Merge branch 'docs/pycafe_embedding' of https://github.com/mckinsey/v…

…izro into docs/pycafe_embedding
mckinsey · Aug 7, 2024 · 032e1ec · 032e1ec
2 parents 5ec800c + 238dfc3
commit 032e1ec
Show file tree

Hide file tree

Showing 82 changed files with 2,786 additions and 344 deletions.
diff --git a/.github/workflows/checks-workflows.yml b/.github/workflows/checks-workflows.yml
@@ -0,0 +1,29 @@
+name: Checks for GitHub workflows
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches:
+      - main
+
+env:
+  PYTHONUNBUFFERED: 1
+  FORCE_COLOR: 1
+  PYTHON_VERSION: "3.11"
+
+jobs:
+  checks-workflows:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Checks for GitHub workflows
+        run: |
+          python tools/scan_yaml_for_risky_text.py .github/workflows
diff --git a/.github/workflows/circleci-trigger.yml b/.github/workflows/circleci-trigger.yml
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -21,6 +21,6 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/labeler@v4
+      - uses: actions/labeler@v5
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/test-integration-vizro-ai.yml b/.github/workflows/test-integration-vizro-ai.yml
@@ -93,3 +93,16 @@ jobs:
           cd ../vizro-ai
           hatch run ${{ matrix.hatch-env }}:pip install ../vizro-core/dist/vizro*.tar.gz
           hatch run ${{ matrix.hatch-env }}:test-integration
+
+      - name: Send custom JSON data to Slack
+        id: slack
+        uses: slackapi/[email protected]
+        if: failure()
+        with:
+          payload: |
+            {
+              "text": "Vizro-ai ${{ matrix.hatch-env }} integration tests build result: ${{ job.status }}\nBranch: ${{ github.head_ref }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
diff --git a/.github/workflows/vizro-qa-tests-trigger.yml b/.github/workflows/vizro-qa-tests-trigger.yml
@@ -0,0 +1,53 @@
+name: Vizro QA tests trigger
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches:
+      - main
+
+env:
+  PYTHONUNBUFFERED: 1
+  FORCE_COLOR: 1
+
+jobs:
+  vizro-qa-test-trigger-fork:
+    if: ${{ github.event.pull_request.head.repo.fork }}
+    name: Vizro QA ${{ matrix.label }} trigger
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - label: integration tests
+          - label: notebooks tests
+    steps:
+      - name: Passed fork step
+        run: echo "Success!"
+
+  vizro-qa-tests-trigger:
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
+    name: Vizro QA ${{ matrix.label }} trigger
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - label: integration tests
+          - label: notebooks test
+    steps:
+      - uses: actions/checkout@v4
+      - name: Tests trigger
+        run: |
+          export INPUT_OWNER=${{ secrets.VIZRO_QA_ORG }}
+          export INPUT_REPO=${{ secrets.VIZRO_QA_REPO }}
+          if [ "${{ matrix.label }}" == "integration tests" ]; then
+            export INPUT_WORKFLOW_FILE_NAME=${{ secrets.VIZRO_QA_INTEGRATION_TESTS_WORKFLOW }}
+          elif [ "${{ matrix.label }}" == "notebooks test" ]; then
+            export INPUT_WORKFLOW_FILE_NAME=${{ secrets.VIZRO_QA_NOTEBOOKS_TESTS_WORKFLOW }}
+          fi
+          export INPUT_GITHUB_TOKEN=${{ secrets.VIZRO_SVC_PAT }}
+          export INPUT_REF=main # because we should send existent branch to dispatch workflow
+          export INPUT_CLIENT_PAYLOAD='{"branch": "${{ github.head_ref }}"}'
+          tools/trigger-workflow-and-wait.sh
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -43,19 +43,19 @@ repos:
       - id: prettier
 
   - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.13.0
+    rev: v2.14.0
     hooks:
       - id: pretty-format-toml
         args: [--autofix]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.5.0
+    rev: v0.5.6
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]
 
   - repo: https://github.com/psf/black
-    rev: 24.4.2
+    rev: 24.8.0
     hooks:
       - id: black
 
@@ -67,6 +67,9 @@ repos:
         additional_dependencies: ["bandit[toml]"]
 
   - repo: https://github.com/pre-commit/mirrors-mypy
+    # Upgrade to v1.11.1 not possible as it doesn't seem compatible with pydantic<2 plugin.
+    # Similar issue with previous v.1.11.X versions: https://github.com/pydantic/pydantic/issues/10000
+    # We need to revert the changes from the pre-commit autoupdate for now.
     rev: v1.10.1
     hooks:
       - id: mypy
@@ -103,7 +106,7 @@ repos:
         args: ["--fix"]
 
   - repo: https://github.com/errata-ai/vale
-    rev: v3.6.0
+    rev: v3.7.0
     hooks:
       - id: vale
         args: [--config=.vale/.vale.ini]

diff --git a/tools/scan_yaml_for_risky_text.py b/tools/scan_yaml_for_risky_text.py
@@ -0,0 +1,19 @@
+"""Check for security issues in workflows files."""
+
+import sys
+from pathlib import Path
+
+# according to this article: https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
+# we should avoid using `pull_request_target` for security reasons
+risky_text = "pull_request_target"
+
+
+def find_risky_files(path: str):
+    """Searching for risky text in yml files for given path."""
+    return {file for file in Path(path).rglob("*.yml") if risky_text in file.read_text()}
+
+
+if __name__ == "__main__":
+    risky_files = find_risky_files(sys.argv[1])
+    if risky_files:
+        sys.exit(f"{risky_text} found in files {risky_files}.")