attrs/.github/workflows/ci.yml

---
name: CI

on:
  push:
    branches: [main]
    tags: ["*"]
  pull_request:
    branches: [main]
  workflow_dispatch:

env:
  FORCE_COLOR: "1" # Make tools pretty.
  TOX_TESTENV_PASSENV: FORCE_COLOR
  PIP_DISABLE_PIP_VERSION_CHECK: "1"
  PIP_NO_PYTHON_VERSION_WARNING: "1"
  PYTHON_LATEST: "3.11"

permissions:
  contents: read

jobs:
  tests:
    name: tox on ${{ matrix.python-version }}
    runs-on: ubuntu-20.04

    strategy:
      fail-fast: false
      matrix:
        python-version:
          - "3.6"
          - "3.7"
          - "3.8"
          - "3.9"
          - "3.10"
          - "3.11"
          - "~3.12.0-0"
          - "pypy-3.7"
          - "pypy-3.8"

    continue-on-error: >-
      ${{ contains(matrix.python-version, '~') && true || false }}      

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443            
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install dependencies
        run: |
          python -VV
          python -m site
          python -m pip install --upgrade wheel tox tox-gh-actions          

      - run: python -m tox

      - name: Upload coverage data
        uses: actions/upload-artifact@v3
        with:
          name: coverage-data
          path: .coverage.*
          if-no-files-found: ignore

  coverage:
    runs-on: ubuntu-latest
    needs: tests

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
            api.github.com:443            

      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          # Use latest Python, so it understands all syntax.
          python-version: ${{env.PYTHON_LATEST}}

      - run: python -m pip install --upgrade coverage[toml]

      - name: Download coverage data
        uses: actions/download-artifact@v3
        with:
          name: coverage-data

      - name: Combine coverage and fail if it's <100%.
        run: |
          python -m coverage combine
          python -m coverage html --skip-covered --skip-empty
          python -m coverage report --fail-under=100          

      - name: Upload HTML report if check failed.
        uses: actions/upload-artifact@v3
        with:
          name: html-report
          path: htmlcov
        if: ${{ failure() }}

  docs:
    name: Build docs & run doctests
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            docs.python.org:443
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443            

      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.10"

      - run: python -m pip install --upgrade wheel tox
      - run: python -m tox -e docs

  pyright:
    name: Check types using pyright
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            nodejs.org:443
            pypi.org:443
            registry.npmjs.org:443
            api.github.com:443            

      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: ${{env.PYTHON_LATEST}}

      - run: python -m pip install --upgrade wheel tox
      - run: python -m tox -e pyright

  package:
    name: Build & verify package
    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443            

      - uses: actions/checkout@v3
      - uses: hynek/build-and-inspect-python-package@v1

  install-dev:
    name: Verify dev env
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest]

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
            api.github.com:443            
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: ${{env.PYTHON_LATEST}}
      - run: python -m pip install -e .[dev]
      - run: python -c 'import attr; print(attr.__version__)'

  # Ensure everything required is passing for branch protection.
  required-checks-pass:
    if: always()

    needs:
      - coverage
      - docs
      - install-dev
      - package
      - pyright

    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443            
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}