Skip to content

Commit fa61c12

Browse files
authored
Enhance actions and tidy up code (#78)
* Add zizmor * Update the ruff action * Pin actions to commit hashes * Tidy up based on code quality checks
1 parent 001b666 commit fa61c12

6 files changed

Lines changed: 185 additions & 66 deletions

File tree

.github/workflows/publish.yml

Lines changed: 50 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -4,21 +4,39 @@ on:
44
release:
55
types: [published]
66

7+
concurrency:
8+
group: ${{ github.workflow }}-${{ github.ref }}
9+
cancel-in-progress: true
10+
11+
permissions: {}
12+
713
jobs:
814
build:
15+
name: Build
916
runs-on: ubuntu-latest
1017
permissions:
1118
contents: read # to fetch code (actions/checkout)
1219
steps:
13-
- uses: actions/checkout@v4
20+
- name: Harden Runner
21+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
22+
with:
23+
disable-sudo: true
24+
egress-policy: block
25+
allowed-endpoints: >
26+
files.pythonhosted.org:443
27+
objects.githubusercontent.com:443
28+
github.com:443
29+
pypi.org:443
30+
api.github.com:443
31+
32+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1433
with:
1534
fetch-depth: 0
35+
persist-credentials: false
1636

17-
- uses: actions/setup-python@v5
37+
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
1838
with:
1939
python-version: '3.14'
20-
cache: "pip"
21-
cache-dependency-path: "**/pyproject.toml"
2240

2341
- name: ⬇️ Install build dependencies
2442
run: |
@@ -27,25 +45,44 @@ jobs:
2745
- name: 🏗️ Build
2846
run: python -Im flit build
2947

30-
- uses: actions/upload-artifact@v4
48+
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
3149
with:
3250
path: ./dist
3351

3452
# https://docs.pypi.org/trusted-publishers/using-a-publisher/
35-
pypi-publish:
36-
needs: build
37-
environment: 'publish'
38-
53+
publish-pypi:
3954
name: ⬆️ Upload release to PyPI
55+
environment: 'publish'
4056
runs-on: ubuntu-latest
57+
needs: build
58+
4159
permissions:
4260
# Mandatory for trusted publishing
4361
id-token: write
62+
4463
steps:
45-
- uses: actions/download-artifact@v4
64+
- name: 🔒 Harden Runner
65+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
66+
with:
67+
disable-sudo: true
68+
egress-policy: block
69+
allowed-endpoints: >
70+
github.com:443
71+
api.github.com:443
72+
ghcr.io:443
73+
pkg-containers.githubusercontent.com:443
74+
pypi.org:443
75+
upload.pypi.org:443
76+
files.pythonhosted.org:443
77+
fulcio.sigstore.dev:443
78+
rekor.sigstore.dev:443
79+
tuf-repo-cdn.sigstore.dev:443
80+
81+
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
82+
with:
83+
path: dist
4684

4785
- name: 🚀 Publish package distributions to PyPI
48-
uses: pypa/gh-action-pypi-publish@release/v1
86+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
4987
with:
50-
packages-dir: artifact/
51-
print-hash: true
88+
attestations: true

.github/workflows/ruff.yml

Lines changed: 29 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -8,16 +8,39 @@ on:
88
pull_request:
99
branches: [main]
1010

11+
concurrency:
12+
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
13+
cancel-in-progress: true
14+
15+
permissions: {}
16+
1117
jobs:
1218
ruff:
19+
name: Ruff
1320
runs-on: ubuntu-latest
21+
permissions:
22+
contents: read # to fetch code (actions/checkout)
1423

1524
steps:
16-
- uses: actions/checkout@v4
25+
- name: Harden Runner
26+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
27+
with:
28+
disable-sudo: true
29+
egress-policy: block
30+
allowed-endpoints: >
31+
files.pythonhosted.org:443
32+
objects.githubusercontent.com:443
33+
github.com:443
34+
pypi.org:443
35+
api.github.com:443
36+
37+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
38+
with:
39+
persist-credentials: false
1740

18-
# Keep in sync with .pre-commit-config.yaml
19-
- run: python -Im pip install --user ruff==0.15.12
41+
# Keep in sync with .pre-commit-config.yaml
42+
- run: python -Im pip install --user ruff==0.15.14
2043

21-
- name: Run ruff
22-
working-directory: ./src
23-
run: ruff check --output-format=github wagtail_headless_preview
44+
- name: Run ruff
45+
working-directory: ./src
46+
run: ruff check --output-format=github wagtail_headless_preview

.github/workflows/test.yml

Lines changed: 72 additions & 44 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ on:
77
branches: [main]
88

99
concurrency:
10-
group: ${{ github.head_ref || github.run_id }}
10+
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
1111
cancel-in-progress: true
1212

1313
permissions:
@@ -30,61 +30,89 @@ jobs:
3030
python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
3131

3232
steps:
33-
- uses: actions/checkout@v4
34-
35-
- name: 🐍 Set up Python ${{ matrix.python-version }}
36-
uses: actions/setup-python@v5
37-
with:
38-
python-version: ${{ matrix.python-version }}
39-
40-
- name: 🌍 Start dummy client
41-
uses: Eun/http-server-action@v1
42-
with:
43-
directory: ${{ github.workspace }}/wagtail_headless_preview/tests/client
44-
port: 8020
45-
no-cache: false
46-
content-types: |
47-
{
48-
"html": "text/html",
49-
"js": "text/javascript",
50-
"json": "application/json",
51-
"txt": "text/plain"
52-
}
53-
54-
- name: ⬇️ Install dependencies
55-
run: |
56-
python -Im pip install --upgrade pip setuptools wheel flit tox tox-gh-actions
57-
58-
- name: 🏗️ Build wheel
59-
run: python -Im flit build --format wheel
60-
61-
- name: 🧪 Run tox targets for Python ${{ matrix.python-version }}
62-
run: tox --installpkg ./dist/*.whl
63-
64-
- name: ⬆️ Upload coverage data
65-
uses: actions/upload-artifact@v4
66-
with:
67-
name: coverage-data-${{ matrix.python-version }}
68-
path: .coverage.*
69-
if-no-files-found: ignore
70-
include-hidden-files: true
71-
retention-days: 1
33+
- name: Harden Runner
34+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
35+
with:
36+
disable-sudo: true
37+
egress-policy: block
38+
allowed-endpoints: >
39+
files.pythonhosted.org:443
40+
objects.githubusercontent.com:443
41+
github.com:443
42+
pypi.org:443
43+
api.github.com:443
44+
45+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
46+
with:
47+
persist-credentials: false
48+
49+
- name: 🐍 Set up Python ${{ matrix.python-version }}
50+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
51+
with:
52+
python-version: ${{ matrix.python-version }}
53+
54+
- name: 🌍 Start dummy client
55+
uses: Eun/http-server-action@dadebd209d4a902eeefceb524c24c38b364c46a7 # v1.0.13
56+
with:
57+
directory: ${{ github.workspace }}/wagtail_headless_preview/tests/client
58+
port: 8020
59+
no-cache: false
60+
content-types: |
61+
{
62+
"html": "text/html",
63+
"js": "text/javascript",
64+
"json": "application/json",
65+
"txt": "text/plain"
66+
}
67+
68+
- name: ⬇️ Install dependencies
69+
run: |
70+
python -Im pip install --upgrade pip setuptools wheel flit tox tox-gh-actions
71+
72+
- name: 🏗️ Build wheel
73+
run: python -Im flit build --format wheel
74+
75+
- name: 🧪 Run tox targets for Python ${{ matrix.python-version }}
76+
run: tox --installpkg ./dist/*.whl
77+
78+
- name: ⬆️ Upload coverage data
79+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
80+
with:
81+
name: coverage-data-${{ matrix.python-version }}
82+
path: .coverage.*
83+
if-no-files-found: ignore
84+
include-hidden-files: true
85+
retention-days: 1
7286

7387
coverage:
88+
name: Combine & check coverage.
7489
runs-on: ubuntu-latest
7590
needs: tests
7691

7792
steps:
78-
- uses: actions/checkout@v4
79-
- uses: actions/setup-python@v5
93+
- name: Harden Runner
94+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
95+
with:
96+
disable-sudo: true
97+
egress-policy: block
98+
allowed-endpoints: >
99+
files.pythonhosted.org:443
100+
objects.githubusercontent.com:443
101+
github.com:443
102+
pypi.org:443
103+
api.github.com:443
104+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
105+
with:
106+
persist-credentials: false
107+
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
80108
with:
81109
# Use latest Python, so it understands all syntax.
82110
python-version: ${{env.PYTHON_LATEST}}
83111

84112
- run: python -Im pip install --upgrade coverage[toml]
85113

86114
- name: Download coverage data
87-
uses: actions/download-artifact@v4
115+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
88116
with:
89117
pattern: coverage-data-*
90118
merge-multiple: true
@@ -98,7 +126,7 @@ jobs:
98126
python -Im coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
99127
100128
- name: 📈 Upload HTML report if check failed.
101-
uses: actions/upload-artifact@v4
129+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
102130
with:
103131
name: html-report
104132
path: htmlcov

.github/workflows/zizmor.yml

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
# https://github.com/woodruffw/zizmor
2+
name: Zizmor 🌈
3+
4+
on:
5+
push:
6+
branches: ["main"]
7+
pull_request:
8+
branches: ["**"]
9+
10+
concurrency:
11+
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
12+
cancel-in-progress: true
13+
14+
permissions: {}
15+
16+
jobs:
17+
zizmor:
18+
name: Run zizmor 🌈
19+
runs-on: ubuntu-latest
20+
permissions:
21+
security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
22+
steps:
23+
- name: Checkout repository
24+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
25+
with:
26+
persist-credentials: false
27+
28+
- name: Run zizmor 🌈
29+
uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
30+
with:
31+
persona: pedantic

.pre-commit-config.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ repos:
1818
- id: trailing-whitespace
1919
- repo: https://github.com/astral-sh/ruff-pre-commit
2020
# keep in sync with .github/workflows/ruff.yml
21-
rev: 'v0.15.12'
21+
rev: 'v0.15.14'
2222
hooks:
2323
- id: ruff
2424
args: [--fix, --exit-non-zero-on-fix]

src/wagtail_headless_preview/models.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -89,7 +89,7 @@ def get_page_from_preview_token(cls, token: str) -> Optional["Page"]:
8989
content_type=content_type, token=token
9090
).as_page()
9191
except PagePreview.DoesNotExist:
92-
return
92+
return None
9393

9494
def update_page_preview(self, token: str) -> PagePreview:
9595
return PagePreview.objects.update_or_create(
@@ -122,7 +122,7 @@ def get_preview_url(self, request: "HttpRequest", token: str) -> str:
122122
+ urlencode({"content_type": self.get_content_type_str(), "token": token})
123123
)
124124

125-
def serve_preview(self, request: "HttpRequest", preview_mode):
125+
def serve_preview(self, request: "HttpRequest", preview_mode: str):
126126
PagePreview.garbage_collect()
127127
page_preview = self.create_page_preview()
128128
page_preview.save()

0 commit comments

Comments
 (0)