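---
# CI workflow: secret scanning, lockfile verification, and a cross-platform
# build/test matrix. Runs on every push and pull request, plus a nightly
# schedule that additionally enables the stress and network test paths.
name: CI

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["**"]
  schedule:
    # Nightly run; GitHub evaluates cron expressions in UTC.
    - cron: '0 3 * * *'

# Least privilege for the automatic GITHUB_TOKEN: every job gets read-only
# repository access unless it declares its own permissions block.
permissions:
  contents: read

jobs:
  secret-scan:
    name: Secret Scan
    runs-on: ubuntu-latest
    # Direct pushes are not scanned by this job; a commit is covered only once
    # a pull request is opened for it or the nightly schedule runs.
    if: github.event_name == 'pull_request' || github.event_name == 'schedule'
    permissions:
      contents: read
      # GITHUB_TOKEN is handed to gitleaks-action below; pull-request write
      # access is kept so the action can report findings on the PR.
      # NOTE(review): confirm the action needs no further scopes.
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so the scan covers every commit, not just the tip.
          fetch-depth: 0
      - name: Run gitleaks
        # Third-party actions in this file (this one and msys2/setup-msys2)
        # are referenced by mutable tag. Pinning each to a full commit SHA
        # keeps a retagged release from running with this job's token.
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_CONFIG: .gitleaks.toml

  lock-check:
    name: Lock Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        # The installer is fetched unpinned and piped straight into a shell,
        # so whatever the URL serves at run time executes on the runner.
        # Prefer a pinned release (https://astral.sh/uv/<PINNED_VERSION>/install.sh)
        # and verify its checksum before executing it.
        run: |
          curl -LsSf https://astral.sh/uv/install.sh | sh
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - name: Compile lockfile
        run: uv pip compile --python-version 3.11 --emit-index-url src/requirements.txt -o requirements.lock
      - name: Verify lockfile
        # Fails the job when the committed lockfile differs from a fresh compile.
        run: git diff --exit-code requirements.lock

  build:
    needs: lock-check
    strategy:
      matrix:
        os:
          - ubuntu-latest
          - windows-latest
          - macos-latest
        python-version: ["3.11"]
        # Windows is tested on 3.10 instead of 3.11.
        exclude:
          - os: windows-latest
            python-version: "3.11"
        include:
          - os: windows-latest
            python-version: "3.10"
    runs-on: ${{ matrix.os }}
    env:
      HYPOTHESIS_SEED: "123456"
    steps:
      # Aligned with the checkout version the other jobs already use.
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install build tools (Linux/macOS)
        if: runner.os != 'Windows'
        shell: bash
        run: |
          if [ "$RUNNER_OS" = "Linux" ]; then
            sudo apt-get update
            sudo apt-get install -y pkg-config build-essential
          else
            brew install pkg-config
          fi
      - name: Install MSYS2 toolchain
        if: runner.os == 'Windows'
        id: msys
        uses: msys2/setup-msys2@v2
        with:
          update: true
          install: >-
            mingw-w64-x86_64-toolchain
            base-devel
      - name: Set PKG_CONFIG_PATH
        if: runner.os == 'Windows'
        shell: bash
        run: echo "PKG_CONFIG_PATH=${{ steps.msys.outputs.msys2-location }}/mingw64/lib/pkgconfig" >> "$GITHUB_ENV"
      - name: Add MSYS2 tools to PATH
        if: runner.os == 'Windows'
        shell: bash
        run: echo "${{ steps.msys.outputs.msys2-location }}/mingw64/bin" >> "$GITHUB_PATH"
      - name: Cache dependencies
        uses: actions/cache@v3
        with:
          path: ~/.cache/uv
          key: ${{ runner.os }}-uv-${{ hashFiles('requirements.lock') }}
          restore-keys: |
            ${{ runner.os }}-uv-
      - name: Install uv
        # The script uses POSIX redirection into $GITHUB_PATH. The default
        # shell on Windows runners is PowerShell, where that variable is not
        # set, so bash is requested explicitly like the sibling steps do.
        # The installer is unpinned and piped into a shell; prefer a pinned
        # release (https://astral.sh/uv/<PINNED_VERSION>/install.sh) with a
        # verified checksum.
        shell: bash
        run: |
          curl -LsSf https://astral.sh/uv/install.sh | sh
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - name: Sync dependencies
        run: uv pip sync --frozen requirements.lock
      - name: Run dependency scan
        # This advisory is excluded from the scan and the justification is not
        # recorded in this file. Keep the reason and a review date next to the
        # suppression so it does not outlive its cause.
        run: scripts/dependency_scan.sh --ignore-vuln GHSA-wj6h-64fc-37mp
      - name: Determine stress args
        shell: bash
        # Reads the event name from the runner-provided environment variable
        # rather than expanding a workflow expression into the script text.
        run: |
          if [ "$GITHUB_EVENT_NAME" = "schedule" ]; then
            echo "STRESS_ARGS=--stress" >> "$GITHUB_ENV"
          fi
      - name: Enable Nostr network tests on main branch or nightly
        if: github.ref == 'refs/heads/main' || github.event_name == 'schedule'
        # bash is requested explicitly: the redirect into $GITHUB_ENV is POSIX
        # shell syntax and this job also runs on Windows.
        shell: bash
        run: echo "NOSTR_E2E=1" >> "$GITHUB_ENV"
      - name: Run tests with coverage
        timeout-minutes: 16
        shell: bash
        run: scripts/run_ci_tests.sh
      - name: Run desktop tests
        timeout-minutes: 10
        shell: bash
        env:
          TOGA_BACKEND: toga_dummy
        run: scripts/run_gui_tests.sh
      # Logs are uploaded even when an earlier step failed, so failures can be
      # diagnosed from the artifacts.
      - name: Upload pytest log
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pytest-log-${{ matrix.os }}
          path: pytest.log
      - name: Upload GUI pytest log
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: gui-pytest-log-${{ matrix.os }}
          path: pytest_gui.log
      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        with:
          name: coverage-xml-${{ matrix.os }}
          path: coverage.xml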