Add actionlint on CI (napari#7049)

# References and relevant issues To avoid PR like napari#7033 # Description This PR adds action lint on CI to early detect problems with workflows that are not executed on pull-request trigger. I first try to do this on pre-commit, but then it will require `go` compiler and will not contain [shellcheck](https://github.com/koalaman/shellcheck).
melonora · Jul 22, 2024 · e009163 · e009163
1 parent df666e1
commit e009163
Show file tree

Hide file tree

Showing 13 changed files with 63 additions and 47 deletions.
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -0,0 +1,18 @@
+name: Actionlint
+
+on:
+  pull_request:
+    paths:
+      - '.github/**'
+
+jobs:
+  actionlint:
+    name: Action lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check workflow files
+        run: |
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+          ./actionlint -color -ignore SC2129
+        shell: bash
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -72,7 +72,7 @@ jobs:
       - uses: tlambert03/setup-qt-libs@v1
 
       - name: Setup asv
-        run: python -m pip install asv[virtualenv]
+        run: python -m pip install "asv[virtualenv]"
         env:
           PIP_CONSTRAINT: resources/constraints/benchmark.txt
 
@@ -91,9 +91,11 @@ jobs:
           # asv will checkout commits, which might contain LFS artifacts; ignore those errors since
           # they are probably just documentation PNGs not needed here anyway
           GIT_LFS_SKIP_SMUDGE: 1
+          HEAD_LABEL: ${{ github.event.pull_request.head.label }}
           PIP_CONSTRAINT: ${{ github.workspace }}/resources/constraints/benchmark.txt
         run: |
           set -euxo pipefail
+          read -ra cmd_options <<< "$ASV_OPTIONS"
 
           # ID this runner
           asv machine --yes
@@ -103,7 +105,7 @@ jobs:
             BASE_REF=${{ github.event.pull_request.base.sha }}
             CONTENDER_REF=${GITHUB_SHA}
             echo "Baseline:  ${BASE_REF} (${{ github.event.pull_request.base.label }})"
-            echo "Contender: ${CONTENDER_REF} (${{ github.event.pull_request.head.label }})"
+            echo "Contender: ${CONTENDER_REF} ($HEAD_LABEL)"
           elif [[ $GITHUB_EVENT_NAME == schedule ]]; then
             EVENT_NAME="cronjob"
             BASE_REF="${{ fromJSON(steps.latest_release.outputs.data).target_commitish }}"
@@ -118,12 +120,12 @@ jobs:
             echo "Contender: ${CONTENDER_REF} (workflow input)"
           fi
 
-          echo "EVENT_NAME=$EVENT_NAME" >> $GITHUB_ENV
-          echo "BASE_REF=$BASE_REF" >> $GITHUB_ENV
-          echo "CONTENDER_REF=$CONTENDER_REF" >> $GITHUB_ENV
+          echo "EVENT_NAME=$EVENT_NAME" >> "$GITHUB_ENV"
+          echo "BASE_REF=$BASE_REF" >> "$GITHUB_ENV"
+          echo "CONTENDER_REF=$CONTENDER_REF" >> "$GITHUB_ENV"
 
           # Run benchmarks for current commit against base
-          asv continuous $ASV_OPTIONS -b '${{ matrix.selection-regex }}' ${BASE_REF} ${CONTENDER_REF} \
+          asv continuous "${cmd_options[@]}" -b "${{ matrix.selection-regex }}" "${BASE_REF}" "${CONTENDER_REF}" \
           | sed -E "/Traceback | failed$|PERFORMANCE DECREASED/ s/^/::error:: /" \
           | tee asv_continuous.log
 

diff --git a/.github/workflows/benchmarks_report.yml b/.github/workflows/benchmarks_report.yml
@@ -63,7 +63,7 @@ jobs:
       - name: Collect PR number if available
         run: |
           if [[ -f pr_number ]]; then
-            echo "PR_NUMBER=$(cat pr_number)" >> $GITHUB_ENV
+            echo "PR_NUMBER=$(cat pr_number)" >> "$GITHUB_ENV"
           fi
 
       - name: "Comment on PR"

diff --git a/.github/workflows/docker-singularity-publish.yml b/.github/workflows/docker-singularity-publish.yml
@@ -121,7 +121,7 @@ jobs:
       - name: Continue if Singularity Recipe Exists
         run: |
           if [[ -f "${{ matrix.recipe }}" ]]; then
-            echo "keepgoing=true" >> $GITHUB_ENV
+            echo "keepgoing=true" >> "$GITHUB_ENV"
           fi
 
       - name: Build Container
@@ -136,7 +136,7 @@ jobs:
           fi
           # Build the container and name by tag
           echo "Tag is $tag."
-          echo "tag=$tag" >> $GITHUB_ENV
+          echo "tag=$tag" >> "$GITHUB_ENV"
 
       - name: Login and Deploy Container
         if: (github.event_name != 'pull_request')
@@ -145,5 +145,5 @@ jobs:
         run: |
           if [[ "${keepgoing}" == "true" ]]; then
               echo ${{ secrets.GITHUB_TOKEN }} | singularity remote login -u ${{ secrets.GHCR_USERNAME }} --password-stdin oras://ghcr.io
-              singularity push container.sif oras://ghcr.io/${GITHUB_REPOSITORY}:${tag}
+              singularity push container.sif "oras://ghcr.io/${GITHUB_REPOSITORY}:${tag}"
           fi
diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml
@@ -46,10 +46,10 @@ jobs:
           VER="${VER/rc*/}"  # remove rc identifier
           RELEASE_NOTES_PATH="docs/docs/release/release_${VER//./_}.md"
 
-          echo "tag=${TAG}" >> $GITHUB_ENV
-          echo "release_notes_path=${RELEASE_NOTES_PATH}" >> $GITHUB_ENV
-          echo tag: ${TAG}
-          echo release_notes_path: ${RELEASE_NOTES_PATH}
+          echo "tag=${TAG}" >> "$GITHUB_ENV"
+          echo "release_notes_path=${RELEASE_NOTES_PATH}" >> "$GITHUB_ENV"
+          echo tag: "${TAG}"
+          echo release_notes_path: "${RELEASE_NOTES_PATH}"
           ls docs/docs/release
 
       - name: Create Release

diff --git a/.github/workflows/reusable_coverage_upload.yml b/.github/workflows/reusable_coverage_upload.yml
@@ -37,7 +37,7 @@ jobs:
           python -Im coverage xml -o coverage.xml
 
           # Report and write to summary.
-          python -Im coverage report --format=markdown --skip-empty --skip-covered >> $GITHUB_STEP_SUMMARY
+          python -Im coverage report --format=markdown --skip-empty --skip-covered >> "$GITHUB_STEP_SUMMARY"
 
       - name: Upload coverage data
         uses: codecov/codecov-action@v4

diff --git a/.github/workflows/reusable_pip_test.yml b/.github/workflows/reusable_pip_test.yml
@@ -25,7 +25,7 @@ jobs:
       - name: Install this commit
         run: |
           pip install --upgrade pip
-          pip install ./napari-from-github[pyqt,testing]
+          pip install "./napari-from-github[pyqt,testing]"
         env:
           PIP_CONSTRAINT: napari-from-github/resources/constraints/constraints_py3.9.txt
 

diff --git a/.github/workflows/reusable_run_tox_test.yml b/.github/workflows/reusable_run_tox_test.yml
@@ -69,7 +69,7 @@ jobs:
           path: dist
 
       - name: Set wheel path
-        run: echo "WHEEL_PATH=$(ls dist/*.whl)" >> $GITHUB_ENV
+        run: echo "WHEEL_PATH=$(ls dist/*.whl)" >> "$GITHUB_ENV"
         shell: bash
 
       - name: Set up Python ${{ inputs.python_version }}
@@ -92,6 +92,7 @@ jobs:
           git clone --depth 1 https://github.com/pyvista/gl-ci-helpers.git
           powershell gl-ci-helpers/appveyor/install_opengl.ps1
           if (Test-Path -Path "C:\Windows\system32\opengl32.dll" -PathType Leaf) {Exit 0} else {Exit 1}
+        shell: powershell
 
       - name: Disable ptrace security restrictions
         if: runner.os == 'Linux'
@@ -133,10 +134,10 @@ jobs:
         # FOURTH=none
         shell: bash
         run: |
-          python tools/split_qt_backend.py 0 ${{ inputs.qt_backend }} >> $GITHUB_ENV
-          python tools/split_qt_backend.py 1 ${{ inputs.qt_backend }} >> $GITHUB_ENV
-          python tools/split_qt_backend.py 2 ${{ inputs.qt_backend }} >> $GITHUB_ENV
-          python tools/split_qt_backend.py 3 ${{ inputs.qt_backend }} >> $GITHUB_ENV
+          python tools/split_qt_backend.py 0 ${{ inputs.qt_backend }} >> "$GITHUB_ENV"
+          python tools/split_qt_backend.py 1 ${{ inputs.qt_backend }} >> "$GITHUB_ENV"
+          python tools/split_qt_backend.py 2 ${{ inputs.qt_backend }} >> "$GITHUB_ENV"
+          python tools/split_qt_backend.py 3 ${{ inputs.qt_backend }} >> "$GITHUB_ENV"
 
       - name: Test with tox main
         timeout-minutes: ${{ inputs.timeout }}

diff --git a/.github/workflows/test_comprehensive.yml b/.github/workflows/test_comprehensive.yml
@@ -86,7 +86,6 @@ jobs:
       qt_backend: ${{ matrix.backend }}
       min_req: ${{ matrix.MIN_REQ }}
       coverage: cov
-      toxenv: ${{ matrix.toxenv }}
       tox_extras: ${{ matrix.tox_extras }}
 
   test_pip_install:

diff --git a/.github/workflows/test_prereleases.yml b/.github/workflows/test_prereleases.yml
@@ -53,6 +53,7 @@ jobs:
           git clone --depth 1 https://github.com/pyvista/gl-ci-helpers.git
           powershell gl-ci-helpers/appveyor/install_opengl.ps1
           if (Test-Path -Path "C:\Windows\system32\opengl32.dll" -PathType Leaf) {Exit 0} else {Exit 1}
+        shell: powershell
 
       - name: Install dependencies
         run: |

diff --git a/.github/workflows/test_pull_requests.yml b/.github/workflows/test_pull_requests.yml
@@ -70,7 +70,7 @@ jobs:
           pip install --upgrade pip semgrep
           # f"..." and f'...' are the same for semgrep
           semgrep --error --lang python --pattern 'trans._(f"...")' napari
-          semgrep --error --lang python --pattern 'trans._($X.format(...))' napari
+          semgrep --error --lang python --pattern "trans._(\$X.format(...))" napari
 
   build_wheel:
     name: Build wheel
@@ -89,11 +89,13 @@ jobs:
             backend: pyqt5
             pydantic: "_pydantic_1"
             coverage: no_cov
+            min_req: ""
           - python: 3.12
             platform: ubuntu-latest
             backend: pyqt6
             pydantic: ""
             coverage: no_cov
+            min_req: ""
     with:
       python_version: ${{ matrix.python }}
       platform: ${{ matrix.platform }}
@@ -166,7 +168,6 @@ jobs:
       qt_backend: ${{ matrix.backend }}
       min_req: ${{ matrix.MIN_REQ }}
       coverage: ${{ matrix.coverage }}
-      toxenv: ${{ matrix.toxenv }}
       tox_extras: ${{ matrix.tox_extras }}
       constraints_suffix: ${{ matrix.pydantic }}
 
@@ -200,7 +201,7 @@ jobs:
   test_benchmarks:
     name: test benchmarks
     runs-on: ubuntu-latest
-#    needs: test_initial
+    needs: test_initial
     timeout-minutes: 60
     env:
       GIT_LFS_SKIP_SMUDGE: 1
@@ -229,7 +230,7 @@ jobs:
       - name: install dependencies
         run: |
           pip install --upgrade pip
-          pip install asv[virtualenv]
+          pip install "asv[virtualenv]"
         env:
           PIP_CONSTRAINT: resources/constraints/benchmark.txt
 

diff --git a/.github/workflows/test_translations.yml b/.github/workflows/test_translations.yml
@@ -22,8 +22,8 @@ jobs:
           cache-dependency-path: pyproject.toml
       - name: Install napari
         run: |
-          pip install -e .[all]
-          pip install -e .[testing]
+          pip install -e ".[all]"
+          pip install -e ".[testing]"
       - name: Run check
         run: |
           python -m pytest -Wignore tools/ --tb=short

diff --git a/.github/workflows/upgrade_test_constraints.yml b/.github/workflows/upgrade_test_constraints.yml
@@ -86,11 +86,11 @@ jobs:
               "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_number" \
           )
 
-          FULL_NAME=$(echo $PR_data  | jq -r .head.repo.full_name)
-          echo "FULL_NAME=$FULL_NAME" >> $GITHUB_ENV
+          FULL_NAME=$(echo "${PR_data}"  | jq -r .head.repo.full_name)
+          echo "FULL_NAME=$FULL_NAME" >> "$GITHUB_ENV"
 
-          BRANCH=$(echo $PR_data  | jq -r .head.ref)
-          echo "BRANCH=$BRANCH" >> $GITHUB_ENV
+          BRANCH=$(echo "${PR_data}"  | jq -r .head.ref)
+          echo "BRANCH=$BRANCH" >> "$GITHUB_ENV"
 
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -99,8 +99,8 @@ jobs:
         # when schedule or workflow_dispatch triggers workflow, then we need to get info about which branch to use
         if: github.event_name != 'issue_comment' && github.event_name != 'pull_request'
         run: |
-          echo "FULL_NAME=${{ github.repository }}" >> $GITHUB_ENV
-          echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
+          echo "FULL_NAME=${{ github.repository }}" >> "$GITHUB_ENV"
+          echo "BRANCH=${{ github.ref_name }}" >> "$GITHUB_ENV"
 
       - uses: actions/checkout@v4
         with:
@@ -156,35 +156,29 @@ jobs:
         run: |
           set -x
           pip install -U uv
-          flags="--quiet"
+          flags=(--quiet --extra pyqt5 --extra pyqt6 --extra pyside2 --extra pyside6_experimental --extra testing --extra testing_extra --extra optional)
+
           # Explanation of below commands
           # uv pip compile --python-version 3.9 - call uv pip compile but ensure proper interpreter
           # --upgrade upgrade to the latest possible version. Without this pip-compile will take a look to output files and reuse versions (so will ad something on when adding dependency.
           # -o resources/constraints/constraints_py3.9.txt - output file
           # pyproject.toml resources/constraints/version_denylist.txt - source files. the resources/constraints/version_denylist.txt - contains our test specific constraints like pytes-cov`
           #
           # --extra pyqt5 etc - names of extra sections from pyproject.toml that should be checked for the dependencies list (maybe we could create a super extra section to collect them all in)
-          flags+=" --extra pyqt5"
-          flags+=" --extra pyqt6"
-          flags+=" --extra pyside2"
-          flags+=" --extra pyside6_experimental"
-          flags+=" --extra testing"
-          flags+=" --extra testing_extra"
-          flags+=" --extra optional"
           prefix="napari_repo"
           pyproject_toml="${prefix}/pyproject.toml"
           constraints="${prefix}/resources/constraints"
 
 
           for pyv in 3.9 3.10 3.11 3.12; do
-            uv pip compile --python-version ${pyv} --upgrade --output-file $constraints/constraints_py${pyv}.txt  $pyproject_toml $constraints/version_denylist.txt ${flags}
-            uv pip compile --python-version ${pyv} --upgrade --output-file $constraints/constraints_py${pyv}_pydantic_1.txt  $pyproject_toml $constraints/version_denylist.txt $constraints/pydantic_le_2.txt ${flags}
-            uv pip compile --python-platform aarch64-apple-darwin  --python-version ${pyv} --upgrade --output-file $constraints/constraints_py${pyv}_macos_arm.txt  $pyproject_toml $constraints/version_denylist.txt ${flags}
+            uv pip compile --python-version ${pyv} --upgrade --output-file $constraints/constraints_py${pyv}.txt  $pyproject_toml $constraints/version_denylist.txt "${flags[@]}"
+            uv pip compile --python-version ${pyv} --upgrade --output-file $constraints/constraints_py${pyv}_pydantic_1.txt  $pyproject_toml $constraints/version_denylist.txt $constraints/pydantic_le_2.txt "${flags[@]}"
+            uv pip compile --python-platform aarch64-apple-darwin  --python-version ${pyv} --upgrade --output-file $constraints/constraints_py${pyv}_macos_arm.txt  $pyproject_toml $constraints/version_denylist.txt "${flags[@]}"
           done
 
 
-          uv pip compile --python-version 3.9 --upgrade --output-file $constraints/constraints_py3.9_examples.txt $pyproject_toml $constraints/version_denylist.txt resources/constraints/version_denylist_examples.txt ${flags}
-          uv pip compile --python-version 3.10 --upgrade --output-file $constraints/constraints_py3.10_docs.txt $pyproject_toml $constraints/version_denylist.txt resources/constraints/version_denylist_examples.txt docs/requirements.txt $constraints/pydantic_le_2.txt ${flags}
+          uv pip compile --python-version 3.9 --upgrade --output-file $constraints/constraints_py3.9_examples.txt $pyproject_toml $constraints/version_denylist.txt resources/constraints/version_denylist_examples.txt "${flags[@]}"
+          uv pip compile --python-version 3.10 --upgrade --output-file $constraints/constraints_py3.10_docs.txt $pyproject_toml $constraints/version_denylist.txt resources/constraints/version_denylist_examples.txt docs/requirements.txt $constraints/pydantic_le_2.txt "${flags[@]}"
           uv pip compile --python-version 3.11 --upgrade --output-file ${prefix}/resources/requirements_mypy.txt ${prefix}/resources/requirements_mypy.in
 
       # END PYTHON DEPENDENCIES