Skip to content
build

Update crate-ci/typos action to v1.31.2 (#1432) #3939

Sign in to view logs

Update crate-ci/typos action to v1.31.2 (#1432)

Update crate-ci/typos action to v1.31.2 (#1432) #3939

Workflow file for this run

.github/workflows/continuous-integration-workflow.yml at fdcabe9
name: build
on: # cf. https://github.community/t/how-to-trigger-an-action-on-push-or-pull-request-but-not-both/16662
push:
branches:
- master
pull_request:
branches:
- master
jobs:
check-reference-pdf-files:
runs-on: ubuntu-latest
permissions: {}
steps:
- name: Checkout 🛎️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python 3.13 🔧
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: 3.13
- name: Install system dependencies ⚙️
run: sudo apt-get update --allow-releaseinfo-change && sudo apt-get install qpdf
- name: Check all PDF reference files used in tests ☑
run: |
# Using qpdf
find . -name '*.pdf' | xargs -n 1 sh -c 'qpdf --check --password=fpdf2 $0 || exit 255'
export PYTHONPATH=$PWD
# Using Datalogics PDF Checker:
scripts/install-pdfchecker.sh
time scripts/pdfchecker.py --process-all-test-pdf-files
scripts/pdfchecker.py --print-aggregated-report
# Using VeraPDF:
scripts/install-verapdf.sh
time scripts/verapdf.py --process-all-test-pdf-files
scripts/verapdf.py --print-aggregated-report
scripts/check-PDF-A-with-verapdf.sh
lint:
runs-on: ubuntu-24.04
permissions:
security-events: write # for zizmor
steps:
- name: Checkout 🛎️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python 3.13 🔧
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: 3.13
- name: Install Python dependencies ⚙️
run: |
python -m pip install --upgrade pip setuptools wheel
pip install --upgrade . -r test/linters-requirements.txt -r test/requirements.txt
# Running zizmor 1st, because it is blocking PR merge
- name: Run zizmor 🌈
run: zizmor --format=sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
with:
sarif_file: results.sarif
category: zizmor
- name: Run linters 🔎
run: |
black --check .
pylint fpdf test tutorial/tuto*.py
bandit -c .banditrc.yml -r contributors/ fpdf/ tutorial/
semgrep scan --config auto --error --strict --exclude-rule=python.lang.security.insecure-hash-function.insecure-hash-function fpdf
- name: Scan project with grype 🔎
uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0
with:
path: "."
fail-build: true
- name: Scan project dependencies with guarddog 🐶
run: |
pip install guarddog
# Scanning direct dependencies:
guarddog pypi scan defusedxml
guarddog pypi scan Pillow
guarddog pypi scan fonttools
# Scanning dev dependencies:
guarddog pypi verify contributors/requirements.txt
guarddog pypi verify docs/requirements.txt
guarddog pypi verify test/linters-requirements.txt
guarddog pypi verify test/requirements.txt
- name: Spell Check Repo ✍️
uses: crate-ci/typos@3be83342e28b9421997e9f781f713f8dde8453d2 # v1.31.2
test:
strategy:
matrix:
python-version: ['3.8', '3.9', '3.10', '3.11', '3.12', '3.13']
platform: [ubuntu-22.04, windows-latest]
runs-on: ${{ matrix.platform }}
permissions: {}
steps:
- name: Checkout 🛎️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }} 🔧
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: ${{ matrix.python-version }}
- name: Install system dependencies ⚙️
if: ${{ startsWith(matrix.platform, 'ubuntu') }}
# Ghostscript is needed for test/table/test_table_extraction.py
run: sudo apt-get update --allow-releaseinfo-change && sudo apt-get install ghostscript
- name: Install qpdf ⚙️
# We run the unit tests WITHOUT qpdf for a single parallel execution / Python version:
if: ${{ startsWith(matrix.platform, 'ubuntu') && matrix.python-version != '3.13' }}
run: sudo apt-get update --allow-releaseinfo-change && sudo apt-get install qpdf
- name: Install Python dependencies ⚙️
run: |
python -m pip install --upgrade pip setuptools wheel
pip install --upgrade . -r test/requirements.txt
- name: Run tests ☑
env:
CHECK_EXEC_TIME: ${{ matrix.python-version == '3.9' && 'test-enabled' || '' }}
CHECK_RSS_MEMORY: ${{ matrix.python-version == '3.13' && 'test-enabled' || '' }}
run: |
# Ensuring there is no `generate=True` left remaining in calls to assert_pdf_equal:
grep -IRF generate=True test/ && exit 1
# Executing all tests:
pytest -vv --trace-memory-usage
- name: Upload coverage report to codecov.io ☑
# We only upload coverage ONCE, for a single parallel execution / Python version:
if: ${{ startsWith(matrix.platform, 'ubuntu') && matrix.python-version == '3.13' }}
run: bash <(curl -s https://codecov.io/bash)
- name: Run tests with the minimal versions of fpdf2 direct dependencies ☑
if: ${{ startsWith(matrix.platform, 'ubuntu') && matrix.python-version == '3.8' }}
run: |
# Ensuring that those minimal versions remain compatible:
sed -i '/install_requires/,/\n/s/>=/==/' setup.cfg
pip install .
# Targeting only a subset of tests because: A) it's faster and B) some tests are dependant on a specific version of fonttools or Pillow
pytest -vv test/barcodes test/drawing test/errors test/image/test_load_image.py test/metadata test/shapes test/signing test/text_region test/utils
doc:
runs-on: ubuntu-latest
permissions:
# required to deploy doc, by pushing commits to branch gh-pages:
contents: write
pages: write
steps:
- name: Harden Runner
# Security hardening because this is a sensitive job,
# where extra care should be taken NOT to leak any secret
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: block
allowed-endpoints:
github.com:443
api.github.com:443
*.githubusercontent.com:443
pypi.org:443
files.pythonhosted.org:443
registry.npmjs.org:443
api.star-history.com:443
cdnjs.cloudflare.com:443
colab.research.google.com:443
fonts.googleapis.com:443
fonts.gstatic.com:443
img.shields.io:443
unpkg.com:443
# Starting from api.star-history.com, the endpoints whitelist reason is the mkdocs privacy plugin
- name: Checkout 🛎️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
# Required for mkdocs git-revision-date-localized plugin:
fetch-depth: 0
- name: Set up Python 3.13 🔧
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: 3.13
- name: Install Python dependencies ⚙️
run: |
python -m pip install --upgrade pip setuptools wheel
pip install --upgrade -r docs/requirements.txt -r contributors/requirements.txt
- name: Generate HTML documentation 🏗️
run: |
mkdir -p public/
# Setting PDF manual version:
sed -i "s/author:.*/author: v$(python setup.py -V 2>/dev/null)/" mkdocs.yml
cp tutorial/notebook.ipynb docs/
mkdocs build
pdoc --html -o public/ fpdf --template-dir docs/pdoc
scripts/add_pdoc_to_search_index.py
- name: Build contributors map 🗺️
# As build_contributors_html_page.py can hang due to GitHub rate-limiting, we only execute this on master for now
if: github.ref == 'refs/heads/master'
env:
# Needed by contributors/build_contributors_html_page.py:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PYTHONUNBUFFERED: 1
run: |
cd contributors/
npm ci
./build_contributors_html_page.py py-pdf/fpdf2
cp -t ../public/ contributors.html contributors-map-small.png
- name: Deploy documentation 🚀
if: github.ref == 'refs/heads/master'
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: public/
publish:
if: github.ref == 'refs/heads/master'
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/fpdf2
permissions:
# Trusted publishing configured there: https://pypi.org/manage/project/fpdf2/settings/publishing/
id-token: write
steps:
- name: Harden Runner
# Security hardening because this is a sensitive job,
# where extra care should be taken NOT to leak any secret
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: block
allowed-endpoints:
ghcr.io:443
github.com:443
*.githubusercontent.com:443
pypi.org:443
files.pythonhosted.org:443
*.sigstore.dev:443
upload.pypi.org:443
- name: Checkout 🛎️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python 3.13 🔧
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.13'
- name: Build distributions for Pypi 🏗️
id: build
run: |
echo Versions already released on Pypi: $(curl -Ls 'https://pypi.org/pypi/fpdf2/json' | jq -r '.releases|keys[]')
pip install --upgrade setuptools twine wheel .
echo Current code version: $(python setup.py -V)
# Checking if current code version has already been released:
if ! curl -Ls 'https://pypi.org/pypi/fpdf2/json' | jq -r '.releases|keys[]' | grep "^$(python setup.py -V)\$"; then echo publish=yes >> "$GITHUB_OUTPUT"; python setup.py sdist bdist_wheel; twine check dist/*; fi
- name: Publish package distributions to PyPI 🚀
if: steps.build.outputs.publish == 'yes'
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
# Doc: https://github.com/marketplace/actions/pypi-publish
with:
print-hash: true