Add zizmor to pre-commit and fix most findings (#127749)
authorHugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Tue, 10 Dec 2024 10:51:12 +0000 (12:51 +0200)
committerGitHub <noreply@github.com>
Tue, 10 Dec 2024 10:51:12 +0000 (12:51 +0200)
Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
18 files changed:
.github/workflows/build.yml
.github/workflows/documentation-links.yml
.github/workflows/jit.yml
.github/workflows/lint.yml
.github/workflows/mypy.yml
.github/workflows/require-pr-label.yml
.github/workflows/reusable-change-detection.yml
.github/workflows/reusable-docs.yml
.github/workflows/reusable-macos.yml
.github/workflows/reusable-tsan.yml
.github/workflows/reusable-ubuntu.yml
.github/workflows/reusable-wasi.yml
.github/workflows/reusable-windows-msi.yml
.github/workflows/reusable-windows.yml
.github/workflows/stale.yml
.github/workflows/verify-ensurepip-wheels.yml
.github/zizmor.yml [new file with mode: 0644]
.pre-commit-config.yaml

index 9b2f19fd6bcf541a2342da5d77a891c7c6b1e576..8787402ccc4423451f16fb9ddccbcc901f496649 100644 (file)
@@ -58,6 +58,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1
+          persist-credentials: false
       - name: Runner image version
         run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
       - name: Check Autoconf and aclocal versions
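Review bot: The new `persist-credentials: false` carries no explanation, and the same bare line is repeated in jit.yml, lint.yml, mypy.yml, reusable-change-detection.yml, reusable-docs.yml, reusable-macos.yml, reusable-tsan.yml, reusable-ubuntu.yml, reusable-wasi.yml, reusable-windows-msi.yml, reusable-windows.yml and verify-ensurepip-wheels.yml; a one-line comment at this first occurrence, `# Do not keep GITHUB_TOKEN in .git/config; no later step needs git credentials`, tells a maintainer what to re-check before adding a step that pushes or fetches with the token. That assumption holds for every step visible in these hunks, but the remainder of each job lies outside them, so it is worth confirming once per workflow.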
@@ -94,6 +95,8 @@ jobs:
     if: needs.check_source.outputs.run_tests == 'true'
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.x'
@@ -268,6 +271,8 @@ jobs:
       LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Runner image version
       run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
     - name: Restore config.cache
@@ -328,6 +333,8 @@ jobs:
       PYTHONSTRICTEXTENSIONBUILD: 1
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Register gcc problem matcher
       run: echo "::add-matcher::.github/problem-matchers/gcc.json"
     - name: Install Dependencies
@@ -411,7 +418,7 @@ jobs:
         #
         # (GH-104097) test_sysconfig is skipped because it has tests that are
         # failing when executed from inside a virtual environment.
-        ${{ env.VENV_PYTHON }} -m test \
+        "${VENV_PYTHON}" -m test \
           -W \
           -o \
           -j4 \
@@ -446,6 +453,8 @@ jobs:
       ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Runner image version
       run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
     - name: Restore config.cache
index 43a7afec73884e89aedb7e4dfbe3c295cf6c9b0a..fdb4b9aa29a7c8049019995b166dd4c16577aeb6 100644 (file)
@@ -10,9 +10,6 @@ on:
     - 'Doc/**'
     - '.github/workflows/doc.yml'
 
-permissions:
-  pull-requests: write
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -20,6 +17,9 @@ concurrency:
 jobs:
   documentation-links:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+
     steps:
       - uses: readthedocs/actions/preview@v1
         with:
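Review bot: The job-level `permissions:` block on `documentation-links` does not say why this workflow is the one exempted from zizmor's `dangerous-triggers` rule in `.github/zizmor.yml`; a comment such as `# Exempt from zizmor dangerous-triggers: only readthedocs/actions/preview runs here and no PR code is checked out` keeps the two files in sync (the reason is inferred from the ignore entry and the single visible step — confirm no checkout step follows). Separately, the context-line path filter `'.github/workflows/doc.yml'` names a file other than this workflow; if `doc.yml` no longer exists the filter is stale and `'.github/workflows/documentation-links.yml'` is probably what is meant. The `on:` trigger itself starts above the hunk.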
index ee30cf5786d55b14740718d28f4897e3727bd58b..9b84998a55666d2ea2fd6495549ec8c33811d58f 100644 (file)
@@ -32,6 +32,8 @@ jobs:
     timeout-minutes: 90
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Build tier two interpreter
         run: |
           ./configure --enable-experimental-jit=interpreter --with-pydebug
@@ -85,6 +87,8 @@ jobs:
             runner: ${{ github.repository_owner == 'python' && 'ubuntu-24.04-aarch64' || 'ubuntu-24.04' }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.11'
@@ -138,6 +142,8 @@ jobs:
           - 19
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.11'
index ccde03f91983df0364bc3f98195ce5d87e3ed3fa..d74ce8fcc256dc8788dcc6227249ada65b81af89 100644 (file)
@@ -20,6 +20,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
index e5b05302b5ac2712a5ab1084aaaea39a2bc1eec1..5dfa8d7bcafd78304fa61820831aa756b6a70b15 100644 (file)
@@ -51,6 +51,8 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.13"
index bbedd22cc6d1899e1b29a28e79b99701dd7df40e..0a6277c779ff67cbe14ff2d77db664e6f72b540c 100644 (file)
@@ -4,15 +4,14 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions:
-  issues: write
-  pull-requests: write
-
 jobs:
   label-dnm:
     name: DO-NOT-MERGE
     if: github.repository_owner == 'python'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     timeout-minutes: 10
 
     steps:
@@ -28,6 +27,9 @@ jobs:
     name: Unresolved review
     if: github.repository_owner == 'python'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     timeout-minutes: 10
 
     steps:
index 1a6fd33186840c93e456b70ba270d8e8819cb8ca..964bd87e815f425a64d62eefc97b3ebc712d54db 100644 (file)
@@ -61,6 +61,8 @@ jobs:
     - run: >-
         echo '${{ github.event_name }}'
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Check for source changes
       id: check
       run: |
index 39a97392e898aaedbcfc196820f7fedcd7c17f32..3962d12403919a2880542bee635e21c2bfcc4aa9 100644 (file)
@@ -22,12 +22,14 @@ jobs:
     env:
       branch_base: 'origin/${{ github.event.pull_request.base.ref }}'
       branch_pr: 'origin/${{ github.event.pull_request.head.ref }}'
+      commits: ${{ github.event.pull_request.commits }}
       refspec_base: '+${{ github.event.pull_request.base.sha }}:remotes/origin/${{ github.event.pull_request.base.ref }}'
       refspec_pr: '+${{ github.event.pull_request.head.sha }}:remotes/origin/${{ github.event.pull_request.head.ref }}'
     steps:
     - name: 'Check out latest PR branch commit'
       uses: actions/checkout@v4
       with:
+        persist-credentials: false
         ref: >-
           ${{
             github.event_name == 'pull_request'
@@ -39,15 +41,15 @@ jobs:
       if: github.event_name == 'pull_request'
       run: |
         # Fetch enough history to find a common ancestor commit (aka merge-base):
-        git fetch origin ${{ env.refspec_pr }} --depth=$(( ${{ github.event.pull_request.commits }} + 1 )) \
+        git fetch origin "${refspec_pr}" --depth=$(( commits + 1 )) \
           --no-tags --prune --no-recurse-submodules
 
         # This should get the oldest commit in the local fetched history (which may not be the commit the PR branched from):
-        COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 ${{ env.branch_pr }} )
+        COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 "${branch_pr}" )
         DATE=$( git log --date=iso8601 --format=%cd "${COMMON_ANCESTOR}" )
 
         # Get all commits since that commit date from the base branch (eg: master or main):
-        git fetch origin ${{ env.refspec_base }} --shallow-since="${DATE}" \
+        git fetch origin "${refspec_base}" --shallow-since="${DATE}" \
           --no-tags --prune --no-recurse-submodules
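Review bot: `--depth=$(( commits + 1 ))` relies on bash arithmetic resolving the bare name `commits` as a variable, while every other new reference in this script is written `"${name}"`; `$(( ${commits} + 1 ))` reads like its neighbours and makes clear it is the env entry added at the top of the job rather than a literal. The step is guarded by `if: github.event_name == 'pull_request'`, so `commits` should always be set here; were it empty, bash would silently evaluate the expression to 1. Moving `refspec_pr`, `branch_pr` and `refspec_base` from `${{ env.* }}` into quoted shell variables is the right fix, since `github.event.pull_request.head.ref` is a name chosen by the PR author.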
     - name: 'Set up Python'
       uses: actions/setup-python@v5
@@ -69,7 +71,7 @@ jobs:
       if: github.event_name == 'pull_request'
       run: |
         python Doc/tools/check-warnings.py \
-          --annotate-diff '${{ env.branch_base }}' '${{ env.branch_pr }}' \
+          --annotate-diff "${branch_base}" "${branch_pr}" \
           --fail-if-regression \
           --fail-if-improved \
           --fail-if-new-news-nit
@@ -81,6 +83,8 @@ jobs:
     timeout-minutes: 60
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: 'Set up Python'
       uses: actions/setup-python@v5
       with:
@@ -99,6 +103,8 @@ jobs:
     timeout-minutes: 60
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: actions/cache@v4
       with:
         path: ~/.cache/pip
index 4c3dd10194f8cb68ec01beddef6f8c1c64208e90..36ae3e27207e371824bd6ae6036fa214d55a9a5f 100644 (file)
@@ -29,6 +29,8 @@ jobs:
     runs-on: ${{ inputs.os }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Runner image version
       run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
     - name: Restore config.cache
index 7a4d81f0bdcad181c88ddc0d40a77eaca12c796c..b5144ca3e9efc461bcdf9e18444b7856542c7d63 100644 (file)
@@ -23,8 +23,13 @@ jobs:
     name: 'Thread sanitizer'
     runs-on: ubuntu-24.04
     timeout-minutes: 60
+    env:
+      OPTIONS: ${{ inputs.options }}
+      SUPPRESSIONS_PATH: ${{ inputs.suppressions_path }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Runner image version
       run: echo "IMAGE_VERSION=${ImageVersion}" >> "$GITHUB_ENV"
     - name: Restore config.cache
@@ -47,7 +52,7 @@ jobs:
         sudo sysctl -w vm.mmap_rnd_bits=28
     - name: TSAN Option Setup
       run: |
-        echo "TSAN_OPTIONS=log_path=${GITHUB_WORKSPACE}/tsan_log suppressions=${GITHUB_WORKSPACE}/${{ inputs.suppressions_path }} handle_segv=0" >> "$GITHUB_ENV"
+        echo "TSAN_OPTIONS=log_path=${GITHUB_WORKSPACE}/tsan_log suppressions=${GITHUB_WORKSPACE}/${SUPPRESSIONS_PATH} handle_segv=0" >> "$GITHUB_ENV"
         echo "CC=clang" >> "$GITHUB_ENV"
         echo "CXX=clang++" >> "$GITHUB_ENV"
     - name: Add ccache to PATH
@@ -59,7 +64,7 @@ jobs:
         save: ${{ github.event_name == 'push' }}
         max-size: "200M"
     - name: Configure CPython
-      run: ${{ inputs.options }}
+      run: "${OPTIONS}"
     - name: Build CPython
       run: make -j4
     - name: Display build info
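Review bot: `run: "${OPTIONS}"` looks shell-quoted but is not: YAML consumes the double quotes, so the script the shell receives is the unquoted `${OPTIONS}`, which is word-split into a command and its arguments. That is what this step needs if `inputs.options` is a whole configure command line (the step name "Configure CPython" suggests so), but the next reader will take the quotes for a quoting fix and may "correct" it; writing `run: ${OPTIONS}` with `# intentionally unquoted: inputs.options is a whole command line` above it states the intent. The `SUPPRESSIONS_PATH` change in the earlier hunk is fine as written because it sits inside an already double-quoted echo argument.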
index 2869202c7910c962d654bc4cbb1462aa86419955..46c542940c8483d0c153e8a88bdf40de9df29623 100644 (file)
@@ -28,6 +28,8 @@ jobs:
       TERM: linux
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Register gcc problem matcher
       run: echo "::add-matcher::.github/problem-matchers/gcc.json"
     - name: Install dependencies
@@ -94,7 +96,7 @@ jobs:
       if: ${{ !inputs.free-threading }}
       run: >-
         python Tools/build/check_warnings.py
-        --compiler-output-file-path=${{ env.CPYTHON_BUILDDIR }}/compiler_output_ubuntu.txt
+        --compiler-output-file-path="${CPYTHON_BUILDDIR}/compiler_output_ubuntu.txt"
         --warning-ignore-file-path "${GITHUB_WORKSPACE}/Tools/build/.warningignore_ubuntu"
         --compiler-output-type=gcc
         --fail-on-regression
index 3f96c888e2dd30b2dd5aa1e28f2962df9e5f9513..4356d9c1c8795e04d8ebf93838b9dada6c308f9c 100644 (file)
@@ -20,6 +20,8 @@ jobs:
       CROSS_BUILD_WASI: cross-build/wasm32-wasip1
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     # No problem resolver registered as one doesn't currently exist for Clang.
     - name: "Install wasmtime"
       uses: bytecodealliance/actions/wasmtime/setup@v1
@@ -34,9 +36,9 @@ jobs:
     - name: "Install WASI SDK"  # Hard-coded to x64.
       if: steps.cache-wasi-sdk.outputs.cache-hit != 'true'
       run: |
-        mkdir ${{ env.WASI_SDK_PATH }} && \
-        curl -s -S --location https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-${{ env.WASI_SDK_VERSION }}/wasi-sdk-${{ env.WASI_SDK_VERSION }}.0-x86_64-linux.tar.gz | \
-        tar --strip-components 1 --directory ${{ env.WASI_SDK_PATH }} --extract --gunzip
+        mkdir "${WASI_SDK_PATH}" && \
+        curl -s -S --location "https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-${WASI_SDK_VERSION}/wasi-sdk-${WASI_SDK_VERSION}.0-x86_64-linux.tar.gz" | \
+        tar --strip-components 1 --directory "${WASI_SDK_PATH}" --extract --gunzip
     - name: "Configure ccache action"
       uses: hendrikmuhs/ccache-action@v1.2
       with:
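Review bot: The re-quoted `curl … | tar` line still performs no integrity check on the WASI SDK tarball: it is pinned only by `WASI_SDK_VERSION` in the URL, so whatever the release host serves is extracted and used for the build. Downloading to a file and comparing it against a pinned SHA-256 before `tar` would make the toolchain tamper-evident; at minimum `curl -s -S -f --location "…"` (`-f`) makes curl fail on an HTTP error instead of piping the error body into tar. If this step runs under the runner's default shell rather than an explicit `shell: bash`, `pipefail` is not set either, so a mid-pipe curl failure surfaces only as a tar error.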
@@ -72,6 +74,6 @@ jobs:
     - name: "Make host"
       run: python3 Tools/wasm/wasi.py make-host
     - name: "Display build info"
-      run: make --directory ${{ env.CROSS_BUILD_WASI }} pythoninfo
+      run: make --directory "${CROSS_BUILD_WASI}" pythoninfo
     - name: "Test"
-      run: make --directory ${{ env.CROSS_BUILD_WASI }} test
+      run: make --directory "${CROSS_BUILD_WASI}" test
index abdb1a1982fef8da33397c7aa12b2e4c3cc4ffb2..d0d53dba0b45d120c4a1747cef033b2b6479df4d 100644 (file)
@@ -17,8 +17,11 @@ jobs:
     runs-on: windows-latest
     timeout-minutes: 60
     env:
+      ARCH: ${{ inputs.arch }}
       IncludeFreethreaded: true
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Build CPython installer
-      run: .\Tools\msi\build.bat --doc -${{ inputs.arch }}
+      run: .\Tools\msi\build.bat --doc -"${ARCH}"
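Review bot: `.\Tools\msi\build.bat --doc -"${ARCH}"` uses POSIX parameter expansion, but this job runs on `windows-latest` with no `shell:` set, so the step runs under PowerShell, where `${ARCH}` is an (unset) PowerShell variable rather than the `ARCH` environment entry (`$env:ARCH`); the installer build would then be invoked with a bare `-` instead of `-x64`/`-arm64`. The sibling reusable-windows.yml adds `shell: bash` to each step it converts; the same `shell: bash` line under this step (or `${env:ARCH}` if it should stay in PowerShell) is needed, unless a `defaults.run.shell` above the hunk already selects bash.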
index 12b68d68466d62e7fb970ff312ab14ab84b065e6..459d2b29e5d42ba01cc5d81853c1afed9797253b 100644 (file)
@@ -26,8 +26,12 @@ jobs:
     name: 'build and test (${{ inputs.arch }})'
     runs-on: ${{ inputs.os }}
     timeout-minutes: 60
+    env:
+      ARCH: ${{ inputs.arch }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Register MSVC problem matcher
       if: inputs.arch != 'Win32'
       run: echo "::add-matcher::.github/problem-matchers/msvc.json"
@@ -35,8 +39,9 @@ jobs:
       run: >-
         .\\PCbuild\\build.bat
         -e -d -v
-        -p ${{ inputs.arch }}
+        -p "${ARCH}"
         ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
+      shell: bash
     - name: Display build info  # FIXME(diegorusso): remove the `if`
       if: inputs.arch != 'arm64'
       run: .\\python.bat -m test.pythoninfo
@@ -44,6 +49,7 @@ jobs:
       if: inputs.arch != 'arm64'
       run: >-
         .\\PCbuild\\rt.bat
-        -p ${{ inputs.arch }}
+        -p "${ARCH}"
         -d -q --fast-ci
         ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
+      shell: bash
index f97587e68cbbe43bd4d3661b86d555a743c70912..7578189f5d4d677ea804ca08045771e35ec12cc6 100644 (file)
@@ -4,14 +4,13 @@ on:
   schedule:
   - cron: "0 */6 * * *"
 
-permissions:
-  pull-requests: write
-
 jobs:
   stale:
     if: github.repository_owner == 'python'
 
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     timeout-minutes: 10
 
     steps:
index 83b007f1c9c2efe4f01d89d479a1ca6c7184a401..463e7bf3355cc39fe025f84f450283761192451f 100644 (file)
@@ -26,6 +26,8 @@ jobs:
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3'
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644 (file)
index 0000000..eeda8d9
--- /dev/null
@@ -0,0 +1,6 @@
+# Configuration for the zizmor static analysis tool, run via pre-commit in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+  dangerous-triggers:
+    ignore:
+      - documentation-links.yml
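Review bot: The `ignore` entry for `documentation-links.yml` records no reason, so a reader of this config cannot tell whether the exemption is a deliberate risk acceptance or a TODO; a comment above the entry, `# documentation-links.yml: the trigger is needed to post the preview link; the job checks out no code`, makes the accepted risk auditable (the reason is inferred from that workflow's single visible step — confirm before adopting the wording). Adding the date or PR number of the decision to the same comment gives the next audit a starting point.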
index ccaf2390d99fae45d344cedeea0c5efe6d0780e7..107f3b255735f4b043355c9b2e724d68341cd4fb 100644 (file)
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.7.1
+    rev: v0.8.2
     hooks:
       - id: ruff
         name: Run Ruff (lint) on Doc/
@@ -51,7 +51,7 @@ repos:
         types_or: [c, inc, python, rst]
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.29.4
+    rev: 0.30.0
     hooks:
       - id: check-dependabot
       - id: check-github-workflows
@@ -61,6 +61,11 @@ repos:
     hooks:
       - id: actionlint
 
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: zizmor
+
   - repo: https://github.com/sphinx-contrib/sphinx-lint
     rev: v1.0.0
     hooks: