diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..dcd8945 --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub recommends pinning actions to a commit SHA. +# To get a newer version, you will need to update the SHA. +# You can also reference a tag or branch, but the action may change without warning. + +name: publish + +on: + workflow_dispatch: + inputs: + release-tag: + type: string + required: true + description: Git tag of the istribution to be published +jobs: + publish-to-pypi: + name: Publish to PyPI + runs-on: ubuntu-latest + + environment: + name: pypi + url: https://pypi.org/p/compliance-to-policy + + permissions: + id-token: write # IMPORTANT: mandatory for trusted publishing + + steps: + - name: Download the distributions from release + run: gh release download ${{ github.event.inputs.release-tag }} -D dist -p '*.tar.gz' -p '*.whl' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.REPOSITORY }} + - name: Publish distribution 📦 to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..903bad5 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,143 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub recommends pinning actions to a commit SHA. +# To get a newer version, you will need to update the SHA. +# You can also reference a tag or branch, but the action may change without warning. + +name: release + +on: + workflow_dispatch: + +jobs: + build: + name: Build with semantic versioning + runs-on: ubuntu-latest + outputs: + release-tag: ${{ steps.release.outputs.tag }} + release-version: ${{ steps.release.outputs.version }} + permissions: + contents: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Python Semantic Release + id: release + uses: python-semantic-release/python-semantic-release@v9.8.0 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + - name: Check release + if: steps.release.outputs.released == 'false' + run: | + echo 'No release will be made since there are no release commits. See also Commit Parsers configuration.' + exit 1 + - name: Set up Python 3.10 + uses: actions/setup-python@v5 + with: + python-version: '3.10' + - name: Install build tools + run: | + make install-dev + - name: Build + run: | + make build + - name: Store the distribution packages + uses: actions/upload-artifact@v3 + with: + name: python-package-distributions + path: dist/ + + publish-to-github: + name: Publish to GitHub + needs: + - build + runs-on: ubuntu-latest + + permissions: + contents: write + packages: write + id-token: write # IMPORTANT: mandatory for trusted publishing + + steps: + - name: Download all the dists + uses: actions/download-artifact@v3 + with: + name: python-package-distributions + path: dist/ + - name: Sign the dists with Sigstore + uses: sigstore/gh-action-sigstore-python@v3.0.0 + with: + inputs: | + ./dist/*.tar.gz + ./dist/*.whl + - name: Upload package distributions to GitHub Releases + run: gh release upload ${{needs.build.outputs.release-tag}} ./dist/* + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.REPOSITORY }} + + publish-to-testpypi: + name: Publish to TestPyPI + needs: + - build + - publish-to-github + runs-on: ubuntu-latest + + environment: + name: testpypi + url: https://pypi.org/p/compliance-to-policy + + permissions: + id-token: write # IMPORTANT: mandatory for trusted publishing + + steps: + - name: Download the distributions from release + run: gh release download ${{needs.build.outputs.release-tag}} -D dist -p '*.tar.gz' -p '*.whl' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.REPOSITORY }} + - name: Publish distribution 📦 to TestPyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ + + test: + name: Integration Test + needs: + - build + - publish-to-testpypi + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{needs.build.outputs.release-tag}} + - name: Set up Python 3.10 + uses: actions/setup-python@v5 + with: + python-version: '3.10' + - name: Install + run: | + version=${{needs.build.outputs.release-version}} + version=${version/-rc./rc} + count=0 + while :; do + count=$(($count+1)) + echo "Check if ${version} is available or not ...$count" + if pip index versions -i https://test.pypi.org/simple/ compliance-to-policy | grep ${version};then + break + fi + [[ "$count" -gt 5 ]] && echo "Not found ${version}" && exit 1 + sleep 5 + done + pip index versions -i https://test.pypi.org/simple/ compliance-to-policy | grep ${version} + pip install -i https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple compliance-to-policy==${version} + pip install pytest + - name: Run test + run: make it \ No newline at end of file diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml new file mode 100644 index 0000000..6792627 --- /dev/null +++ b/.github/workflows/validate.yml @@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub recommends pinning actions to a commit SHA. +# To get a newer version, you will need to update the SHA. +# You can also reference a tag or branch, but the action may change without warning. + +name: validate + +on: + pull_request_target: + types: + - opened + - edited + - synchronize + branches: + - 'main' + +jobs: + validate: + name: Validate + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Set up Python 3.10 + uses: actions/setup-python@v5 + with: + python-version: '3.10' + - name: Install for develompemnt + run: | + make install-dev + - name: Unit Test + run: | + make test + - name: Build + run: | + make build + - name: Integration Test + run: | + pip install ./dist/*.tar.gz + make it \ No newline at end of file diff --git a/Makefile b/Makefile index 254ee97..98a992f 100644 --- a/Makefile +++ b/Makefile @@ -1,57 +1,61 @@ -PYTHON := $(shell pwd)/.venv/bin/python +.PHONY: build +build: + python -m build -.venv: - @echo Please create venv firstly +.PHONY: install +install: + python -m pip install . -build: .venv - @$(PYTHON) -m build +.PHONY: install-dev +install-dev: + python -m pip install ".[dev]" -install: .venv - @$(PYTHON) -m pip install . +.PHONY: uninstall +uninstall: + python -m pip uninstall compliance-to-policy -install-dev: .venv - @$(PYTHON) -m pip install ".[dev]" +.PHONY: format +format: + python -m isort . + python -m black . -uninstall: .venv - @$(PYTHON) -m pip uninstall compliance-to-policy - - -format: .venv - @$(PYTHON) -m isort . - @$(PYTHON) -m black . - -lint: .venv - @$(PYTHON) -m pylint ./c2p ./tests +.PHONY: lint +lint: + python -m pylint ./c2p ./tests .PHONY: docs -docs: .venv - @$(PYTHON) -m mkdocs build +docs: + python -m mkdocs build .PHONY: gh-pages - gh-pages: .venv - @$(PYTHON) -m mkdocs gh-deploy + gh-pages: + python -m mkdocs gh-deploy # make test ARGS="-n 2 --dist loadscope --log-cli-level DEBUG" TARGET="tests/c2p/test_cli.py" # TODO: -n 2 (pytest-xdist plugin) results in no logs displayed. +.PHONY: test test: ARGS ?= test: TARGET ?= tests/ -test: .venv test-plugin +test: test-plugin @OUTPUT_PATH=/dev/null $(PYTHON) -m pytest $(ARGS) $(TARGET) +.PHONY: test-plugin test-plugin: ARGS ?= test-plugin: TARGET ?= plugins_public/tests/ -test-plugin: .venv +test-plugin: @OUTPUT_PATH=/dev/null $(PYTHON) -m pytest $(ARGS) $(TARGET) -# After published, the branch must be merged first-forwardly. TODO: Integrate with CI -publish: GIT_TAG ?= -publish: - @toml set --toml-path pyproject.toml project.version $(GIT_TAG) - @git add pyproject.toml - @git commit -S -s -m "update version to $(GIT_TAG)" - @git tag $(GIT_TAG) - -clean: .venv +.PHONY: it +it: + python samples_public/kyverno/compliance_to_policy.py + python samples_public/kyverno/result_to_compliance.py + python samples_public/ocm/compliance_to_policy.py + python samples_public/ocm/result_to_compliance.py + python samples_public/auditree/compliance_to_policy.py + python samples_public/auditree/result_to_compliance.py + +.PHONY: clean +clean: @rm -rf build *.egg-info dist @find ./plugins -type d \( -name '*.egg-info' -o -name 'dist' \) | while read x; do echo $$x; rm -r $$x ; done - @$(PYTHON) -m pyclean -v . \ No newline at end of file + python -m pyclean -v . \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index b65e6b1..75da099 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -88,3 +88,13 @@ disable = ["W1203", "W1201"] [tool.pylint.format] max-line-length = 120 + +[tool.semantic_release] +version_toml = ["pyproject.toml:project.version"] +commit_message = "{version}\n\nAutomatically generated by python-semantic-release" + +[tool.semantic_release.remote.token] +env = "GITHUB_TOKEN" + +[tool.semantic_release.publish] +upload_to_vcs_release = false \ No newline at end of file