Skip to content

CI checks for pull_request by dependabot[bot] #384

CI checks for pull_request by dependabot[bot]

CI checks for pull_request by dependabot[bot] #384

Workflow file for this run

# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# OpenFermion continuous integration status checks.
#
# This workflow runs various tests to verify that changes to the OpenFermion
# codebase pass validation and conform to project format and style standards.
# It triggers on certain events such as pull requests and merge-queue merges,
# and can also be invoked manually via the "Run workflow" button at
# https://github.com/quantumlib/OpenFermion/actions/workflows/ci.yaml
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
name: Continuous integration checks
run-name: CI checks for ${{github.event_name}} by ${{github.actor}}
on:
pull_request:
types: [opened, synchronize]
branches:
- main
merge_group:
types:
- checks_requested
# Allow manual invocation.
workflow_dispatch:
inputs:
sha:
description: 'SHA of commit to run against:'
type: string
required: true
python_ver:
description: Normal version of Python to use
type: string
python_compat_ver:
description: Max compat version of Python
type: string
# Declare default permissions as read only.
permissions: read-all
concurrency:
# Cancel any previously-started but still active runs on the same branch.
cancel-in-progress: true
group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
env:
# Default Python version to use. Make sure to use full x.y.z number.
python_ver: '3.12.8'
# Oldest Python version to use, for max_compat tests.
python_compat_ver: '3.11.9'
# Files listing dependencies we install using pip in the various jobs below.
# This is used by setup-python to check whether its cache needs updating.
python_dep_files: >-
dev_tools/requirements/envs/format.env.txt
dev_tools/requirements/envs/mypy.env.txt
dev_tools/requirements/envs/pylint.env.txt
dev_tools/requirements/envs/pytest-extra.env.txt
dev_tools/requirements/envs/pytest.env.txt
dev_tools/requirements/max_compat/pytest-max-compat.env.txt
jobs:
# GitHub Actions can have path filters (i.e., the use of a "paths:" keyword
# on the trigger definitions in the "on:" block earlier in this file). Path
# filters *would* be the natural way to make workflows trigger only when the
# desired files are affected by a pull request – except that the way branch
# protection rules work today is: "If a workflow is skipped due to path
# filtering [...] then checks associated with that workflow will remain in a
# Pending state. A pull request that requires those checks to be successful
# will be blocked from merging." Surprisingly, GitHub doesn't provide
# guidance on how to handle this. Discussions about solutions sometimes
# suggest hacky solutions (c.f. https://stackoverflow.com/a/78003720/743730).
# The approach taken here is to forgo the use of path filtering rules in the
# trigger condition, and instead, do our own filtering using a combination
# of testing specific file patterns (in the changes job below) and "if:"
# conditions on individual jobs in the rest of this workflow.
changes:
name: (Find changed files)
runs-on: ubuntu-24.04
timeout-minutes: 5
outputs:
gha: ${{steps.filter.outputs.gha}}
gha_files: ${{steps.filter.outputs.gha_files}}
# The rest all test both the relevant files and ALSO tools & scripts b/c
# a change in the CI workflows or scripts can affect the check results.
python: ${{steps.filter.outputs.python || steps.filter.outputs.ci}}
python_files: ${{steps.filter.outputs.python_files}}
yaml: ${{steps.filter.outputs.yaml || steps.filter.outputs.ci}}
yaml_files: ${{steps.filter.outputs.yaml_files}}
cff: ${{steps.filter.outputs.cff || steps.filter.outputs.ci}}
cff_files: ${{steps.filter.outputs.cff_files}}
json: ${{steps.filter.outputs.json || steps.filter.outputs.ci}}
json_files: ${{steps.filter.outputs.json_files}}
docker: ${{steps.filter.outputs.docker || steps.filter.outputs.ci}}
docker_files: ${{steps.filter.outputs.docker_files}}
requirements: ${{steps.filter.outputs.requirements || steps.filter.outputs.ci}}
requirements_files: ${{steps.filter.outputs.requirements_files}}
shell: ${{steps.filter.outputs.shell || steps.filter.outputs.ci}}
shell_files: ${{steps.filter.outputs.shell_files}}
steps:
# When invoked manually, use the given SHA to figure out the change list.
- if: github.event_name == 'workflow_dispatch'
name: Use the user-provided SHA as the basis for comparison
env:
GH_TOKEN: ${{github.token}}
run: |
set -x +e
url="repos/${{github.repository}}/commits/${{inputs.sha}}"
if full_sha="$(gh api $url -q '.sha')"; then
echo "base=$full_sha" >> "$GITHUB_ENV"
else
{
echo "### :x: Workflow error"
echo "The SHA provided to _Run Workflow_ does not exist:"
echo "<code>${{inputs.sha}}</code>"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
- if: github.event_name != 'workflow_dispatch'
name: Use ref ${{github.ref_name}} as the basis for comparison
run: |
echo base=${{github.ref_name}} >> "$GITHUB_ENV"
- name: Check out a copy of the OpenFermion git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Determine files changed by this ${{github.event_name}} event
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
id: filter
with:
base: ${{env.base}}
list-files: 'shell'
# The outputs will be variables named "foo_files" for a filter "foo".
filters: |
ci:
- './.github/workflows/**'
- './.github/problem-matchers/**'
- './check/**'
- './dev_tools/**'
cff:
- added|modified:
- '**/CITATION.cff'
python:
- '**/*.py'
gha:
- added|modified:
- './.github/workflows/*.yaml'
- './.github/workflows/*.yml'
yaml:
- added|modified:
- '**/*.yaml'
- '**/*.yml'
json:
- added|modified:
- '**/*.json'
docker:
- '**/dockerfile'
- '**/Dockerfile'
requirements:
- 'dev_tools/requirements/deps/*.txt'
- 'docs/**/*-requirements.txt'
- 'docs/**/requirements.txt'
shell:
- '**/*.sh'
- 'check/*'
setup:
if: needs.changes.outputs.python == 'true'
name: (Set up Python)
needs: changes
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Set up Python with caching of pip dependencies
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{inputs.python_ver || env.python_ver}}
architecture: 'x64'
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Install Python requirements
run: |
set -x
for file in ${{env.python_dep_files}}; do
pip install -r $file
done
set +x
echo "::group::List of installed pip packages and their versions"
pip list
echo "::endgroup::"
python-format:
if: needs.changes.outputs.python == 'true'
name: Python format checks
needs: [changes, setup]
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
fetch-depth: 0
- name: Set up Python and restore cache
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{inputs.python_ver || env.python_ver}}
architecture: 'x64'
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Install requirements
run: pip install -r dev_tools/requirements/envs/format.env.txt
- name: Set up problem matcher for Black output
run: echo '::add-matcher::.github/problem-matchers/black.json'
- name: Run format checks
run: check/format-incremental
python-mypy:
if: needs.changes.outputs.python == 'true'
name: Python type checks
needs: [changes, setup]
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Set up Python and restore cache
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{inputs.python_ver || env.python_ver}}
architecture: 'x64'
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Install requirements
run: pip install -r dev_tools/requirements/envs/mypy.env.txt
- name: Set up Mypy output problem matcher
run: echo '::add-matcher::.github/problem-matchers/mypy.json'
- name: Type check
run: check/mypy
python-lint:
if: needs.changes.outputs.python == 'true'
name: Python lint checks
needs: [changes, setup]
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Set up Python and restore cache
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{inputs.python_ver || env.python_ver}}
architecture: 'x64'
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Install requirements
run: pip install -r dev_tools/requirements/envs/pylint.env.txt
- name: Set up Pylint output problem matcher
run: echo '::add-matcher::.github/problem-matchers/pylint.json'
- name: Run pylint
run: check/pylint
# The next set of matrix tests each consist of 2 job definitions. The job
# named "Thing-matrix" define a matrix of runs for different platforms. It's
# set with "fail-fast: false" so that a failure in one of matrix jobs doesn't
# cause this entire CI workflow to abort. Then, the job named "Thing" is the
# one that actually reports the results, and is the one used in the list of
# required status checks in the repository branch protection rules. It needs
# to be an independent job it has to test the results of all the matrix runs.
pytest-matrix:
if: needs.changes.outputs.python == 'true'
name: (Python pytest matrix)
needs: [changes, setup]
runs-on: ${{matrix.os}}
timeout-minutes: 15
strategy:
matrix:
os: [ ubuntu-24.04, macos-14, windows-2022 ]
cirq-version: [ 1.4.1 ]
fail-fast: false
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Set up Python and restore cache
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{inputs.python_ver || env.python_ver}}
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Install requirements
run: |
pip install -r dev_tools/requirements/envs/pytest.env.txt
pip install cirq-core==${{matrix.cirq-version}}
- name: Set up Pytest output problem matcher
run: echo '::add-matcher::.github/problem-matchers/pytest.json'
- name: Run pytest
run: check/pytest
pytest:
if: needs.changes.outputs.python == 'true' && (success() || failure())
name: Python pytest checks
needs: [changes, pytest-matrix]
runs-on: ubuntu-24.04
steps:
- run: |
result="${{needs.pytest-matrix.result}}"
if [[ $result == "success" || $result == "skipped" ]]; then
exit 0
else
exit 1
fi
pytest-extra-matrix:
if: needs.changes.outputs.python == 'true'
name: (Python extra pytest matrix)
needs: [changes, setup]
runs-on: ${{ matrix.os }}
timeout-minutes: 15
strategy:
matrix:
os: [ubuntu-24.04, macos-14]
cirq-version: [ 1.4.1 ]
fail-fast: false
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Set up Python and restore cache
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{inputs.python_ver || env.python_ver}}
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Install requirements
run: |
pip install -r dev_tools/requirements/envs/pytest-extra.env.txt
pip install cirq-core==${{matrix.cirq-version}}
- name: Set up Pytest output problem matcher
run: echo '::add-matcher::.github/problem-matchers/pytest.json'
- name: Run pytest
run: check/pytest -m "not slow" src/openfermion/resource_estimates
pytest-extra:
if: needs.changes.outputs.python == 'true' && (success() || failure())
name: Python extra pytest checks
needs: [changes, pytest-extra-matrix]
runs-on: ubuntu-24.04
steps:
- run: |
result="${{needs.pytest-extra-matrix.result}}"
if [[ $result == "success" || $result == "skipped" ]]; then
exit 0
else
exit 1
fi
python-compat:
if: needs.changes.outputs.python == 'true'
name: Python compatibility checks
needs: [changes, setup]
runs-on: ubuntu-22.04
timeout-minutes: 15
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
# Note: deliberately not using our Python cache here b/c this runs
# a different version of Python.
- name: Set up Python and restore cache
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{env.python_compat_ver}}
- name: Install requirements
run: pip install -r dev_tools/requirements/max_compat/pytest-max-compat.env.txt
- name: Set up Pytest output problem matcher
run: echo '::add-matcher::.github/problem-matchers/pytest.json'
- name: Run pytest
run: check/pytest
coverage:
if: needs.changes.outputs.python == 'true'
name: Python code coverage checks
needs: [changes, setup]
runs-on: ubuntu-24.04
timeout-minutes: 15
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
with:
fetch-depth: 0
- name: Set up Python and restore cache
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{inputs.python_ver || env.python_ver}}
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Install requirements
run: pip install -r dev_tools/requirements/envs/pytest.env.txt
- name: Set up Pytest output problem matcher
run: echo '::add-matcher::.github/problem-matchers/pytest.json'
- name: Run code coverage tests
run: check/pytest-and-incremental-coverage
yaml-lint:
if: needs.changes.outputs.yaml == 'true'
name: YAML lint checks
needs: changes
runs-on: ubuntu-24.04
timeout-minutes: 5
env:
changed_files: ${{needs.changes.outputs.yaml_files}}
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Set up yamllint output problem matcher
run: echo "::add-matcher::.github/problem-matchers/yamllint.json"
- name: Run yamllint
run: |
set -x
# shellcheck disable=SC2086
yamllint $changed_files
json-lint:
if: needs.changes.outputs.json == 'true'
name: JSON lint checks
needs: changes
runs-on: ubuntu-24.04
timeout-minutes: 5
env:
changed_files: ${{needs.changes.outputs.json_files}}
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Install jsonlint
run: npm install -g @prantlf/jsonlint
- name: Set up jsonlint output problem matcher
run: echo '::add-matcher::.github/problem-matchers/jsonlint.json'
- name: Run jsonlint on JSON files
run: jsonlint --continue ${{env.changed_files}}
cff-validation:
if: needs.changes.outputs.cff == 'true'
name: CITATION.cff checks
needs: changes
runs-on: ubuntu-24.04
timeout-minutes: 5
env:
changed_files: ${{needs.changes.outputs.cff_files}}
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Install cffconvert
run: pip install cffconvert
- name: Run cffconvert in validation mode
run: cffconvert --validate
docker-lint:
if: needs.changes.outputs.docker == 'true'
name: Dockerfile lint checks
needs: changes
# This uses a Mac runner because hadolint isn't available via Linux apt.
runs-on: macos-14
timeout-minutes: 5
env:
changed_files: ${{needs.changes.outputs.docker_files}}
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
# Note: there is a hadolint GitHub Actions available, but it only accepts
# one Dockerfile to check. We have > 1 file to check, so we need the CLI.
- name: Install hadolint
run: brew install hadolint
- name: Set up hadolint output problem matcher
run: echo '::add-matcher::.github/problem-matchers/hadolint.json'
- name: Run hadolint on Dockerfiles that have been changed
run: hadolint ${{env.changed_files}}
workflow-validation:
if: needs.changes.outputs.gha == 'true'
name: GitHub Actions workflow checks
needs: [changes, yaml-lint]
# This uses a Mac runner because actionlint isn't available via Linux apt.
runs-on: macos-14
timeout-minutes: 5
env:
changed_files: ${{needs.changes.outputs.gha_files}}
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
# The next action simply fails if there are any unpinned actions.
- name: Verify that all workflow actions have pinned versions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74
# If we didn't fail the previous check, go on to more time-consuming ones.
- name: Install actionlint
run: HOMEBREW_NO_AUTO_UPDATE=1 brew install actionlint
- name: Set up actionlint output problem matcher
run: echo "::add-matcher::.github/problem-matchers/actionlint.json"
- name: Verify that all GitHub Actions workflows are valid
run: /opt/homebrew/bin/actionlint -color
shell-script-lint:
if: needs.changes.outputs.shell == 'true'
name: Shell script checks
needs: changes
runs-on: ubuntu-24.04
timeout-minutes: 5
env:
changed_files: ${{needs.changes.outputs.shell_files}}
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Set up shellcheck output problem matcher
run: echo "::add-matcher::.github/problem-matchers/shellcheck.json"
- name: Run shellcheck on shell scripts that have been changed
run: shellcheck ${{env.changed_files}}
vulnerability-checks:
if: needs.changes.outputs.requirements == 'true'
name: Vulnerability checks
needs: changes
uses: ./.github/workflows/osv-scanner.yaml
permissions: write-all
with:
reason: CI
print-debugging-info:
if: failure()
name: Print debugging info upon job failure
runs-on: ubuntu-24.04
timeout-minutes: 5
steps:
- name: Check out a copy of the git repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
- name: Set up Python with caching of pip dependencies
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{inputs.python_ver || env.python_ver}}
architecture: 'x64'
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Print debugging info upon job failure
shell: bash
env:
GITHUB_CONTEXT: ${{toJson(github)}}
RUNNER_CONTEXT: ${{toJson(runner)}}
run: |
echo '::group:: Shell environment'
env
echo '::endgroup::'
echo '::group:: Installed Python packages'
pip list
echo '::endgroup::'
echo '::group:: GitHub context'
echo "The job_id is: $GITHUB_JOB"
echo "The id of this action is: $GITHUB_ACTION"
echo "The run id is: $GITHUB_RUN_ID"
echo "GitHub SHA: $GITHUB_SHA"
echo "$GITHUB_CONTEXT"
echo '::endgroup::'
echo '::group:: GitHub runner context'
echo "$RUNNER_CONTEXT"
echo '::endgroup::'
echo '::group:: Matrix context'