From 0a0cdcc4a0233d5dc8f2b6185ff7fbe70189dec6 Mon Sep 17 00:00:00 2001 From: Erica Portnoy Date: Mon, 23 Mar 2026 09:45:20 -0700 Subject: [PATCH] add eof newlines pass secrets and env vars set minimum permissions move permissions to job level, switch to contents read change name to AWS_TEST_FARM_PEM for consistency move comments, remove azure pipelines on-pr file match permissions remove runs-on: self-hosted. why was that even there? add shell:bash the auto-converted decided python 3.1 == 3.10. come on. put python version in quotes move python version to matrix copy from matrix into env matrix must take a list update matrix syntax remove composite put composite back --- .azure-pipelines/main.yml | 18 --------- .github/actions/sphinx_steps/action.yml | 2 +- .github/actions/tox_steps/action.yml | 28 +++++++------- .github/workflows/pr-test-suite.yml | 14 +++++-- .github/workflows/standard_tests_jobs.yml | 45 ++++++++++++----------- 5 files changed, 51 insertions(+), 56 deletions(-) delete mode 100644 .azure-pipelines/main.yml diff --git a/.azure-pipelines/main.yml b/.azure-pipelines/main.yml deleted file mode 100644 index 315b0d47f..000000000 --- a/.azure-pipelines/main.yml +++ /dev/null @@ -1,18 +0,0 @@ -# We run the test suite on commits to main so codecov gets coverage data -# about the main branch and can use it to track coverage changes. -trigger: - - main -pr: - - main - - '*.x' - -variables: - # We set this here to avoid coverage data being uploaded from things like our - # nightly pipeline. This is done because codecov (helpfully) keeps track of - # the number of coverage uploads for a commit and displays a warning when - # comparing two commits with an unequal number of uploads. Only uploading - # coverage here should keep the number of uploads it sees consistent. - uploadCoverage: true - -jobs: - - template: templates/jobs/standard-tests-jobs.yml 
diff --git a/.github/actions/sphinx_steps/action.yml b/.github/actions/sphinx_steps/action.yml index 3f62f9fc7..56d67399d 100644 --- a/.github/actions/sphinx_steps/action.yml +++ b/.github/actions/sphinx_steps/action.yml @@ -25,4 +25,4 @@ runs: echo "##[error]The following builds failed: ${FAILED_BUILDS[*]}" exit 1 fi - shell: bash \ No newline at end of file + shell: bash diff --git a/.github/actions/tox_steps/action.yml b/.github/actions/tox_steps/action.yml index 264dc3f9d..3a3bfd30b 100644 --- a/.github/actions/tox_steps/action.yml +++ b/.github/actions/tox_steps/action.yml @@ -3,7 +3,7 @@ runs: using: composite steps: - name: Install MacOS dependencies - if: startsWith(env.IMAGE_NAME, 'macOS') + if: startsWith(matrix.IMAGE_NAME, 'macOS') run: |- set -e unset HOMEBREW_NO_INSTALL_FROM_API @@ -12,7 +12,7 @@ runs: brew install augeas shell: bash - name: Install Linux dependencies - if: startsWith(env.IMAGE_NAME, 'ubuntu') + if: startsWith(matrix.IMAGE_NAME, 'ubuntu') run: |- set -e sudo apt-get update 
@@ -30,17 +30,19 @@ runs: set -e python3 tools/pip_install.py tox shell: bash -# # This item has no matching transformer -# - task: DownloadSecureFile@1 -# name: testFarmPem -# inputs: -# secureFile: azure-test-farm.pem -# condition: contains(variables['TOXENV'], 'test-farm') + - name: Create test farm pem file + if: contains(matrix.TOXENV, 'test-farm') + env: + PEM_CONTENTS: "${{ secrets.AWS_TEST_FARM_PEM }}" + run: 'echo ${PEM_CONTENTS} >> github-test-farm.pem' + shell: bash - name: Run tox env: - AWS_ACCESS_KEY_ID: "${{ env.AWS_ACCESS_KEY_ID }}" - AWS_SECRET_ACCESS_KEY: "${{ env.AWS_SECRET_ACCESS_KEY }}" - AWS_EC2_PEM_FILE: "${{ env.testFarmPem_secureFilePath }}" + AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}" + AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}" + AWS_EC2_PEM: "github-test-farm.pem" + PIP_USE_PEP517: "${{ matrix.PIP_USE_PEP517 }}" + TOXENV: "${{ matrix.TOXENV }}" run: |- set -e export TARGET_BRANCH="`echo "${BUILD_SOURCEBRANCH}" | sed -E 's!refs/(heads|tags)/!!g'`" @@ -49,7 +51,7 @@ runs: python3 -m tox run shell: bash - name: Upload coverage data - if: env.uploadCoverage == true && (startsWith(env.TOXENV, 'cover') || startsWith(env.TOXENV, 'integration')) + if: env.uploadCoverage == true && (startsWith(matrix.TOXENV, 'cover') || startsWith(matrix.TOXENV, 'integration')) run: |- python3 tools/pip_install.py -I coverage case "${{ runner.os }}" in @@ -70,4 +72,4 @@ runs: chmod +x codecov coverage xml ./codecov || echo "Uploading coverage data failed" - shell: bash \ No newline at end of file + shell: bash diff --git a/.github/workflows/pr-test-suite.yml b/.github/workflows/pr-test-suite.yml index 20d5cdf60..12f801cf2 100644 --- a/.github/workflows/pr-test-suite.yml +++ b/.github/workflows/pr-test-suite.yml @@ -1,3 +1,5 @@ +# We run the test suite on commits to main so codecov gets coverage data +# about the main branch and can use it to track coverage changes. name: certbot/pr-test-suite on: push: 
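Review bot: The new "Create test farm pem file" step runs `run: 'echo ${PEM_CONTENTS} >> github-test-farm.pem'`, which expands the secret unquoted (a multi-line PEM is word-split and rejoined with spaces, so the written file is no longer a valid PEM) and appends with `>>` instead of creating the file; I would write it as `printf '%s\n' "${PEM_CONTENTS}" > github-test-farm.pem` followed by `chmod 600 github-test-farm.pem`, since a private key left at the default 0644 is refused by ssh if that is what consumes it. The same hunk reads `secrets.AWS_TEST_FARM_PEM`, `secrets.AWS_ACCESS_KEY_ID` and `secrets.AWS_SECRET_ACCESS_KEY` directly inside a composite action; as far as I know the `secrets` context is not exposed to an action.yml, so these would have to be declared as action `inputs` and supplied by the calling job (please confirm the same for `matrix.TOXENV` / `matrix.IMAGE_NAME` used in the `if:` conditions of this file, including the two preceding hunks, against a real run log). The variable also changed from `AWS_EC2_PEM_FILE` holding an absolute path to `AWS_EC2_PEM` holding a workspace-relative name; check that the test-farm code reads the new name and resolves the relative path from the checkout directory.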
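Review bot: The rewritten condition keeps `env.uploadCoverage == true`, but `uploadCoverage` now arrives as a job `env` value, and env values are always strings; GitHub expressions coerce mismatched operand types to numbers, and the string `'true'` is not a legal number, so this comparison evaluates to false and the coverage upload is skipped. Now that the value flows from the boolean `inputs.uploadCoverage` into `env`, the check should be `if: env.uploadCoverage == 'true' && (startsWith(matrix.TOXENV, 'cover') || startsWith(matrix.TOXENV, 'integration'))`. The step body continues past the end of this hunk.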
@@ -5,12 +7,18 @@ on: - main pull_request: branches: - - master - main - "*.x" -env: - uploadCoverage: true jobs: standard_tests_jobs: name: standard_tests_jobs uses: "./.github/workflows/standard_tests_jobs.yml" + permissions: + contents: read + with: + # We set this here to avoid coverage data being uploaded from things like our + # nightly pipeline. This is done because codecov (helpfully) keeps track of + # the number of coverage uploads for a commit and displays a warning when + # comparing two commits with an unequal number of uploads. Only uploading + # coverage here should keep the number of uploads it sees consistent. + uploadCoverage: true diff --git a/.github/workflows/standard_tests_jobs.yml b/.github/workflows/standard_tests_jobs.yml index 3fbb2c3df..fb8faf8b5 100644 --- a/.github/workflows/standard_tests_jobs.yml +++ b/.github/workflows/standard_tests_jobs.yml 
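Review bot: The call to `./.github/workflows/standard_tests_jobs.yml` now carries `permissions:` and `with:` but no `secrets:` key; a reusable workflow receives no repository secrets unless the caller passes them, so every `secrets.AWS_*` lookup downstream resolves to an empty string. Add either `secrets: inherit` or, preferably, an explicit mapping of only the values the test-farm steps need, e.g. `secrets:` / `AWS_TEST_FARM_PEM: ${{ secrets.AWS_TEST_FARM_PEM }}`, and declare the matching `on.workflow_call.secrets` in the called workflow. Scoping the job to `contents: read` is a good change; keep the secret list equally narrow so runs triggered by `pull_request` see nothing they do not use.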
@@ -2,48 +2,51 @@ name: standard_tests_jobs on: workflow_call: + inputs: + uploadCoverage: + description: 'Upload coverage to Codecov' + type: boolean + default: false jobs: test: + permissions: + contents: read runs-on: - - self-hosted - "${{ matrix.IMAGE_NAME }}" env: - PYTHON_VERSION: 3.14 + uploadCoverage: ${{ inputs.uploadCoverage }} strategy: matrix: + PYTHON_VERSION: ['3.14'] + IMAGE_NAME: ['ubuntu-22.04'] + TOXENV: + - 'cover' + - 'lint-posix' + - 'mypy' + - 'integration' + - 'apache_compat' + - 'apacheconftest-with-pebble' + - 'nginxroundtrip' + - 'validate-changelog' include: - IMAGE_NAME: macOS-15 + PYTHON_VERSION: '3.14' TOXENV: cover PIP_USE_PEP517: 'true' - IMAGE_NAME: ubuntu-22.04 - PYTHON_VERSION: 3.1 + PYTHON_VERSION: '3.10' TOXENV: oldest - IMAGE_NAME: ubuntu-22.04 - PYTHON_VERSION: 3.1 + PYTHON_VERSION: '3.10' TOXENV: py310 - - IMAGE_NAME: ubuntu-22.04 - TOXENV: cover - - IMAGE_NAME: ubuntu-22.04 - TOXENV: lint-posix - - IMAGE_NAME: ubuntu-22.04 - TOXENV: mypy - - IMAGE_NAME: ubuntu-22.04 - TOXENV: integration - - IMAGE_NAME: ubuntu-22.04 - TOXENV: apache_compat - - IMAGE_NAME: ubuntu-22.04 - TOXENV: apacheconftest-with-pebble - - IMAGE_NAME: ubuntu-22.04 - TOXENV: nginxroundtrip - - IMAGE_NAME: ubuntu-22.04 - TOXENV: validate-changelog steps: - name: checkout uses: actions/checkout@v4.1.0 - uses: "./.github/actions/tox_steps" test_sphinx_builds: + permissions: + contents: read runs-on: - - self-hosted - ubuntu-22.04 steps: - name: checkout