spack/.github/workflows/audit.yaml

name: audit

on:
  workflow_call:
    inputs:
      with_coverage:
        required: true
        type: string
      python_version:
        required: true
        type: string

concurrency:
  group: audit-${{inputs.python_version}}-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
  cancel-in-progress: true

jobs:
  # Run audits on all the packages in the built-in repository
  package-audits:
    runs-on: ${{ matrix.operating_system }}
    strategy:
      matrix:
        operating_system: ["ubuntu-latest", "macos-latest"]
    steps:
    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
    - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d
      with:
        python-version: ${{inputs.python_version}}
    - name: Install Python packages
      run: |
        pip install --upgrade pip setuptools pytest coverage[toml]        
    - name: Package audits (with coverage)
      if: ${{ inputs.with_coverage == 'true' }}
      run: |
          . share/spack/setup-env.sh
          coverage run $(which spack) audit packages
          coverage run $(which spack) audit externals        
          coverage combine
          coverage xml          
    - name: Package audits (without coverage)
      if: ${{ inputs.with_coverage == 'false' }}
      run: |
          . share/spack/setup-env.sh
          $(which spack) audit packages
          $(which spack) audit externals          
    - uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed
      if: ${{ inputs.with_coverage == 'true' }}
      with:
        flags: unittests,audits
        token: ${{ secrets.CODECOV_TOKEN }}
        verbose: true