From 768c40c3e8c13217558d280cdfc82dfa74431841 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 Jul 2026 12:44:15 +0000 Subject: [PATCH 1/3] chore(deps-dev): bump frequenz-repo-config Bumps the repo-config group with 1 update in the / directory: [frequenz-repo-config](https://github.com/frequenz-floss/frequenz-repo-config-python). Updates `frequenz-repo-config` from 0.16.0 to 0.18.0 - [Release notes](https://github.com/frequenz-floss/frequenz-repo-config-python/releases) - [Changelog](https://github.com/frequenz-floss/frequenz-repo-config-python/blob/v0.x.x/RELEASE_NOTES.md) - [Commits](https://github.com/frequenz-floss/frequenz-repo-config-python/compare/v0.16.0...v0.18.0) --- updated-dependencies: - dependency-name: frequenz-repo-config dependency-version: 0.17.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: repo-config ... Signed-off-by: dependabot[bot] --- pyproject.toml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 83a428b..3247298 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ requires = [ "setuptools == 82.0.1", "setuptools_scm[toml] == 10.2.0", - "frequenz-repo-config[lib] == 0.16.0", + "frequenz-repo-config[lib] == 0.18.0", ] build-backend = "setuptools.build_meta" @@ -73,7 +73,7 @@ dev-mkdocs = [ "mkdocs-material == 9.7.6", "mkdocstrings[python] == 1.0.4", "mkdocstrings-python == 2.0.5", - "frequenz-repo-config[lib] == 0.16.0", + "frequenz-repo-config[lib] == 0.18.0", ] dev-mypy = [ "mypy == 2.1.0", @@ -83,7 +83,7 @@ dev-mypy = [ # For checking the noxfile, docs/ script, and tests "frequenz-client-assets[dev-mkdocs,dev-noxfile,dev-pytest,cli]", ] -dev-noxfile = ["nox == 2026.4.10", "frequenz-repo-config[lib] == 0.16.0"] +dev-noxfile = ["nox == 2026.4.10", "frequenz-repo-config[lib] == 0.18.0"] dev-pylint = [ # dev-pytest already defines a dependency to pylint because of the examples # For checking the noxfile, docs/ script, and tests @@ -92,7 +92,7 @@ dev-pylint = [ dev-pytest = [ "pytest == 9.1.1", "pylint == 4.0.6", # We need this to check for the examples - "frequenz-repo-config[extra-lint-examples] == 0.16.0", + "frequenz-repo-config[extra-lint-examples] == 0.18.0", "pytest-mock == 3.15.1", "pytest-asyncio == 1.4.0", "async-solipsism == 0.9", From b98b7fbeb546e87415aa8f0d40349c97038e2120 Mon Sep 17 00:00:00 2001 From: "frequenz-auto-dependabot[bot]" <261417025+frequenz-auto-dependabot[bot]@users.noreply.github.com> Date: Fri, 17 Jul 2026 12:44:57 +0000 Subject: [PATCH 2/3] Apply migration from 0.16.0 to 0.17.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit === v0.17.0 ========================================================= Script URL: https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config-python/v0.17.0/cookiecutter/migrate.py ======================================================================== Updating generated CI workflows... Updated .github/workflows/ci-pr.yaml: updated CI pull-request workflow Updated .github/workflows/ci.yaml: updated main CI workflow ======================================================================== Fixing missed CI platform matrix migrations... Skipped .github/workflows/ci.yaml: platform matrix migration already fixed ======================================================================== Updating generated Dependabot workflows... Updated .github/workflows/auto-dependabot.yaml: updated Dependabot auto-merge workflow Updated .github/workflows/repo-config-migration.yaml: updated repo-config migration workflow ======================================================================== Creating black migration workflow... Created .github/workflows/black-migration.yaml: black formatting migration workflow ======================================================================== Updating auxiliary GitHub workflows... Updated .github/workflows/dco-merge-queue.yml: updated DCO merge queue workflow Updated .github/workflows/labeler.yml: updated labeler workflow Updated .github/workflows/release-notes-check.yml: updated release notes check workflow ======================================================================== ✅ Migration script finished successfully ✅ The migration completed successfully. Applied-by: frequenz-floss/gh-action-dependabot-migrate --- .github/workflows/auto-dependabot.yaml | 11 ++- .github/workflows/black-migration.yaml | 88 ++++++++++++++++++++ .github/workflows/ci-pr.yaml | 21 +++-- .github/workflows/ci.yaml | 84 ++++++++++++------- .github/workflows/dco-merge-queue.yml | 3 + .github/workflows/labeler.yml | 2 + .github/workflows/release-notes-check.yml | 3 + .github/workflows/repo-config-migration.yaml | 11 +++ 8 files changed, 183 insertions(+), 40 deletions(-) create mode 100644 .github/workflows/black-migration.yaml diff --git a/.github/workflows/auto-dependabot.yaml b/.github/workflows/auto-dependabot.yaml index 3f5af11..572bd44 100644 --- a/.github/workflows/auto-dependabot.yaml +++ b/.github/workflows/auto-dependabot.yaml @@ -12,7 +12,9 @@ on: pull_request_target: permissions: + # Read repository contents and Dependabot metadata used by the nested action. contents: read + # The nested action also uses `github.token` internally for PR operations. pull-requests: write jobs: @@ -20,7 +22,8 @@ jobs: name: Auto-merge Dependabot PR if: > github.actor == 'dependabot[bot]' && - !contains(github.event.pull_request.title, 'the repo-config group') + !contains(github.event.pull_request.title, 'the repo-config group') && + !contains(github.event.pull_request.title, 'Bump black from ') runs-on: ubuntu-slim steps: - name: Generate GitHub App token @@ -29,6 +32,12 @@ jobs: with: app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} + # Merge Dependabot PRs. + permission-contents: write + # Create the auto-merged label if it does not exist. + permission-issues: write + # Approve PRs, add labels, and enable auto-merge. + permission-pull-requests: write - name: Auto-merge Dependabot PR uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165 # v1.5.0 diff --git a/.github/workflows/black-migration.yaml b/.github/workflows/black-migration.yaml new file mode 100644 index 0000000..1969c46 --- /dev/null +++ b/.github/workflows/black-migration.yaml @@ -0,0 +1,88 @@ +# Automatic black formatting migration for Dependabot PRs +# +# When Dependabot upgrades black, this workflow installs the new version +# and runs `black .` so the PR already contains any formatting changes +# introduced by the upgrade, while leaving the PR open for review. +# +# Black uses calendar versioning. Only the first release of a new calendar +# year may introduce formatting changes (major bump in Dependabot's terms). +# Minor and patch updates within a year keep formatting stable, so they stay +# in the regular Dependabot groups and are auto-merged normally. +# +# The companion auto-dependabot workflow skips major black PRs so they're +# handled exclusively by this migration workflow. +# +# XXX: !!! SECURITY WARNING !!! +# pull_request_target has write access to the repo, and can read secrets. +# This is required because Dependabot PRs are treated as fork PRs: the +# GITHUB_TOKEN is read-only and secrets are unavailable with a plain +# pull_request trigger. The action mitigates the risk by: +# - Never executing code from the PR (the migration script is embedded +# in this workflow file on the base branch, not taken from the PR). +# - Gating migration steps on github.actor == 'dependabot[bot]'. +# - Running checkout with persist-credentials: false and isolating +# push credentials from the migration script environment. +# For more details read: +# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + +name: Black Migration + +on: + merge_group: # To allow using this as a required check for merging + pull_request_target: + types: [opened, synchronize, reopened, labeled, unlabeled] + +permissions: + # Commit reformatted files back to the PR branch. + contents: write + # Create and normalize migration state labels. + issues: write + # Read/update pull request metadata and comments. + pull-requests: write + +jobs: + black-migration: + name: Migrate Black + # Skip if it was triggered by the merge queue. We only need the workflow to + # be executed to meet the "Required check" condition for merging, but we + # don't need to actually run the job, having the job present as Skipped is + # enough. + if: | + github.event_name == 'pull_request_target' && + github.actor == 'dependabot[bot]' && + contains(github.event.pull_request.title, 'Bump black from ') + runs-on: ubuntu-24.04 + steps: + - name: Generate token + id: create-app-token + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 + with: + app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} + private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} + # Push reformatted files to the PR branch. + permission-contents: write + # Create and normalize migration state labels. + permission-issues: write + # Read/update pull request metadata and labels. + permission-pull-requests: write + - name: Migrate + uses: frequenz-floss/gh-action-dependabot-migrate@b389f72f9282346920150a67495efbae450ac07b # v1.1.0 + with: + migration-script: | + import os + import subprocess + import sys + + version = os.environ["MIGRATION_VERSION"].lstrip("v") + subprocess.run( + [sys.executable, "-Im", "pip", "install", f"black=={version}"], + check=True, + ) + subprocess.run([sys.executable, "-Im", "black", "."], check=True) + token: ${{ steps.create-app-token.outputs.token }} + auto-merge-on-changes: "false" + sign-commits: "true" + auto-merged-label: "tool:auto-merged" + migrated-label: "tool:black:migration:executed" + intervention-pending-label: "tool:black:migration:intervention-pending" + intervention-done-label: "tool:black:migration:intervention-done" diff --git a/.github/workflows/ci-pr.yaml b/.github/workflows/ci-pr.yaml index 27c9b64..015d585 100644 --- a/.github/workflows/ci-pr.yaml +++ b/.github/workflows/ci-pr.yaml @@ -3,6 +3,10 @@ name: Test PR on: pull_request: +permissions: + # Read repository contents for checkout and dependency resolution only. + contents: read + env: # Please make sure this version is included in the `matrix`, as the # `matrix` section can't use `env`, so it must be entered manually @@ -17,7 +21,7 @@ jobs: steps: - name: Run nox - uses: frequenz-floss/gh-action-nox@v1.1.2 + uses: frequenz-floss/gh-action-nox@e1351cf45e05e85afc1c79ab883e06322892d34c # v1.1.0 with: python-version: "3.11" nox-session: ci_checks_max @@ -27,15 +31,15 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@v1.0.0 + uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 - name: Fetch sources - uses: actions/checkout@v7 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: true - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@v1.0.6 + uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} dependencies: .[dev-mkdocs] @@ -44,11 +48,14 @@ jobs: env: MIKE_VERSION: gh-${{ github.job }} run: | - mike deploy $MIKE_VERSION - mike set-default $MIKE_VERSION + # mike is installed as a console script, not a runnable module. + # Run the installed script under isolated mode to avoid importing from + # the workspace when building docs from checked-out code. + python -I "$(command -v mike)" deploy "$MIKE_VERSION" + python -I "$(command -v mike)" set-default "$MIKE_VERSION" - name: Upload site - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: docs-site path: site/ diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a3a86e7..c3b4cfb 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -15,6 +15,10 @@ on: - 'dependabot/**' workflow_dispatch: +permissions: + # Read repository contents for checkout and dependency resolution only. + contents: read + env: # Please make sure this version is included in the `matrix`, as the # `matrix` section can't use `env`, so it must be entered manually @@ -43,7 +47,7 @@ jobs: steps: - name: Run nox - uses: frequenz-floss/gh-action-nox@v1.1.2 + uses: frequenz-floss/gh-action-nox@e1351cf45e05e85afc1c79ab883e06322892d34c # v1.1.0 with: python-version: ${{ matrix.python }} nox-session: ${{ matrix.nox-session }} @@ -59,6 +63,8 @@ jobs: # We skip this job only if nox was also skipped if: always() && needs.nox.result != 'skipped' runs-on: ubuntu-slim + # Drop token permissions: this job only checks matrix status from `needs`. + permissions: {} env: DEPS_RESULT: ${{ needs.nox.result }} steps: @@ -74,24 +80,24 @@ jobs: steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@v1.0.0 + uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 - name: Fetch sources - uses: actions/checkout@v7 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: true - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@v1.0.6 + uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} dependencies: build - name: Build the source and binary distribution - run: python -m build + run: python -Im build - name: Upload distribution files - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: dist-packages path: dist/ @@ -113,13 +119,13 @@ jobs: steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@v1.0.0 + uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 - name: Print environment (debug) run: env - name: Download package - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: dist-packages path: dist @@ -139,13 +145,13 @@ jobs: > pyproject.toml - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@v1.0.6 + uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 with: python-version: ${{ matrix.python }} dependencies: dist/*.whl - name: Print installed packages (debug) - run: python -m pip freeze + run: python -Im pip freeze # This job runs if all the `test-installation` matrix jobs ran and succeeded. # It is only used to have a single job that we can require in branch @@ -158,6 +164,8 @@ jobs: # We skip this job only if test-installation was also skipped if: always() && needs.test-installation.result != 'skipped' runs-on: ubuntu-slim + # Drop token permissions: this job only checks matrix status from `needs`. + permissions: {} env: DEPS_RESULT: ${{ needs.test-installation.result }} steps: @@ -170,15 +178,15 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@v1.0.0 + uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 - name: Fetch sources - uses: actions/checkout@v7 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: true - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@v1.0.6 + uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} dependencies: .[dev-mkdocs] @@ -187,11 +195,14 @@ jobs: env: MIKE_VERSION: gh-${{ github.job }} run: | - mike deploy $MIKE_VERSION - mike set-default $MIKE_VERSION + # mike is installed as a console script, not a runnable module. + # Run the installed script under isolated mode to avoid importing from + # the workspace when building docs from checked-out code. + python -I "$(command -v mike)" deploy "$MIKE_VERSION" + python -I "$(command -v mike)" set-default "$MIKE_VERSION" - name: Upload site - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: docs-site path: site/ @@ -203,18 +214,19 @@ jobs: if: github.event_name == 'push' runs-on: ubuntu-24.04 permissions: + # Push generated documentation updates to the `gh-pages` branch. contents: write steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@v1.0.0 + uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 - name: Fetch sources - uses: actions/checkout@v7 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: true - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@v1.0.6 + uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} dependencies: .[dev-mkdocs] @@ -227,7 +239,7 @@ jobs: GIT_REF: ${{ github.ref }} GIT_SHA: ${{ github.sha }} run: | - python -m frequenz.repo.config.cli.version.mike.info + python -Im frequenz.repo.config.cli.version.mike.info - name: Fetch the gh-pages branch if: steps.mike-version.outputs.version @@ -248,13 +260,23 @@ jobs: GIT_REF: ${{ github.ref }} GIT_SHA: ${{ github.sha }} run: | - mike deploy --update-aliases --title "$TITLE" "$VERSION" $ALIASES + # Collect aliases into an array to avoid accidental (or malicious) + # shell injection when passing them to mike. + aliases=() + if test -n "$ALIASES"; then + read -r -a aliases <<<"$ALIASES" + fi + # mike is installed as a console script, not a runnable module. + # Run the installed script under isolated mode to avoid importing from + # the workspace when building docs from checked-out code. + python -I "$(command -v mike)" \ + deploy --update-aliases --title "$TITLE" "$VERSION" "${aliases[@]}" - name: Sort site versions if: steps.mike-version.outputs.version run: | git checkout gh-pages - python -m frequenz.repo.config.cli.version.mike.sort versions.json + python -Im frequenz.repo.config.cli.version.mike.sort versions.json git commit -a -m "Sort versions.json" - name: Publish site @@ -268,14 +290,12 @@ jobs: # Create a release only on tags creation if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') permissions: - # We need write permissions on contents to create GitHub releases and on - # discussions to create the release announcement in the discussion forums + # Create GitHub releases and upload distribution artifacts. contents: write - discussions: write runs-on: ubuntu-slim steps: - name: Download distribution files - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: dist-packages path: dist @@ -297,14 +317,14 @@ jobs: - name: Create GitHub release run: | set -ux - extra_opts= - if echo "$REF_NAME" | grep -- -; then extra_opts=" --prerelease"; fi + extra_opts=() + if echo "$REF_NAME" | grep -- -; then extra_opts+=(--prerelease); fi gh release create \ -R "$REPOSITORY" \ --notes-file RELEASE_NOTES.md \ --generate-notes \ - $extra_opts \ - $REF_NAME \ + "${extra_opts[@]}" \ + "$REF_NAME" \ dist/* env: REF_NAME: ${{ github.ref_name }} @@ -321,10 +341,10 @@ jobs: id-token: write steps: - name: Download distribution files - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: dist-packages path: dist - name: Publish the Python distribution to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 diff --git a/.github/workflows/dco-merge-queue.yml b/.github/workflows/dco-merge-queue.yml index d9597ad..7a4260d 100644 --- a/.github/workflows/dco-merge-queue.yml +++ b/.github/workflows/dco-merge-queue.yml @@ -3,6 +3,9 @@ name: DCO on: merge_group: +# Drop all token permissions: this workflow only runs a local echo command. +permissions: {} + jobs: DCO: runs-on: ubuntu-slim diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 67b04db..b496ee7 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -5,7 +5,9 @@ on: [pull_request_target] jobs: Label: permissions: + # Read the labeler configuration from the repository. contents: read + # Add labels to pull requests. pull-requests: write runs-on: ubuntu-slim steps: diff --git a/.github/workflows/release-notes-check.yml b/.github/workflows/release-notes-check.yml index ab3017f..5c8243b 100644 --- a/.github/workflows/release-notes-check.yml +++ b/.github/workflows/release-notes-check.yml @@ -17,6 +17,9 @@ jobs: check-release-notes: name: Check release notes are updated runs-on: ubuntu-slim + permissions: + # Read pull request metadata to evaluate labels and changed files. + pull-requests: read steps: - name: Check for a release notes update if: github.event_name == 'pull_request' diff --git a/.github/workflows/repo-config-migration.yaml b/.github/workflows/repo-config-migration.yaml index 7a88ede..4710630 100644 --- a/.github/workflows/repo-config-migration.yaml +++ b/.github/workflows/repo-config-migration.yaml @@ -24,8 +24,11 @@ on: types: [opened, synchronize, reopened, labeled, unlabeled] permissions: + # Commit migration changes back to the PR branch. contents: write + # Create and normalize migration state labels. issues: write + # Read/update pull request metadata and comments. pull-requests: write jobs: @@ -46,6 +49,14 @@ jobs: with: app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} + # Push migration commits to the PR branch. + permission-contents: write + # Manage labels when auto-merging patch-only updates. + permission-issues: write + # Approve pull requests and enable auto-merge. + permission-pull-requests: write + # Allow pushes when migration changes workflow files. + permission-workflows: write - name: Migrate uses: frequenz-floss/gh-action-dependabot-migrate@e93e3b50930132717c9aabdd09413a6737d4b7ef # v1.3.0 with: From 647d2ef7e0301588678e6e8b7d130e52040ef037 Mon Sep 17 00:00:00 2001 From: Leandro Lucarella Date: Fri, 17 Jul 2026 14:54:56 +0200 Subject: [PATCH 3/3] Apply repo-config migration from v0.17 to v0.18 Signed-off-by: Leandro Lucarella --- .cookiecutter-replay.json | 5 +++ .../arm64-ubuntu-20.04-python-3.11.Dockerfile | 33 ------------------- .../containers/nox-cross-arch/entrypoint.bash | 9 ----- .../containers/test-installation/Dockerfile | 20 ----------- .github/dependabot.yml | 2 ++ .github/workflows/auto-dependabot.yaml | 3 +- .github/workflows/black-migration.yaml | 3 +- .github/workflows/ci-pr.yaml | 4 +-- .github/workflows/ci.yaml | 16 ++++----- .github/workflows/repo-config-migration.yaml | 4 ++- CONTRIBUTING.md | 33 ++----------------- 11 files changed, 27 insertions(+), 105 deletions(-) delete mode 100644 .github/containers/nox-cross-arch/arm64-ubuntu-20.04-python-3.11.Dockerfile delete mode 100755 .github/containers/nox-cross-arch/entrypoint.bash delete mode 100644 .github/containers/test-installation/Dockerfile diff --git a/.cookiecutter-replay.json b/.cookiecutter-replay.json index 2eb0b97..2976f05 100644 --- a/.cookiecutter-replay.json +++ b/.cookiecutter-replay.json @@ -8,6 +8,7 @@ "keywords": "client-assets, client, assets, api", "github_org": "frequenz-floss", "license": "MIT", + "private_repo": "no", "author_name": "Frequenz Energy-as-a-Service GmbH", "author_email": "floss@frequenz.com", "python_package": "frequenz.client.assets", @@ -34,6 +35,10 @@ "MIT", "Proprietary" ], + "private_repo": [ + "{{ 'yes' if cookiecutter.license == 'Proprietary' else 'no' }}", + "{{ 'no' if cookiecutter.license == 'Proprietary' else 'yes' }}" + ], "author_name": "Frequenz Energy-as-a-Service GmbH", "author_email": "floss@frequenz.com", "python_package": "{{cookiecutter | python_package}}", diff --git a/.github/containers/nox-cross-arch/arm64-ubuntu-20.04-python-3.11.Dockerfile b/.github/containers/nox-cross-arch/arm64-ubuntu-20.04-python-3.11.Dockerfile deleted file mode 100644 index 8e3b1e1..0000000 --- a/.github/containers/nox-cross-arch/arm64-ubuntu-20.04-python-3.11.Dockerfile +++ /dev/null @@ -1,33 +0,0 @@ -# License: MIT -# Copyright © 2025 Frequenz Energy-as-a-Service GmbH -# This Dockerfile is used to run the tests in arm64, which is not supported by -# GitHub Actions at the moment. - -FROM docker.io/library/ubuntu:20.04 - -ENV DEBIAN_FRONTEND=noninteractive - -# Install Python 3.11 and curl to install pip later -RUN apt-get update -y && \ - apt-get install --no-install-recommends -y \ - software-properties-common && \ - add-apt-repository ppa:deadsnakes/ppa && \ - apt-get install --no-install-recommends -y \ - ca-certificates \ - curl \ - git \ - python3.11 \ - python3.11-distutils && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* - -# Install pip -RUN curl -sS https://bootstrap.pypa.io/get-pip.py | python3.11 - -RUN update-alternatives --install \ - /usr/local/bin/python python /usr/bin/python3.11 1 && \ - python -m pip install --upgrade --no-cache-dir pip - -COPY entrypoint.bash /usr/bin/entrypoint.bash - -ENTRYPOINT ["/usr/bin/entrypoint.bash"] diff --git a/.github/containers/nox-cross-arch/entrypoint.bash b/.github/containers/nox-cross-arch/entrypoint.bash deleted file mode 100755 index 5e8d992..0000000 --- a/.github/containers/nox-cross-arch/entrypoint.bash +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash -# License: MIT -# Copyright © 2025 Frequenz Energy-as-a-Service GmbH -set -e - -echo "System details:" $(uname -a) -echo "Machine:" $(uname -m) - -exec "$@" diff --git a/.github/containers/test-installation/Dockerfile b/.github/containers/test-installation/Dockerfile deleted file mode 100644 index cc0a79c..0000000 --- a/.github/containers/test-installation/Dockerfile +++ /dev/null @@ -1,20 +0,0 @@ -# License: MIT -# Copyright © 2025 Frequenz Energy-as-a-Service GmbH -# This Dockerfile is used to test the installation of the python package in -# multiple platforms in the CI. It is not used to build the package itself. - -FROM python:3.11-slim - -RUN apt-get update -y && \ - apt-get install --no-install-recommends -y \ - git && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* && \ - python -m pip install --upgrade --no-cache-dir pip - -COPY dist dist -# This git-credentials file is made available by the GitHub ci.yaml workflow -COPY git-credentials /root/.git-credentials -RUN git config --global credential.helper store && \ - pip install dist/*.whl && \ - rm -rf dist /root/.git-credentials diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c341620..5a1dd5b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -29,6 +29,7 @@ updates: exclude-patterns: # pydoclint has shipped breaking changes in patch updates often - "pydoclint" + - "isort" minor: update-types: - "minor" @@ -46,6 +47,7 @@ updates: - "mkdocstrings[python]" - "pydoclint" - "pytest-asyncio" + - "isort" # We group repo-config updates as it uses optional dependencies that are # considered different dependencies otherwise, and will create one PR for # each if we don't group them. diff --git a/.github/workflows/auto-dependabot.yaml b/.github/workflows/auto-dependabot.yaml index 572bd44..3245e91 100644 --- a/.github/workflows/auto-dependabot.yaml +++ b/.github/workflows/auto-dependabot.yaml @@ -23,7 +23,8 @@ jobs: if: > github.actor == 'dependabot[bot]' && !contains(github.event.pull_request.title, 'the repo-config group') && - !contains(github.event.pull_request.title, 'Bump black from ') + !contains(github.event.pull_request.title, 'Bump black from ') && + !contains(github.event.pull_request.title, 'Bump isort from ') runs-on: ubuntu-slim steps: - name: Generate GitHub App token diff --git a/.github/workflows/black-migration.yaml b/.github/workflows/black-migration.yaml index 1969c46..0013d70 100644 --- a/.github/workflows/black-migration.yaml +++ b/.github/workflows/black-migration.yaml @@ -66,7 +66,7 @@ jobs: # Read/update pull request metadata and labels. permission-pull-requests: write - name: Migrate - uses: frequenz-floss/gh-action-dependabot-migrate@b389f72f9282346920150a67495efbae450ac07b # v1.1.0 + uses: frequenz-floss/gh-action-dependabot-migrate@27763fb5eb56476d91abe00132e8a0614171f92f # v1.2.0 with: migration-script: | import os @@ -81,6 +81,7 @@ jobs: subprocess.run([sys.executable, "-Im", "black", "."], check=True) token: ${{ steps.create-app-token.outputs.token }} auto-merge-on-changes: "false" + version-iteration: "false" sign-commits: "true" auto-merged-label: "tool:auto-merged" migrated-label: "tool:black:migration:executed" diff --git a/.github/workflows/ci-pr.yaml b/.github/workflows/ci-pr.yaml index 015d585..52aec33 100644 --- a/.github/workflows/ci-pr.yaml +++ b/.github/workflows/ci-pr.yaml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 + uses: frequenz-floss/gh-action-setup-git@f9d86a01228ee1cadaac5224d4d7626f1eb23f90 # v1.0.0 - name: Fetch sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -39,7 +39,7 @@ jobs: submodules: true - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 + uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} dependencies: .[dev-mkdocs] diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c3b4cfb..a2e5b95 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -80,7 +80,7 @@ jobs: steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 + uses: frequenz-floss/gh-action-setup-git@f9d86a01228ee1cadaac5224d4d7626f1eb23f90 # v1.0.0 - name: Fetch sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -88,7 +88,7 @@ jobs: submodules: true - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 + uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} dependencies: build @@ -119,7 +119,7 @@ jobs: steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 + uses: frequenz-floss/gh-action-setup-git@f9d86a01228ee1cadaac5224d4d7626f1eb23f90 # v1.0.0 - name: Print environment (debug) run: env @@ -145,7 +145,7 @@ jobs: > pyproject.toml - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 + uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2 with: python-version: ${{ matrix.python }} dependencies: dist/*.whl @@ -178,7 +178,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 + uses: frequenz-floss/gh-action-setup-git@f9d86a01228ee1cadaac5224d4d7626f1eb23f90 # v1.0.0 - name: Fetch sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -186,7 +186,7 @@ jobs: submodules: true - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 + uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} dependencies: .[dev-mkdocs] @@ -218,7 +218,7 @@ jobs: contents: write steps: - name: Setup Git - uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0 + uses: frequenz-floss/gh-action-setup-git@f9d86a01228ee1cadaac5224d4d7626f1eb23f90 # v1.0.0 - name: Fetch sources uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -226,7 +226,7 @@ jobs: submodules: true - name: Setup Python - uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 + uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2 with: python-version: ${{ env.DEFAULT_PYTHON_VERSION }} dependencies: .[dev-mkdocs] diff --git a/.github/workflows/repo-config-migration.yaml b/.github/workflows/repo-config-migration.yaml index 4710630..9608e91 100644 --- a/.github/workflows/repo-config-migration.yaml +++ b/.github/workflows/repo-config-migration.yaml @@ -58,12 +58,14 @@ jobs: # Allow pushes when migration changes workflow files. permission-workflows: write - name: Migrate - uses: frequenz-floss/gh-action-dependabot-migrate@e93e3b50930132717c9aabdd09413a6737d4b7ef # v1.3.0 + uses: frequenz-floss/gh-action-dependabot-migrate@27763fb5eb56476d91abe00132e8a0614171f92f # v1.2.0 with: script-url-template: >- https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config-python/{version}/cookiecutter/migrate.py token: ${{ steps.create-app-token.outputs.token }} migration-token: ${{ secrets.REPO_CONFIG_MIGRATION_TOKEN }} + version-iteration: "minor" + if-no-iterations: "pass" sign-commits: "true" auto-merged-label: "tool:auto-merged" migrated-label: "tool:repo-config:migration:executed" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 761847d..50e2e28 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -50,14 +50,14 @@ pytest tests/test_*.py Or you can use `nox`: ```sh -nox -R -s pytest -- test/test_*.py +nox -R -s pytest -- tests/test_*.py ``` The same appliest to `pylint` or `mypy` for example: ```sh -nox -R -s pylint -- test/test_*.py -nox -R -s mypy -- test/test_*.py +nox -R -s pylint -- tests/test_*.py +nox -R -s mypy -- tests/test_*.py ``` ### Building the documentation @@ -154,30 +154,3 @@ These are the steps to create a new release: eventually too). 7. Celebrate! - -## Cross-Arch Testing - -This project has built-in support for testing across multiple architectures. -Currently, our CI conducts tests on `arm64` machines using QEMU emulation. We -also have the flexibility to expand this support to include additional -architectures in the future. - -This project contains Dockerfiles that can be used in the CI to test the -python package in non-native machine architectures, e.g., `arm64`. The -Dockerfiles exist in the directory `.github/containers/nox-cross-arch`, and -follow a naming scheme so that they can be easily used in build matrices in the -CI, in `nox-cross-arch` job. The naming scheme is: - -``` ---python-.Dockerfile -``` - -E.g., - -``` -arm64-ubuntu-20.04-python-3.11.Dockerfile -``` - -If a Dockerfile for your desired target architecture, OS, and python version -does not exist here, please add one before proceeding to add your options to -the test matrix.