{"id":21029411,"url":"https://github.com/alexmalins/github-actions-cicd-example","last_synced_at":"2025-08-23T10:36:37.871Z","repository":{"id":46056526,"uuid":"427912822","full_name":"alexmalins/github-actions-cicd-example","owner":"alexmalins","description":"Example Python repo employing GitHub Actions for CI/CD","archived":false,"fork":false,"pushed_at":"2021-12-21T15:01:21.000Z","size":30,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-30T07:36:34.317Z","etag":null,"topics":["black","cicd","codecov","continuous-integration","coverage","documentation","github-actions","mypy","pylint","python","test-automation","unittest"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alexmalins.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-11-14T11:43:30.000Z","updated_at":"2025-04-08T04:24:47.000Z","dependencies_parsed_at":"2022-09-15T01:00:40.975Z","dependency_job_id":null,"html_url":"https://github.com/alexmalins/github-actions-cicd-example","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/alexmalins/github-actions-cicd-example","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexmalins%2Fgithub-actions-cicd-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexmalins%2Fgithub-actions-cicd-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexmalins%2Fgithub-actions-cicd-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexmalins%2Fgithub-actions-cicd-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alexmalins","download_url":"https://codeload.github.com/alexmalins/github-actions-cicd-example/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexmalins%2Fgithub-actions-cicd-example/sbom","scorecard":{"id":182120,"data":{"date":"2025-08-11","repo":{"name":"github.com/alexmalins/github-actions-cicd-example","commit":"a83bfc42aecce58a3cef54db2aad46c3f7532b19"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.5,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/28 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/1_tests.yml:1","Warn: no topLevel permission defined: .github/workflows/2_coverage.yml:1","Warn: no topLevel permission defined: .github/workflows/3_linting.yml:1","Warn: no topLevel permission defined: .github/workflows/4_docs_build.yml:1","Warn: no topLevel permission defined: .github/workflows/5_docs_deploy.yml:1","Warn: no topLevel permission defined: .github/workflows/6_pypi_release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/1_tests.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/1_tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/1_tests.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/1_tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/2_coverage.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/2_coverage.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/2_coverage.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/2_coverage.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/2_coverage.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/2_coverage.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/3_linting.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/3_linting.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/3_linting.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/3_linting.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/3_linting.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/3_linting.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/4_docs_build.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/4_docs_build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/4_docs_build.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/4_docs_build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/5_docs_deploy.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/5_docs_deploy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/5_docs_deploy.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/5_docs_deploy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/5_docs_deploy.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/5_docs_deploy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/6_pypi_release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/6_pypi_release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/6_pypi_release.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/alexmalins/github-actions-cicd-example/6_pypi_release.yml/main?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/1_tests.yml:35","Warn: pipCommand not pinned by hash: .github/workflows/1_tests.yml:36","Warn: pipCommand not pinned by hash: .github/workflows/1_tests.yml:37","Warn: pipCommand not pinned by hash: .github/workflows/2_coverage.yml:33","Warn: pipCommand not pinned by hash: .github/workflows/2_coverage.yml:34","Warn: pipCommand not pinned by hash: .github/workflows/2_coverage.yml:35","Warn: pipCommand not pinned by hash: .github/workflows/2_coverage.yml:36","Warn: pipCommand not pinned by hash: .github/workflows/3_linting.yml:33","Warn: pipCommand not pinned by hash: .github/workflows/3_linting.yml:34","Warn: pipCommand not pinned by hash: .github/workflows/3_linting.yml:35","Warn: pipCommand not pinned by hash: .github/workflows/4_docs_build.yml:33","Warn: pipCommand not pinned by hash: .github/workflows/4_docs_build.yml:34","Warn: pipCommand not pinned by hash: .github/workflows/4_docs_build.yml:35","Warn: pipCommand not pinned by hash: .github/workflows/5_docs_deploy.yml:41","Warn: pipCommand not pinned by hash: .github/workflows/5_docs_deploy.yml:42","Warn: pipCommand not pinned by hash: .github/workflows/5_docs_deploy.yml:43","Warn: pipCommand not pinned by hash: .github/workflows/6_pypi_release.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/6_pypi_release.yml:31","Info:   0 out of  13 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned","Info:   0 out of  18 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 0.0.1 not signed: https://api.github.com/repos/alexmalins/github-actions-cicd-example/releases/55101039","Warn: release artifact 0.0.1 does not have provenance: https://api.github.com/repos/alexmalins/github-actions-cicd-example/releases/55101039"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":2,"reason":"8 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2018-34 / GHSA-2fc2-6r4j-p65h","Warn: Project is vulnerable to: PYSEC-2021-856 / GHSA-5545-2q6w-2gh6","Warn: Project is vulnerable to: PYSEC-2019-108 / GHSA-9fq2-x9r6-wfmf","Warn: Project is vulnerable to: PYSEC-2018-33 / GHSA-cw6w-4rcx-xphc","Warn: Project is vulnerable to: PYSEC-2021-857 / GHSA-f7c7-j99h-c22f","Warn: Project is vulnerable to: GHSA-fpfv-jqm9-f5jm","Warn: Project is vulnerable to: PYSEC-2017-1 / GHSA-frgw-fgh6-9g52","Warn: Project is vulnerable to: PYSEC-2024-48 / GHSA-fj7x-q9j7-g6q6"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 3 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T19:03:16.659Z","repository_id":46056526,"created_at":"2025-08-16T19:03:16.659Z","updated_at":"2025-08-16T19:03:16.659Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271746660,"owners_count":24813575,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-23T02:00:09.327Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["black","cicd","codecov","continuous-integration","coverage","documentation","github-actions","mypy","pylint","python","test-automation","unittest"],"created_at":"2024-11-19T12:12:17.386Z","updated_at":"2025-08-23T10:36:37.853Z","avatar_url":"https://github.com/alexmalins.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![License: MIT](https://img.shields.io/badge/license-MIT-blue)](https://github.com/alexmalins/github-actions-cicd-example/blob/main/LICENSE)\r\n[![Tests](https://github.com/alexmalins/github-actions-cicd-example/actions/workflows/1_tests.yml/badge.svg)](https://github.com/alexmalins/github-actions-cicd-example/actions/workflows/1_tests.yml)\r\n[![codecov](https://codecov.io/gh/alexmalins/github-actions-cicd-example/branch/main/graph/badge.svg?token=EXFQHNBA9Z)](https://codecov.io/gh/alexmalins/github-actions-cicd-example)\r\n[![Code Style: Black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/alexmalins/github-actions-cicd-example/actions/workflows/3_linting.yml)\r\n[![Checked with mypy](https://img.shields.io/badge/mypy-checked-blue)](https://github.com/alexmalins/github-actions-cicd-example/actions/workflows/3_linting.yml)\r\n[![Latest Documentation](https://img.shields.io/badge/docs-latest-brightgreen)](https://alexmalins.github.io/github-actions-cicd-example)\r\n\r\n\r\n# Example repo: using GitHub Actions for CI/CD  for a Python project\r\n\r\nThis is a minimal repo demonstrating the use of GitHub Actions for Continuous\r\nIntegration (CI) \u0026 Continous Deployment (CD) for a Python project.\r\n\r\nThe GitHub Actions are:\r\n\r\n1. **Tests:** Automatically unit test code using `unittest` from Python's\r\nstandard library.\r\n2. **Code coverage:** Generate code coverage reports using\r\n[coverage.py](https://github.com/nedbat/coveragepy). The reports are\r\nautomatically uploaded to [codecov](https://about.codecov.io/). The\r\n@codecov-commenter bot adds a comment to PR on code coverage status.\r\n3.  **Lint and format code:** Lint using [pylint](https://www.pylint.org/). Check code formatting using\r\n[black](https://github.com/psf/black). Check type hints using\r\n[mypy](http://mypy-lang.org/).\r\n4. **Check docs build:** Check [Sphinx](https://www.sphinx-doc.org) docs build successfully.\r\n5. **Deploy docs to GitHub pages:** Automatically deploy docs to a\r\n[GitHub Pages repo](https://github.com/alexmalins/alexmalins.github.io)  upon\r\nmerges to `main` branch.\r\n6. **Upload release to PyPI:** Publish the latest version of the package on\r\n[PyPI](https://pypi.org/) when a new GitHub Release is created.\r\n\r\nEach of these actions is stored in a YAML file in the\r\n[.github/workflows](https://github.com/alexmalins/github-actions-cicd-example/tree/main/.github/workflows)\r\ndirectory. \r\n\r\n## File system structure\r\n\r\nTBA...\r\n\r\n## Push Token for Deploying Docs\r\n\r\nAction #5 requires setting up a Personal Access Token with full repo access via\r\nthe Developer Settings page. Store this token as an Actions secret under the\r\nname `PUSH_TOKEN` in the main repo (i.e. the repo where the docs source code is\r\nheld). See more [here](https://stackoverflow.com/questions/65997950/how-let-github-actions-workflow-push-generated-documentation-to-other-repository).\r\n\r\n## Useful resources on the topic\r\n\r\n- mCoding's [YouTube video](https://www.youtube.com/watch?v=DhUpxWjOhME) on\r\nusing GitHub actions for automated testing (see associated\r\n[code repo](https://github.com/mCodingLLC/SlapThatLikeButton-TestingStarterProject)).\r\n- Alex Damiani's YouTube videos on automated testing\r\n[[1](https://www.youtube.com/watch?v=oi94qEvi9Qo)],\r\n[[2](https://www.youtube.com/watch?v=rY-igT2N8zU)] \u0026\r\n[[3](https://www.youtube.com/watch?v=OOZtW3iF0is)] and associated code repos:\r\n[[1](https://github.com/alexanderdamiani/test_repo_pylinter_v1)]\r\n[[2](https://github.com/alexanderdamiani/test_repo_pylinter_v2)], \u0026\r\n[[3](https://github.com/alexanderdamiani/pytester_test_repo)].\r\n- [librosa](https://github.com/librosa/librosa) is a real-world example of\r\n`pyproject.toml`, `setup.cfg` \u0026 `setup.py` working together.\r\n- [Pharmpy](https://github.com/pharmpy/pharmpy) uses Actions for building docs\r\nthen deploying them to a separate GitHub Pages repo.\r\n- Vinod Kurup's\r\n[blog post](https://www.caktusgroup.com/blog/2021/02/11/automating-pypi-releases/)\r\non automating PyPI releases with GitHub Actions.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexmalins%2Fgithub-actions-cicd-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falexmalins%2Fgithub-actions-cicd-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexmalins%2Fgithub-actions-cicd-example/lists"}