Merge remote-tracking branch 'upstream/master'

# Conflicts: # .gitlab-ci.yml # CHANGELOG.md # README.md # templates/gitlab-ci-python.yml

Merge remote-tracking branch 'upstream/master'
30afc2ae · Benguria Elguezabal, Gorka · afb983c1 · d7f3b951 · 30afc2ae · 30afc2ae
Commit 30afc2ae authored 3 months ago by Benguria Elguezabal, Gorka
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist

 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
    * [ ] untagged runners
    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-# [7.8.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/python/compare/7.7.1...7.8.0) (2025-01-29)
+## [7.10.2](https://gitlab.com/to-be-continuous/python/compare/7.10.1...7.10.2) (2025-05-03)
+
+
+### Bug Fixes
+
+* add python cmd when python3 is present ([e6c8d7f](https://gitlab.com/to-be-continuous/python/commit/e6c8d7f98cd785d2a4ccaf777a9c3d0016a3da19))
+
+## [7.10.1](https://gitlab.com/to-be-continuous/python/compare/7.10.0...7.10.1) (2025-05-02)
+
+
+### Bug Fixes
+
+* change to pytest bin instead of module ([19be433](https://gitlab.com/to-be-continuous/python/commit/19be433bf16097a98ae5de4f633ebd9fe807e4ef)), closes [#109](https://gitlab.com/to-be-continuous/python/issues/109)
+* exclude venv on py-lint ([d459124](https://gitlab.com/to-be-continuous/python/commit/d45912485cd7e8a1d802dda72eca6b6bfe1860b8))
+* py-package remove reports dir ([300d31f](https://gitlab.com/to-be-continuous/python/commit/300d31f51e6670cc6f09d6af01531b77e9d270af)), closes [#98](https://gitlab.com/to-be-continuous/python/issues/98)
+
+# [7.10.0](https://gitlab.com/to-be-continuous/python/compare/7.9.2...7.10.0) (2025-04-16)
+
+
+### Features
+
+* **Hatch:** add Hatch support as a new build system ([f684e63](https://gitlab.com/to-be-continuous/python/commit/f684e634496711d984843b25141f57df6e3826be))
+
+## [7.9.2](https://gitlab.com/to-be-continuous/python/compare/7.9.1...7.9.2) (2025-04-02)
+
+
+### Bug Fixes
+
+* **sbom:** disable file catalogers for Syft SBOM (to minimize SBOM file) ([d83edb0](https://gitlab.com/to-be-continuous/python/commit/d83edb06767741edd400ed195981df778414e9cd))
+
+## [7.9.1](https://gitlab.com/to-be-continuous/python/compare/7.9.0...7.9.1) (2025-03-11)
+
+
+### Bug Fixes
+
+* **bump-my-version:** improve bump-my-version config verification (solves [#106](https://gitlab.com/to-be-continuous/python/issues/106)) ([64b624a](https://gitlab.com/to-be-continuous/python/commit/64b624a4d0abde429d50a00a9c595993c369fbd0))
+
+# [7.9.0](https://gitlab.com/to-be-continuous/python/compare/7.8.3...7.9.0) (2025-03-10)
+
+
+### Features
+
+* skip GCP ADC authent when GCP_JWT is not present ([b43207f](https://gitlab.com/to-be-continuous/python/commit/b43207f6eee26a8d17bc75ed19b54208534b3ad9))
+
+## [7.8.3](https://gitlab.com/to-be-continuous/python/compare/7.8.2...7.8.3) (2025-02-23)
+
+
+### Bug Fixes
+
+* change _pip to pass cmd then PIP_OPTS ([c1b277e](https://gitlab.com/to-be-continuous/python/commit/c1b277e31b977b41eedd5e213e7672d11c66da33))
+
+## [7.8.2](https://gitlab.com/to-be-continuous/python/compare/7.8.1...7.8.2) (2025-02-03)
+
+
+### Bug Fixes
+
+* **gcp:** reduce scope of GCP App Default Creds script to template ([829bfce](https://gitlab.com/to-be-continuous/python/commit/829bfceffe3a2e097914c719d4a4488d544be7ab))
+
+## [7.8.1](https://gitlab.com/to-be-continuous/python/compare/7.8.0...7.8.1) (2025-01-31)
+
+
+### Bug Fixes
+
+* **sbom:** only generate SBOMs on prod branches, integ branches and release tags ([8da756f](https://gitlab.com/to-be-continuous/python/commit/8da756f273cb22dbd12c866ba1e6f7f07b52cb4a))
+
+# [7.8.0](https://gitlab.com/to-be-continuous/python/compare/7.7.1...7.8.0) (2025-01-27)


 ### Features

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:

 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
   Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.

 ### Git Commit Conventions

--- a/README.md
+++ b/README.md
--- a/kicker.json
+++ b/kicker.json
@@ -21,7 +21,7 @@
      "name": "PYTHON_BUILD_SYSTEM",
      "description": "Python build-system to use to install dependencies, build and package the project",
      "type": "enum",
-      "values": ["auto", "setuptools", "poetry", "pipenv", "reqfile", "uv"],
+      "values": ["auto", "setuptools", "poetry", "pipenv", "reqfile", "uv", "hatch"],
      "default": "auto",
      "advanced": true
    },
@@ -86,7 +86,7 @@
    {
      "id":"publish",
      "name":"publish",
-      "description":"This job allows publishing the built packages to a PyPI compatible repository ([GitLab packages](https://docs.gitlab.com/ee/user/packages/pypi_repository/) by default.",
+      "description":"This job allows publishing the built packages to a PyPI compatible repository ([GitLab packages](https://docs.gitlab.com/user/packages/pypi_repository/) by default.",
      "enable_with": "PYTHON_PUBLISH_ENABLED"
    },    
    {
@@ -227,6 +227,14 @@
      "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
      "disable_with": "PYTHON_SBOM_DISABLED",
      "variables": [
+        {
+          "name": "TBC_SBOM_MODE",
+          "type": "enum",
+          "values": ["onrelease", "always"],
+          "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
+          "advanced": true,
+          "default": "onrelease"
+        },
        {
          "name": "PYTHON_SBOM_SYFT_URL",
          "description": "Url to the `tar.gz` package for `linux_amd64` of Syft to use\n\n_When unset, the latest version will be used_",
@@ -241,7 +249,7 @@
        {
          "name": "PYTHON_SBOM_OPTS",
          "description": "Options for syft used for SBOM analysis",
-          "default": "--override-default-catalogers python-package-cataloger",
+          "default": "--override-default-catalogers python-package-cataloger --select-catalogers -file",
          "advanced": true
        },
        {
@@ -308,7 +316,7 @@
        {
          "name": "PYTHON_REPOSITORY_URL",
          "type": "url",
-          "description": "Target PyPI repository to publish packages.\n\n_defaults to [GitLab project's packages repository](https://docs.gitlab.com/ee/user/packages/pypi_repository/)_",
+          "description": "Target PyPI repository to publish packages.\n\n_defaults to [GitLab project's packages repository](https://docs.gitlab.com/user/packages/pypi_repository/)_",
          "default": "${CI_SERVER_URL}/api/v4/projects/${CI_PROJECT_ID}/packages/pypi"
        },
        {
@@ -461,7 +469,7 @@
      "variables": [
        {
          "name": "GCP_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/google_cloud/))_",
          "default": "$CI_SERVER_URL",
          "advanced": true
        },
@@ -471,7 +479,7 @@
        },
        {
          "name": "GCP_OIDC_PROVIDER",
-          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
+          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)"
        }
      ]
    },
@@ -493,13 +501,13 @@
        },
        {
          "name": "AWS_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
          "default": "$CI_SERVER_URL",
          "advanced": true
        },
        {
          "name": "AWS_OIDC_ROLE_ARN",
-          "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_"
+          "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_"
        },
        {
          "name": "AWS_ACCESS_KEY_ID",

--- a/templates/gitlab-ci-python-aws-codeartifact.yml
+++ b/templates/gitlab-ci-python-aws-codeartifact.yml
@@ -16,11 +16,11 @@ spec:
      description: Default region (where the Codeartifact registry is located)
      default: ''
    aws-oidc-aud:
-      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
      default: $CI_SERVER_URL
    aws-oidc-role-arn:
      description: Default IAM Role ARN associated with GitLab _(only required for [OIDC
-        authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+        authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
      default: ''
 ---
 variables:

--- a/templates/gitlab-ci-python-gcp.yml
+++ b/templates/gitlab-ci-python-gcp.yml
@@ -5,13 +5,13 @@
 spec:
  inputs:
    gcp-oidc-aud:
-      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)))_
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/google_cloud/)))_
      default: $CI_SERVER_URL
    gcp-oidc-account:
      description: Default Service Account to which impersonate with OpenID Connect authentication
      default: ''
    gcp-oidc-provider:
-      description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
+      description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)
      default: ''
 ---
 variables:
@@ -19,12 +19,12 @@ variables:
  GCP_OIDC_ACCOUNT: $[[ inputs.gcp-oidc-account ]]
  GCP_OIDC_PROVIDER: $[[ inputs.gcp-oidc-provider ]]

-.gcp-provider-auth:
-  before_script:
-    - set -e
-    - echo -e "[\\e[1;94mINFO\\e[0m] Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file"
-    - echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"
-    - |-
+.python-gcp-adc:
+  - |
+    if [[ "$GCP_JWT" ]]
+    then
+      echo -e "[\\e[1;94mINFO\\e[0m] Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file"
+      echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"
      cat << EOF > "$CI_BUILDS_DIR/google_application_credentials.json"
      {
        "type": "external_account",
@@ -37,23 +37,24 @@ variables:
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GCP_OIDC_ACCOUNT}:generateAccessToken"
      }
    EOF
-    - export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json"
-
+      export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json"
+    else
+      echo '[WARN] $GCP_JWT is not set: cannot setup Application Default Credentials (ADC) authentication'
+    fi

 .python-base:
  image: $PYTHON_IMAGE
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "python", "7.8.0"]
+      command: ["--service", "python", "7.10.2"]
+  id_tokens:
+    GCP_JWT:
+      aud: "$GCP_OIDC_AUD"
  variables:
    GCP_JWT: $GCP_JWT
  before_script:
-    - !reference [.gcp-provider-auth, before_script]
    - !reference [.python-scripts]
+    - !reference [.python-gcp-adc]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - cd ${PYTHON_PROJECT_DIR}
    - guess_build_system
-
-  id_tokens:
-    GCP_JWT:
-      aud: "$GCP_OIDC_AUD"
--- a/templates/gitlab-ci-python-vault.yml
+++ b/templates/gitlab-ci-python-vault.yml
@@ -22,7 +22,7 @@ variables:
 .python-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "python", "7.8.0"]
+      command: ["--service", "python", "7.10.2"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml