(RHIZA) WEEKLY #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
name: '(RHIZA) WEEKLY'

# Weekly checks that are too slow or too noisy to run on every push.
#
#   dep-compat-test  Resolves every dependency fresh (the lockfile is ignored)
#                    and runs the full test suite, so that newly released
#                    packages that break compatibility are caught before
#                    Renovate proposes them.
#   semgrep          Runs `make semgrep`.
#   pip-audit        Runs `uvx pip-audit` (dependency vulnerability scan).
#   link-check       Verifies that the hyperlinks in README.md are reachable.
#
# All jobs run on the weekly schedule or on manual dispatch only.

# Workflow-wide GITHUB_TOKEN scope: read access to repository contents.
# Scopes not listed here are not granted.
permissions:
  contents: read

on:
  # Push / pull-request triggers are intentionally disabled:
  # push:
  #   branches: [main]
  #   paths: [README.md]
  # pull_request:
  #   paths: [README.md]
  schedule:
    # Every Monday at 08:00 UTC
    - cron: '0 8 * * 1'
  workflow_dispatch:
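# NOTE(review): every third-party action below is referenced by a tag
# (`@v6.0.2`, `@v7.6.0`, `@v2`). Tags are mutable; pinning each `uses:` to the
# full commit SHA of the reviewed release (with the tag kept as a trailing
# comment) makes the executed code immutable. `lycheeverse/lychee-action@v2`
# is a floating major tag and moves with every release.
jobs:
  dep-compat-test:
    name: Test with latest compatible dependencies
    runs-on: ubuntu-latest
    # if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6.0.2
        with:
          lfs: true
          # This job later installs freshly resolved (unreviewed) package
          # versions and runs their code; do not leave the GITHUB_TOKEN in
          # .git/config for those steps. Nothing in this job pushes.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v7.6.0
        with:
          version: "0.11.2"

      # NOTE(review): the local action is not visible here. If it stores
      # GH_PAT in git configuration, the token stays readable by every later
      # step, including the test run against upgraded dependencies. Confirm
      # the PAT is fine-grained and read-only for the private packages only.
      - name: Configure git auth for private packages
        uses: ./.github/actions/configure-git-auth
        with:
          token: ${{ secrets.GH_PAT }}

      - name: Resolve and install latest compatible dependencies
        env:
          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
        run: |
          # --upgrade ignores the committed lockfile and resolves the newest
          # versions that satisfy pyproject.toml constraints.
          uv sync --upgrade

      - name: Show resolved package versions
        run: |
          echo "=== Installed package versions ==="
          uv pip list

      # NOTE(review): the index URL is a secret and is exposed to the test
      # process, which executes the newly upgraded packages. Confirm that
      # `make test` actually needs it; drop the env entry if it does not.
      - name: Run tests
        env:
          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
        run: make test

  semgrep:
    name: Semgrep (numpy)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          # Read-only scan; the token is not needed after checkout.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v7.6.0
        with:
          version: "0.11.2"

      - name: Configure git auth for private packages
        uses: ./.github/actions/configure-git-auth
        with:
          token: ${{ secrets.GH_PAT }}

      - name: Run Semgrep
        env:
          UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
        run: make semgrep

  pip-audit:
    name: Dependency vulnerability scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v7.6.0
        with:
          version: "0.11.2"

      # NOTE(review): this job never installs the project's dependencies, and
      # `uvx` runs the tool in its own isolated environment. Confirm the scan
      # covers the project's dependency set (for example by auditing an
      # exported requirements file) and not only the tool's environment.
      # pip-audit itself is also unpinned here, unlike uv above.
      - name: Run pip-audit
        run: uvx pip-audit

  link-check:
    name: Check links in README.md
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false

      - name: Check links in README.md
        uses: lycheeverse/lychee-action@v2
        with:
          # Folded scalar: the lines below are joined into one argument string.
          args: >-
            --verbose
            --no-progress
            --accept 200,206,429
            README.md
          # Fail the job when a link is not reachable.
          fail: true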