From a60d9b7c6bfe47a8473ad58e9ca621e54b8b4ffd Mon Sep 17 00:00:00 2001
From: "Christopher J. Markiewicz"
Date: Fri, 16 Apr 2021 09:13:18 -0400
Subject: [PATCH 1/2] CI: Submit coverage to codecov via pinned PyPI pkg

Following a security incident at Codecov, the GitHub action should be considered unsafe as it internally runs `curl | bash`. Moving to our CI scripts.

---
 .github/workflows/misc.yml | 5 ++---
 .github/workflows/pre-release.yml | 5 ++---
 .github/workflows/stable.yml | 5 ++---
 tools/ci/submit_coverage.sh | 21 +++++++++++++++++++++
 4 files changed, 27 insertions(+), 9 deletions(-)
 create mode 100755 tools/ci/submit_coverage.sh

diff --git a/.github/workflows/misc.yml b/.github/workflows/misc.yml
index 677cada4f2..12e621c957 100644
--- a/.github/workflows/misc.yml
+++ b/.github/workflows/misc.yml
@@ -51,9 +51,8 @@ jobs:
 - name: Run tests
 run: tools/ci/check.sh
 if: ${{ matrix.check != 'skiptests' }}
- - uses: codecov/codecov-action@v1
- with:
- file: for_testing/coverage.xml
+ - name: Submit coverage
+ run: tools/ci/submit_coverage.sh
 if: ${{ always() }}
 - name: Upload pytest test results
 uses: actions/upload-artifact@v2
diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
index 7dc9a035f5..91a99c4e2a 100644
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@@ -74,9 +74,8 @@ jobs:
 - name: Run tests
 run: tools/ci/check.sh
 if: ${{ matrix.check != 'skiptests' }}
- - uses: codecov/codecov-action@v1
- with:
- file: for_testing/coverage.xml
+ - name: Submit coverage
+ run: tools/ci/submit_coverage.sh
 if: ${{ always() }}
 - name: Upload pytest test results
 uses: actions/upload-artifact@v2
diff --git a/.github/workflows/stable.yml b/.github/workflows/stable.yml
index 60aaeae80c..babcf8738d 100644
--- a/.github/workflows/stable.yml
+++ b/.github/workflows/stable.yml
@@ -117,9 +117,8 @@ jobs:
 - name: Run tests
 run: tools/ci/check.sh
 if: ${{ matrix.check != 'skiptests' }}
- - uses: codecov/codecov-action@v1
- with:
- file: for_testing/coverage.xml
+ - name: Submit coverage
+ run: tools/ci/submit_coverage.sh
 if: ${{ always() }}
 - name: Upload pytest test results
 uses: actions/upload-artifact@v2
diff --git a/tools/ci/submit_coverage.sh b/tools/ci/submit_coverage.sh
new file mode 100755
index 0000000000..17bfe3933b
--- /dev/null
+++ b/tools/ci/submit_coverage.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+echo Submitting coverage
+
+source tools/ci/activate.sh
+
+set -eu
+
+set -x
+
+COVERAGE_FILE="for_testing/coverage.xml"
+
+if [ -e "$COVERAGE_FILE" ]; then
+ # Pin codecov version to reduce scope for malicious updates
+ python -m pip install "codecov==2.1.11"
+ python -m codecov --file for_testing/coverage.xml
+fi
+
+set +eux
+
+echo Done submitting coverage

From 710dadb37e8f2f0367396af824fe072a2dddd835 Mon Sep 17 00:00:00 2001
From: "Christopher J. Markiewicz"
Date: Fri, 16 Apr 2021 09:55:36 -0400
Subject: [PATCH 2/2] MNT: Skip pytest-doctestplus 0.9.0 due to unlisted packaging requirement

---
 setup.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.cfg b/setup.cfg
index 67ee2356c8..e4a706467f 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -59,7 +59,7 @@ test =
 coverage
 pytest !=5.3.4
 pytest-cov
- pytest-doctestplus
+ pytest-doctestplus !=0.9.0
 all =
 %(dicomfs)s
 %(dev)s
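Review bot: In tools/ci/submit_coverage.sh the upload line `python -m codecov --file for_testing/coverage.xml` repeats the path literally even though `COVERAGE_FILE` was defined two lines earlier for exactly this purpose; use `python -m codecov --file "$COVERAGE_FILE"` so the existence check and the upload cannot drift apart. The `codecov==2.1.11` pin narrows the window for a malicious new release, but pip still resolves the client's transitive dependencies unpinned and a version-only pin carries no integrity check, so a hash-pinned requirements file installed with `--require-hashes` would be the stronger control the commit message is reaching for. Since `set -x` is switched on before the install and upload, keep the Codecov token in the environment rather than passing it on the command line, otherwise the trace echoes it into the job log. `source tools/ci/activate.sh` also runs before `set -eu`, so a failed activation does not abort the script; if that ordering is deliberate, a one-line comment saying so would save the next reader from "fixing" it.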