PrefectHQ/marvin

8 workflows · maturity 50% · 2 patterns · GitHub

Security 18.75/100

Practices

✓ Matrix · ✓ Permissions · ○ Security scan · ○ AI review · ○ Cache · ✓ Concurrency · ○ Reusable workflows

Detected patterns

Security dimensions (score out of 100)

permissions: 18.8
security scan: 0
supply chain: 0
secret handling: 0
harden runner: 0

Workflows (8)

deploy-cloudrun-revision-community (perms) .github/workflows/deploy-cloudrun-revision-community.yaml
Triggers
workflow_dispatch
Runs on
ubuntu-latest
Jobs
deploy_cloudrun_revision
Actions
google-github-actions/auth, google-github-actions/deploy-cloudrun
Raw YAML:
---
name: Deploy new revision of marvin community bot cloudrun service

on:
  workflow_dispatch: {}

# Do not grant jobs any permissions by default
permissions: {}

jobs:
  deploy_cloudrun_revision:
    name: Deploy revision with latest image
    runs-on: ubuntu-latest
    permissions:
      # required to read from the repo
      contents: read
      # required to obtain Google Cloud service account credentials
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Authenticate to google cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GHA_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: marvin-workflow-main@prefect-org-github-actions.iam.gserviceaccount.com

      - name: Deploy revision
        uses: google-github-actions/deploy-cloudrun@v2
        with:
          image: us-docker.pkg.dev/prefect-prd-external-tools/marvin/marvin-community-bot:latest
          project_id: prefect-prd-external-tools
          region: us-east1
          service: marvin-community-bot
deploy-cloudrun-revision-internal (perms) .github/workflows/deploy-cloudrun-revision-internal.yaml
Triggers
workflow_dispatch
Runs on
ubuntu-latest
Jobs
deploy_cloudrun_revision
Actions
google-github-actions/auth, google-github-actions/deploy-cloudrun
Raw YAML:
---
name: Deploy new revision of marvin internal bot cloudrun service

on:
  workflow_dispatch: {}

# Do not grant jobs any permissions by default
permissions: {}

jobs:
  deploy_cloudrun_revision:
    name: Deploy revision with latest image
    runs-on: ubuntu-latest
    permissions:
      # required to read from the repo
      contents: read
      # required to obtain Google Cloud service account credentials
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Authenticate to google cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GHA_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: marvin-workflow-main@prefect-org-github-actions.iam.gserviceaccount.com

      - name: Deploy revision
        uses: google-github-actions/deploy-cloudrun@v2
        with:
          image: us-docker.pkg.dev/prefect-prd-internal-tools/marvin/marvin-internal-bot:latest
          project_id: prefect-prd-internal-tools
          region: us-east1
          service: marvin-internal-bot
image-build-and-push-community (perms) .github/workflows/image-build-and-push-community.yaml
Triggers
push, workflow_dispatch
Runs on
ubuntu-latest
Jobs
build_push_image
Actions
google-github-actions/auth
Commands
  • gcloud auth configure-docker --quiet us-docker.pkg.dev
  • short_sha=$(git rev-parse --short=7 HEAD); echo "short_sha: ${short_sha}"; echo "SHORT_SHA=${short_sha}" >> $GITHUB_ENV
  • docker build -f examples/slackbot/Dockerfile.slackbot . --no-cache --tag us-docker.pkg.dev/prefect-prd-external-tools/marvin/marvin-community-bot:latest --tag us-docker.pkg.dev/prefect-prd-external-tools/marvin/marvin-community-bot:${SHORT_SHA}
  • docker push --all-tags us-docker.pkg.dev/prefect-prd-external-tools/marvin/marvin-community-bot
  • gh workflow run deploy-cloudrun-revision-community.yaml --ref main
Raw YAML:
---
name: Build and publish marvin community bot image

on:
  push:
    branches:
      - main
    paths:
      - .github/workflows/image-build-and-push-community.yaml
      - examples/slackbot/community_bot/**
      - src/marvin/api/slackbot/**

  workflow_dispatch: {}

# Limit concurrency by workflow/branch combination.
#
# For builds, pushing additional changes to the
# branch will cancel prior in-progress and pending builds.
#
# https://docs.github.com/en/actions/using-jobs/using-concurrency
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Do not grant jobs any permissions by default
permissions: {}

jobs:
  build_push_image:
    name: Build marvin community bot image
    runs-on: ubuntu-latest
    permissions:
      # required to initiate a downstream workflow (read needed for codeql scan)
      actions: write
      # required to read from the repo
      contents: read
      # required to obtain Google Cloud service account credentials
      id-token: write
      # required to upload CodeQL scan results to GitHub
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GHA_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: marvin-general-main@prefect-org-github-actions.iam.gserviceaccount.com

      - name: Configure Google Cloud credential helper
        run: gcloud auth configure-docker --quiet us-docker.pkg.dev

      - name: Get image version
        run: |
          short_sha=$(git rev-parse --short=7 HEAD)
          echo "short_sha: ${short_sha}"
          echo "SHORT_SHA=${short_sha}" >> $GITHUB_ENV

      - name: Build container image
        run: |
          # Tag the image both as :latest and by the commit's short SHA so a
          # specific build can be identified and deployed later.
          docker build -f examples/slackbot/Dockerfile.slackbot . \
            --no-cache \
            --tag us-docker.pkg.dev/prefect-prd-external-tools/marvin/marvin-community-bot:latest \
            --tag us-docker.pkg.dev/prefect-prd-external-tools/marvin/marvin-community-bot:${SHORT_SHA}

      - name: Push image to prefect-prd-external-tools
        run: docker push --all-tags us-docker.pkg.dev/prefect-prd-external-tools/marvin/marvin-community-bot

      - name: Trigger cloudrun revision deploy workflow
        run: |
          gh workflow run deploy-cloudrun-revision-community.yaml \
            --ref main
        env:
          GITHUB_TOKEN: ${{ github.token }}
image-build-and-push-internal (perms) .github/workflows/image-build-and-push-internal.yaml
Triggers
push, schedule, workflow_dispatch
Runs on
ubuntu-latest
Jobs
build_push_image
Actions
google-github-actions/auth
Commands
  • gcloud auth configure-docker --quiet us-docker.pkg.dev
  • short_sha=$(git rev-parse --short=7 HEAD); echo "short_sha: ${short_sha}"; echo "SHORT_SHA=${short_sha}" >> $GITHUB_ENV
  • docker build -f examples/slackbot/Dockerfile.slackbot . --no-cache --tag us-docker.pkg.dev/prefect-prd-internal-tools/marvin/marvin-internal-bot:latest --tag us-docker.pkg.dev/prefect-prd-internal-tools/marvin/marvin-internal-bot:${SHORT_SHA}
  • docker push --all-tags us-docker.pkg.dev/prefect-prd-internal-tools/marvin/marvin-internal-bot
  • gh workflow run deploy-cloudrun-revision-internal.yaml --ref main
Raw YAML:
---
name: Build and publish marvin internal bot image

on:
  push:
    branches:
      - main
    paths:
      - .github/workflows/image-build-and-push-internal.yaml
      - examples/slackbot/**
  schedule:
    #  Schedule to run at 7:30PM every Sunday
    #        ┌───────────── minute (0 - 59)
    #        │  ┌───────────── hour (0 - 23)
    #        │  │  ┌───────────── day of the month (1 - 31)
    #        │  │  │ ┌───────────── month (1 - 12 or JAN-DEC)
    #        │  │  │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
    #        │  │  │ │ │
    #        │  │  │ │ │
    #        │  │  │ │ │
    - cron: 30 19 * * 0
  workflow_dispatch: {}

# Limit concurrency by workflow/branch combination.
#
# For builds, pushing additional changes to the
# branch will cancel prior in-progress and pending builds.
#
# https://docs.github.com/en/actions/using-jobs/using-concurrency
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Do not grant jobs any permissions by default
permissions: {}

jobs:
  build_push_image:
    name: Build marvin internal bot image
    runs-on: ubuntu-latest
    permissions:
      # required to initiate a downstream workflow (read needed for codeql scan)
      actions: write
      # required to read from the repo
      contents: read
      # required to obtain Google Cloud service account credentials
      id-token: write
      # required to upload CodeQL scan results to GitHub
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GHA_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: marvin-general-main@prefect-org-github-actions.iam.gserviceaccount.com

      - name: Configure Google Cloud credential helper
        run: gcloud auth configure-docker --quiet us-docker.pkg.dev

      - name: Get image version
        run: |
          short_sha=$(git rev-parse --short=7 HEAD)
          echo "short_sha: ${short_sha}"
          echo "SHORT_SHA=${short_sha}" >> $GITHUB_ENV

      - name: Build container image
        run: |
          # Tag the image both as :latest and by the commit's short SHA so a
          # specific build can be identified and deployed later.
          docker build -f examples/slackbot/Dockerfile.slackbot . \
            --no-cache \
            --tag us-docker.pkg.dev/prefect-prd-internal-tools/marvin/marvin-internal-bot:latest \
            --tag us-docker.pkg.dev/prefect-prd-internal-tools/marvin/marvin-internal-bot:${SHORT_SHA}

      - name: Push image to prefect-prd-internal-tools
        run: docker push --all-tags us-docker.pkg.dev/prefect-prd-internal-tools/marvin/marvin-internal-bot

      - name: Trigger cloudrun revision deploy workflow
        run: |
          gh workflow run deploy-cloudrun-revision-internal.yaml \
            --ref main
        env:
          GITHUB_TOKEN: ${{ github.token }}
labeler .github/workflows/labeler.yml
Triggers
pull_request_target
Runs on
ubuntu-latest
Jobs
labeler
Actions
actions/labeler
Raw YAML:
name: "Pull Request Labeler"
on:
  - pull_request_target

jobs:
  labeler:
    # pull_request_target runs in the base repository's context with a token
    # that can write to pull requests. This job never checks out the PR's code,
    # so only the labeler action itself runs with that token.
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
publish .github/workflows/publish.yml
Triggers
release, workflow_dispatch
Runs on
ubuntu-latest
Jobs
pypi-publish
Actions
astral-sh/setup-uv
Commands
  • uv build
  • uv publish -v dist/*
Raw YAML:
name: Publish marvin to PyPI
on:
  release:
    types: [published]
  workflow_dispatch:

jobs:
  pypi-publish:
    name: Upload to PyPI
    runs-on: ubuntu-latest
    permissions:
      id-token: write # For PyPI's trusted publishing
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: "Install uv"
        uses: astral-sh/setup-uv@v3

      - name: Build
        run: uv build

      - name: Publish to PyPi
        run: uv publish -v dist/*
run-tests (matrix, perms) .github/workflows/run-tests.yml
Triggers
push, pull_request, workflow_dispatch
Runs on
${{ matrix.os }}
Jobs
run_tests
Matrix
os: ubuntu-latest; python-version: 3.11
Actions
astral-sh/setup-uv
Commands
  • uv sync
  • uv run --frozen pytest -v -n auto
Raw YAML:
name: Run tests

on:
  push:
    branches: ["main"]
    paths:
      - "src/**/*.py"
      - "tests/**/*.py"
      - "pyproject.toml"
      - "uv.lock"

  pull_request:
    paths:
      - "src/**/*.py"
      - "tests/**/*.py"
      - "pyproject.toml"
      - "uv.lock"

  workflow_dispatch:

permissions:
  contents: read

jobs:
  run_tests:
    # Skip the entire job for fork PRs
    if: ${{ !(github.event.pull_request.head.repo.fork) }}
    name: Python ${{ matrix.python-version }} on ${{ matrix.os }}
    timeout-minutes: 10
    strategy:
      matrix:
        # os: [ubuntu-latest, macos-latest, windows-latest]
        os: [ubuntu-latest]
        python-version: ["3.11"]

    runs-on: ${{ matrix.os }}

    env:
      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

    steps:
      - uses: actions/checkout@v4

      - name: Install uv and set the python version
        uses: astral-sh/setup-uv@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install Marvin
        run: uv sync

      - name: Run tests
        run: uv run --frozen pytest -v -n auto
static-analysis (perms) .github/workflows/static-analysis.yml
Triggers
push, pull_request, workflow_dispatch
Runs on
ubuntu-latest
Jobs
static_analysis
Actions
astral-sh/setup-uv
Commands
  • uv run pre-commit run --all-files
Raw YAML:
name: Run static analysis

on:
  push:
    branches: ["main"]
  pull_request:
  workflow_dispatch:

permissions:
  contents: read

jobs:
  static_analysis:
    timeout-minutes: 1

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - name: Install uv and set the python version
        uses: astral-sh/setup-uv@v5
        with:
          python-version: 3.11
      - name: Run pre-commit
        run: uv run pre-commit run --all-files