Merge branch 'main' into az-python-3.11

.github/workflows/changie-trigger-release.yml

@@ -0,0 +1,11 @@
+---
+name: changie-trigger-release
+on:
+  workflow_dispatch:
+permissions:
+  contents: write
+  pull-requests: write
+jobs:
+  changelog:
+    uses: delineaxpm/github-workflows/.github/workflows/changie-trigger-release.yml@main
+    secrets: inherit

.github/workflows/lint.yml

@@ -1,16 +1,9 @@
 ---
 name: lint
 on:
-  # Run CI against all pushes (direct commits, also merged PRs), Pull Requests
-  push:
+  pull_request:
     branches:
       - main
-      - stable-*
-  pull_request:
-  # Run CI once per day (at 06:00 UTC)
-  # This ensures that even if there haven't been commits that we are still testing against latest version of ansible-test for each ansible-base version
-  # schedule:
-  #   - cron: '0 6 * * *'
   workflow_dispatch:
 
 permissions:

.github/workflows/release.yml

@@ -2,8 +2,8 @@ name: release
 
 on:
   push:
-    tags:
-      - "v*"
+    branches: [main]
+    paths: [CHANGELOG.md] # your changelog file if different
   workflow_dispatch:
 
 jobs:
@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - id: dsv
-        uses: DelineaXPM/[email protected].2
+        uses: DelineaXPM/dsv-github-action@2559ec0943aaf9a42b634cfbfef1b689041c4270 # v2.0.3
         with:
           domain: ${{ secrets.DSV_SERVER }}
           clientId: ${{ secrets.DSV_CLIENT_ID }}
@@ -21,22 +21,43 @@ jobs:
             [
              {"secretPath": "ci:publish:pypi", "secretKey": "PYPI_API_TOKEN", "outputVariable": "PYPI_API_TOKEN"}
             ]
-      - uses: actions/checkout@v3
-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - uses: aquaproj/aqua-installer@36dc5833b04eb63f06e3bb818aa6b7a6e6db99a9 # v2.1.2
+        continue-on-error: true
+        with:
+          aqua_version: v2.10.1
+          enable_aqua_install: true
+          aqua_opts: "--tags release" # if using aqua.yaml config any special items in your repo like Golangci-lint using tags so it only installs what's needed
+        env:
+          AQUA_LOG_LEVEL: debug
+          AQUA_OPTS: ""
+      - name: setup-python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5
         with:
           python-version: "3.x"
 
-      - name: Install dependencies
+      - name: python-install-deps
         run: |
           python -m pip install --upgrade pip
           python -m pip install flit
 
       - name: Build package
         run: flit build
 
-      - name: Publish package
-        uses: pypa/gh-action-pypi-publish@release/v1
+      - name: publish-pypi
+        uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf #v1.8.11
         with:
           user: __token__
           password: "${{ env.PYPI_API_TOKEN }}" # ${{ secrets.PYPI_API_TOKEN }}
+      - name: create-github-release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+              datestring=$(date "+%Y-%m-%d")
+          elif [[ "$OSTYPE" == "darwin"* ]]; then
+              datestring=$(date -u "+%Y-%m-%d")
+          fi
+          cmd="gh release create \"$(changie latest)\" --title \"$(changie latest) - ${datestring}\" -F \".changes/$(changie latest).md\""
+          printf "Command to execute: $cmd\n"
+          eval "$cmd"

.github/workflows/test.yml

@@ -1,6 +1,9 @@
 name: test
 
-on: [pull_request]
+on:
+  pull_request:
+    branches:
+      - main
 
 jobs:
   build:
@@ -11,9 +14,9 @@ jobs:
         python: [3.7, 3.8, 3.9, "3.10", "3.11"]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5
         with:
           python-version: ${{ matrix.python }}
 
@@ -29,6 +32,6 @@ jobs:
           DSV_CLIENT_ID: ${{ secrets.DSV_CLIENT_ID }}
           DSV_CLIENT_SECRET: ${{ secrets.DSV_CLIENT_SECRET }}
           DSV_BASE_URL: ${{ secrets.DSV_BASE_URL }}
-      - uses: codecov/codecov-action@v3
+      - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3
         with:
           fail_ci_if_error: false

.trunk/.gitignore

@@ -2,6 +2,8 @@
 *logs
 *actions
 *notifications
+*tools
 plugins
 user_trunk.yaml
 user.yaml
+tmp

.trunk/trunk.yaml

@@ -1,24 +1,24 @@
 version: 0.1
 cli:
-  version: 1.0.1
+  version: 1.19.0
 plugins:
   sources:
     - id: trunk
-      ref: v0.0.5
+      ref: v1.2.1
       uri: https://github.com/trunk-io/plugins
 lint:
   enabled:
-    - hadolint@2.10.0
+    - hadolint@2.12.0
     - [email protected]
-    - gitleaks@8.15.0
+    - gitleaks@8.18.1
     - [email protected]
-    - taplo@release-taplo-cli-0.7.0
-    - [email protected].21
+    - taplo@0.8.1
+    - [email protected].26
     - [email protected]
     - [email protected]
     - git-diff-check
-    - prettier@2.7.1
-    - markdownlint@0.32.2
+    - prettier@3.2.4
+    - markdownlint@0.38.0
   threshold:
     - linters: [markdownlint]
       level: high

RELEASE.md

@@ -0,0 +1,7 @@
+# Release
+
+- Run [changie-trigger-release](https://github.com/DelineaXPM/python-dsv-sdk/actions/workflows/changie-trigger-release.yml).
+- Make sure `python-dsv-sdk/delinea/__init__.py` was included in the pull request.
+- Once changie files are merged, the [release](https://github.com/DelineaXPM/python-dsv-sdk/actions/workflows/release.yml) should trigger and publish.
+  - pypi should be updated: [pypi link](https://pypi.org/project/python-dsv-sdk/)
+  - [github release should also have been created](https://github.com/DelineaXPM/python-dsv-sdk/releases) (this is just for more consistent releases and also triggering update in slack channels via release).

aqua.yaml

@@ -3,21 +3,11 @@
 # https://aquaproj.github.io/
 registries:
   - type: standard
-    ref: v3.140.0 # renovate: depName=aquaproj/aqua-registry
+    ref: v4.122.1 # renovate: depName=aquaproj/aqua-registry
 packages:
-  - name: miniscruff/[email protected]
-  - name: golang/[email protected]
-  - name: direnv/[email protected]
-  - name: magefile/[email protected]
-  - name: charmbracelet/[email protected]
-  - name: goreleaser/[email protected]
-  - name: mvdan/[email protected]
-  - name: golang.org/x/tools/[email protected]
-  - name: golang/tools/[email protected]
-  - name: golang/tools/[email protected]
-  - name: golang/tools/[email protected]
-  - name: golang/tools/[email protected]
-  - name: golang/tools/[email protected]
-  - name: anchore/[email protected]
-  - name: direnv/[email protected]
-  - name: thycotic/[email protected]
+  - name: miniscruff/[email protected]
+    tags: ["release"]
+  - name: direnv/[email protected]
+  - name: charmbracelet/[email protected]
+  - name: cli/[email protected]
+    tags: ["release"]

pyproject.toml

@@ -1,5 +1,5 @@
 [build-system]
-requires = ["flit_core >=2,<4"]
+requires = ["flit_core ==3.9.0"]
 build-backend = "flit_core.buildapi"
 
 [tool.flit.metadata]

renovate.json

@@ -1,12 +1,4 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "DelineaXPM/renovate-config"
-  ],
-  "enabled": false,
-  "vulnerabilityAlerts": {
-    "enabled": true,
-    "semanticCommitType": "security",
-    "prCreation": "immediate"
-  }
-}
+  "extends": ["DelineaXPM/renovate-config:security"]
+}

requirements.txt

@@ -1,5 +1,6 @@
-requests==2.28.2
+requests==2.32.2
 tox
 pytest
 python-dotenv
-flit
+flit
+zipp==3.19.2 # not directly required, pinned by Snyk to avoid a vulnerability