Merge pull request #586 from camptocamp/renovate/all-minor-versions

Update all minor versions (minor)

.github/renovate.json5

@@ -17,26 +17,29 @@
     automerge: true,
   },
   'pre-commit': { enabled: true },
-  regexManagers: [
+  customManagers: [
     /** Do update on the schema present in the ci/config.yaml */
     {
       fileMatch: ['^ci/config\\.yaml$'],
       matchStrings: [
         '.*https://raw\\.githubusercontent\\.com/(?<depName>[^\\s]+)/(?<currentValue>[0-9\\.]+)/.*',
       ],
       datasourceTemplate: 'github-tags',
+      customType: 'regex',
     },
     /** Do updates on pre-commit additional dependencies */
     {
       fileMatch: ['^\\.pre\\-commit\\-config\\.yaml$'],
       matchStrings: [" +- '?(?<depName>[^' @=]+)(@|==)(?<currentValue>[^' @=]+)'? # (?<datasource>.+)"],
+      customType: 'regex',
     },
     /** Python version in actions/setup-python action */
     {
       fileMatch: ['^\\.github/workflows/.*\\.yaml$'],
       matchStrings: [' python-version: [\'"](?<currentValue>[0-9\\.]+)[\'"]'],
       datasourceTemplate: 'python-version',
       depNameTemplate: 'python',
+      customType: 'regex',
     },
   ],
   packageRules: [
@@ -64,10 +67,10 @@
     },
     /** Group Poetry packages */
     {
-      matchPackagePrefixes: ['poetry-'],
       groupName: 'Poetry',
       automerge: true,
       matchDepNames: ['poetry', 'pip'],
+      matchPackageNames: ['/^poetry\\-.*/'],
     },
     /** Support the 4 parts of shellcheck-py version with a v prefix */
     {

.github/workflows/main.yaml

@@ -46,10 +46,8 @@ jobs:
           path: ~/.cache/pre-commit
           key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
           restore-keys: "pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}\npre-commit-"
-      - run: pre-commit run --all-files
-      - run: git diff --exit-code --patch > /tmp/pre-commit.patch || true
-        if: failure()
-      - run: git diff --patch > /tmp/pre-commit.patch || true
+      - run: pre-commit run --all-files --color=always
+      - run: git diff --exit-code --patch > /tmp/pre-commit.patch; git diff --color; git reset --hard || true
         if: failure()
       - uses: actions/upload-artifact@v4
         with:
@@ -78,9 +76,11 @@ jobs:
         if: always()
 
       - name: Publish
-        run: c2cciutils-publish
+        run: tag-publish
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: env.HAS_SECRETS == 'HAS_SECRETS'
-      - run: git diff --exit-code --patch > /tmp/dpkg-versions.patch || true
+      - run: git diff --exit-code --patch > /tmp/dpkg-versions.patch; git diff --color; git reset --hard || true
         if: failure()
       - uses: actions/upload-artifact@v4
         with:

.pre-commit-config.yaml

@@ -68,38 +68,18 @@ repos:
     rev: v0.1.8
     hooks:
       - id: ripsecrets
-  - repo: https://github.com/asottile/pyupgrade
-    rev: v3.19.0
-    hooks:
-      - id: pyupgrade
-        args:
-          - --py310-plus
-  - repo: https://github.com/PyCQA/autoflake
-    rev: v2.3.1
-    hooks:
-      - id: autoflake
-  - repo: https://github.com/PyCQA/isort
-    rev: 5.13.2
-    hooks:
-      - id: isort
-        args:
-          - -p
-          - github_app_gep_project
-  - repo: https://github.com/psf/black
-    rev: 24.10.0
-    hooks:
-      - id: black
   - repo: https://github.com/PyCQA/prospector
-    rev: v1.12.1
+    rev: v1.13.2
     hooks:
       - id: prospector
         args:
-          - --tool=pydocstyle
+          - --tool=ruff
           - --die-on-tool-error
           - --output-format=pylint
         additional_dependencies:
-          - prospector-profile-duplicated==1.6.0 # pypi
-          - prospector-profile-utils==1.9.1 # pypi
+          - prospector-profile-duplicated==1.8.0 # pypi
+          - prospector-profile-utils==1.11.1 # pypi
+          - ruff==0.7.3 # pypi
   - repo: https://github.com/camptocamp/jsonschema-gentypes
     rev: 2.8.1
     hooks:
@@ -201,3 +181,11 @@ repos:
     rev: 38.142.2
     hooks:
       - id: renovate-config-validator
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.7.2
+    hooks:
+      - id: ruff-format
+  - repo: https://github.com/sbrunner/python-versions-hook
+    rev: 0.7.0
+    hooks:
+      - id: python-versions

.prospector.yaml

@@ -3,13 +3,19 @@ inherits:
   - utils:base
   - utils:fix
   - utils:no-design-checks
-
-doc-warnings: true
+  - utils:unsafe
+  - utils:c2cwsgiutils
 
 ignore-paths:
   - github_app_geo_project/project_configuration.py
   - github_app_geo_project/application_configuration.py
+  - github_app_geo_project/module/standard/changelog_configuration.py
+  - github_app_geo_project/module/audit/configuration.py
+
+mypy:
+  options:
+    python-version: '3.11'
 
-bandit:
+ruff:
   options:
-    config: .bandit.yaml
+    target-version: py311

ci/requirements.txt

@@ -11,3 +11,4 @@ setuptools>=65.5.1 # not directly required, pinned by Snyk to avoid a vulnerabil
 jinja2>=3.1.3 # not directly required, pinned by Snyk to avoid a vulnerability
 cryptography>=42.0.8 # not directly required, pinned by Snyk to avoid a vulnerability
 zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
+tag-publish==0.8.2

docker-compose.override.sample.yaml

@@ -1,7 +1,5 @@
-version: '2.2'
-
 services:
-  application: &app
+  application:
     command:
       - pserve
       - --reload

docker-compose.yaml

@@ -1,5 +1,3 @@
-version: '2.2'
-
 services:
   db:
     image: camptocamp/postgres:17-postgis-3

github_app_geo_project/application_configuration.py

@@ -1,6 +1,4 @@
-"""
-Automatically generated file from a JSON schema.
-"""
+"""Automatically generated file from a JSON schema."""
 
 from typing import Any, TypedDict
 

github_app_geo_project/configuration.py

@@ -20,9 +20,7 @@
 
 
 def apply_profile_inheritance(profile_name: str, profiles: dict[str, Any]) -> None:
-    """
-    Apply the inheritance of the profile.
-    """
+    """Apply the inheritance of the profile."""
     for other_name, other_profile in APPLICATION_CONFIGURATION["profiles"].items():
         if other_profile.get("inherits") == profile_name:
             _LOGGER.debug("Apply inheritance %s -> %s", profile_name, other_name)

github_app_geo_project/module/audit/__init__.py

@@ -148,10 +148,9 @@ async def _process_snyk_dpkg(
                     return ["Fail to clone the repository"], success
 
                 local_config: configuration.AuditConfiguration = {}
-                if context.module_event_data.type in ("snyk", "dpkg"):
-                    if os.path.exists(".github/ghci.yaml"):
-                        with open(".github/ghci.yaml", encoding="utf-8") as file:
-                            local_config = yaml.load(file, Loader=yaml.SafeLoader).get("audit", {})
+                if context.module_event_data.type in ("snyk", "dpkg") and os.path.exists(".github/ghci.yaml"):
+                    with open(".github/ghci.yaml", encoding="utf-8") as file:
+                        local_config = yaml.load(file, Loader=yaml.SafeLoader).get("audit", {})
 
                 logs_url = urllib.parse.urljoin(context.service_url, f"logs/{context.job_id}")
                 if context.module_event_data.type == "snyk":
@@ -163,10 +162,7 @@ async def _process_snyk_dpkg(
                                     python_version = ".".join(line.split(" ")[1].split(".")[0:2]).strip()
                                     break
 
-                    if python_version:
-                        env = _use_python_version(python_version)
-                    else:
-                        env = os.environ.copy()
+                    env = _use_python_version(python_version) if python_version else os.environ.copy()
 
                     result, body, short_message, new_success = await audit_utils.snyk(
                         branch,
@@ -186,7 +182,7 @@ async def _process_snyk_dpkg(
                         ", ".join(short_message),
                     )
                     message: module_utils.Message = module_utils.HtmlMessage(
-                        "<a href='%s'>Output</a>" % output_url
+                        f"<a href='{output_url}'>Output</a>"
                     )
                     message.title = "Output URL"
                     _LOGGER.debug(message)
@@ -210,18 +206,18 @@ async def _process_snyk_dpkg(
                 body_md += f"[Logs]({logs_url})"
                 short_message.append(f"[Logs]({logs_url})")
 
-                diff_proc = subprocess.run(  # nosec # pylint: disable=subprocess-run-check
+                diff_proc = subprocess.run(  # pylint: disable=subprocess-run-check
                     ["git", "diff", "--quiet"], timeout=30
                 )
                 if diff_proc.returncode != 0:
-                    proc = subprocess.run(  # nosec # pylint: disable=subprocess-run-check
+                    proc = subprocess.run(  # pylint: disable=subprocess-run-check
                         ["git", "diff"], timeout=30, capture_output=True, encoding="utf-8"
                     )
                     message = module_utils.ansi_proc_message(proc)
                     message.title = "Changes to be committed"
                     _LOGGER.debug(message)
 
-                    proc = subprocess.run(  # nosec # pylint: disable=subprocess-run-check
+                    proc = subprocess.run(  # pylint: disable=subprocess-run-check
                         ["git", "checkout", "-b", new_branch],
                         capture_output=True,
                         encoding="utf-8",
@@ -275,7 +271,7 @@ async def _process_snyk_dpkg(
 
 
 def _use_python_version(python_version: str) -> dict[str, str]:
-    proc = subprocess.run(  # nosec # pylint: disable=subprocess-run-check
+    proc = subprocess.run(  # pylint: disable=subprocess-run-check
         ["pyenv", "local", python_version],
         capture_output=True,
         encoding="utf-8",
@@ -288,7 +284,7 @@ def _use_python_version(python_version: str) -> dict[str, str]:
     else:
         message.title = f"Setting the Python version to {python_version}"
         _LOGGER.debug(message)
-    proc = subprocess.run(  # nosec # pylint: disable=subprocess-run-check
+    proc = subprocess.run(  # pylint: disable=subprocess-run-check
         ["python", "--version"], capture_output=True, encoding="utf-8", timeout=5
     )
 

github_app_geo_project/module/audit/configuration.py

@@ -1,6 +1,4 @@
-"""
-Automatically generated file from a JSON schema.
-"""
+"""Automatically generated file from a JSON schema."""
 
 from typing import Any, Literal, TypedDict, Union
 

github_app_geo_project/module/audit/utils.py

@@ -1,6 +1,4 @@
-"""
-The auditing functions.
-"""
+"""The auditing functions."""
 
 import asyncio
 import datetime
@@ -99,7 +97,7 @@ async def snyk(
         True if len(fixable_vulnerabilities_summary) == 0 else (snyk_fix_success and npm_audit_fix_success)
     )
 
-    diff_proc = subprocess.run(  # nosec # pylint: disable=subprocess-run-check
+    diff_proc = subprocess.run(  # pylint: disable=subprocess-run-check
         ["git", "diff", "--quiet"], timeout=30
     )
     if diff_proc.returncode != 0:
@@ -128,7 +126,6 @@ async def _select_java_version(
     local_config: configuration.SnykConfiguration,
     env: dict[str, str],
 ) -> None:
-
     if not os.path.exists("gradlew"):
         return
 
@@ -167,7 +164,7 @@ async def _install_requirements_dependencies(
     result: list[module_utils.Message],
     env: dict[str, str],
 ) -> None:
-    proc = subprocess.run(  # nosec # pylint: disable=subprocess-run-check
+    proc = subprocess.run(  # pylint: disable=subprocess-run-check
         ["git", "ls-files", "requirements.txt", "*/requirements.txt"],
         capture_output=True,
         encoding="utf-8",
@@ -210,7 +207,7 @@ async def _install_pipenv_dependencies(
     result: list[module_utils.Message],
     env: dict[str, str],
 ) -> None:
-    proc = subprocess.run(  # nosec # pylint: disable=subprocess-run-check
+    proc = subprocess.run(  # pylint: disable=subprocess-run-check
         ["git", "ls-files", "Pipfile", "*/Pipfile"], capture_output=True, encoding="utf-8", timeout=30
     )
     if proc.returncode != 0:
@@ -249,7 +246,7 @@ async def _install_poetry_dependencies(
     result: list[module_utils.Message],
     env: dict[str, str],
 ) -> None:
-    proc = subprocess.run(  # nosec # pylint: disable=subprocess-run-check
+    proc = subprocess.run(  # pylint: disable=subprocess-run-check
         ["git", "ls-files", "poetry.lock", "*/poetry.lock"],
         capture_output=True,
         encoding="utf-8",
@@ -519,7 +516,7 @@ async def _snyk_fix(
 
     snyk_fix_success = True
     snyk_fix_message = None
-    subprocess.run(["git", "reset", "--hard"], timeout=30)  # nosec # pylint: disable=subprocess-run-check
+    subprocess.run(["git", "reset", "--hard"], timeout=30)  # pylint: disable=subprocess-run-check
     if fixable_vulnerabilities_summary or vulnerabilities_in_requirements:
         command = [
             "snyk",
@@ -607,9 +604,7 @@ async def _npm_audit_fix(
 def outdated_versions(
     security: security_md.Security,
 ) -> list[str | models.OutputData]:
-    """
-    Check that the versions from the SECURITY.md are not outdated.
-    """
+    """Check that the versions from the SECURITY.md are not outdated."""
     version_index = security.headers.index("Version")
     date_index = security.headers.index("Supported Until")
 
@@ -635,9 +630,7 @@ def outdated_versions(
 def _get_sources(
     dist: str, config: configuration.DpkgConfiguration, local_config: configuration.DpkgConfiguration
 ) -> apt_repo.APTSources:
-    """
-    Get the sources for the distribution.
-    """
+    """Get the sources for the distribution."""
     if dist not in _SOURCES:
         conf = local_config.get("sources", config.get("sources", configuration.DPKG_SOURCES_DEFAULT))
         if dist not in conf:
@@ -657,9 +650,7 @@ def _get_sources(
                 name = f"{dist}/{package.package}"
                 try:
                     version = debian_inspector.version.Version.from_string(package.version)
-                    if name not in _PACKAGE_VERSION:
-                        _PACKAGE_VERSION[name] = version
-                    elif version > _PACKAGE_VERSION[name]:
+                    if name not in _PACKAGE_VERSION or version > _PACKAGE_VERSION[name]:
                         _PACKAGE_VERSION[name] = version
                 except ValueError as exception:
                     _LOGGER.warning(
@@ -680,8 +671,10 @@ async def _get_packages_version(
 ) -> str | None:
     """Get the version of the package."""
     global _GENERATION_TIME  # pylint: disable=global-statement
-    if _GENERATION_TIME is None or _GENERATION_TIME < datetime.datetime.now() - utils.parse_duration(
-        os.environ.get("GHCI_DPKG_CACHE_DURATION", "3h")
+    if (
+        _GENERATION_TIME is None
+        or datetime.datetime.now() - utils.parse_duration(os.environ.get("GHCI_DPKG_CACHE_DURATION", "3h"))
+        > _GENERATION_TIME
     ):
         _PACKAGE_VERSION.clear()
         _SOURCES.clear()
@@ -709,7 +702,7 @@ async def dpkg(
     with open(dpkg_versions_filename, encoding="utf-8") as versions_file:
         versions_config = yaml.load(versions_file, Loader=yaml.SafeLoader)
         for versions in versions_config.values():
-            for package_full in versions.keys():
+            for package_full in versions:
                 version = await _get_packages_version(package_full, config, local_config)
                 if version is None:
                     _LOGGER.warning("No version found for %s", package_full)

github_app_geo_project/module/delete_old_workflow_runs/__init__.py

@@ -52,6 +52,7 @@ def get_json_schema(self) -> dict[str, Any]:
             return schema  # type: ignore[no-any-return]
 
     def get_github_application_permissions(self) -> module.GitHubApplicationPermissions:
+        """Get the GitHub application permissions needed by the module."""
         return module.GitHubApplicationPermissions(permissions={"actions": "write"}, events=set())
 
     async def process(