name: audit on: workflow_call: inputs: with_coverage: required: true type: string python_version: required: true type: string concurrency: group: audit-${{inputs.python_version}}-${{github.ref}}-${{github.event.pull_request.number || github.run_number}} cancel-in-progress: true jobs: # Run audits on all the packages in the built-in repository package-audits: runs-on: ${{ matrix.operating_system }} strategy: matrix: operating_system: ["ubuntu-latest", "macos-latest"] steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2 with: fetch-depth: 2 - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # @v2 with: python-version: ${{ inputs.python_version }} - name: Install Python packages run: | pip install --upgrade pip setuptools pytest coverage[toml] - name: Verify new package checksums run: | . share/spack/setup-env.sh files=($(git diff --name-only -r HEAD^1 HEAD -- var/spack/repos/builtin/packages/*)) for file in ${files[@]}; do package=$(basename $(dirname $file)) versions=($(git diff -r HEAD^1 HEAD -- $file | \ grep -E "^\+ version\(" | \ sed -E "s/^\+ version\(\"//g" | \ sed -E "s/\".*\)//g")) if [ ${#versions[@]} -ne 0 ]; then printf "> spack checksum --verify $package ${versions[@]}" $(which spack) checksum --verify $package ${versions[@]} fi done - name: Package audits (with coverage) if: ${{ inputs.with_coverage == 'true' }} run: | . share/spack/setup-env.sh coverage run $(which spack) audit packages coverage combine coverage xml - name: Package audits (without coverage) if: ${{ inputs.with_coverage == 'false' }} run: | . share/spack/setup-env.sh $(which spack) audit packages - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # @v2.1.0 if: ${{ inputs.with_coverage == 'true' }} with: flags: unittests,audits