Merge remote-tracking branch 'upstream/master'

# Conflicts: # .gitlab-ci.yml # CHANGELOG.md # README.md # kicker.json

Merge remote-tracking branch 'upstream/master'
c9cbddd4 · Benguria Elguezabal, Gorka · 564109aa · 081c1e6b · c9cbddd4 · c9cbddd4
Commit c9cbddd4 authored 6 months ago by Benguria Elguezabal, Gorka
--- a/.gitleaksignore
+++ b/.gitleaksignore
 dda82d21c9ba0e572abb74e0adb97268dc46d438:README.md:private-key:320
+ff8b9856a0bb045932f4810410404261cd848ea4:README.md:private-key:320
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-## [7.0.2](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/python/compare/7.0.1...7.0.2) (2024-07-26)
+## [7.7.1](https://gitlab.com/to-be-continuous/python/compare/7.7.0...7.7.1) (2025-01-12)


 ### Bug Fixes

-* issue [#73](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/python/issues/73) github_get_latest_version ([ce26d5a](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/python/commit/ce26d5abba8950f30bad1d992a2481bf252359b7))
-* README for trivy now enabled by default ([f5d5f2e](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/python/commit/f5d5f2e9c186b6aeb0c55ef45a65b85615b9ad7b))
+* move back 'reports' dir creation at job level to fix variants missing reports dir ([bf15efe](https://gitlab.com/to-be-continuous/python/commit/bf15efe4b008a5f292e782d0363a52000bf43f37))
+
+# [7.7.0](https://gitlab.com/to-be-continuous/python/compare/7.6.0...7.7.0) (2025-01-12)
+
+
+### Features
+
+* add auto-release as an optional feature for releases ([9db709a](https://gitlab.com/to-be-continuous/python/commit/9db709ad8fe96c7ed524f8083e57b845914e4009))
+
+# [7.6.0](https://gitlab.com/to-be-continuous/python/compare/7.5.2...7.6.0) (2025-01-08)
+
+
+### Features
+
+* add separate 'publish-enabled' to enable publishing package ([6f9ee56](https://gitlab.com/to-be-continuous/python/commit/6f9ee56d00ee5408953fa24323dbba81aa2d4f3a))
+
+## [7.5.2](https://gitlab.com/to-be-continuous/python/compare/7.5.1...7.5.2) (2024-12-22)
+
+
+### Bug Fixes
+
+* **test:** handle decimal coverage ([4fb81f8](https://gitlab.com/to-be-continuous/python/commit/4fb81f8b66bf285f173a2335f8c34523d0f7ca3d))
+
+## [7.5.1](https://gitlab.com/to-be-continuous/python/compare/7.5.0...7.5.1) (2024-11-21)
+
+
+### Bug Fixes
+
+* **CodeArtifact:** fix AWS CodeArtifact variant ([c913e65](https://gitlab.com/to-be-continuous/python/commit/c913e6538d88efaf1d6f0eb7742e7531d66a32c2))
+
+# [7.5.0](https://gitlab.com/to-be-continuous/python/compare/7.4.0...7.5.0) (2024-11-11)
+
+
+### Features
+
+* **Ruff:** add `ruff-format` job for code formatting ([142589f](https://gitlab.com/to-be-continuous/python/commit/142589f2c260336d3a703af3e149c1c666fd5373))
+
+# [7.4.0](https://gitlab.com/to-be-continuous/python/compare/7.3.3...7.4.0) (2024-11-08)
+
+
+### Features
+
+* add AWS CodeArtifact support (variant) ([128fb99](https://gitlab.com/to-be-continuous/python/commit/128fb9950c1354c211abe17d5cba19d75dd66ecc))
+
+## [7.3.3](https://gitlab.com/to-be-continuous/python/compare/7.3.2...7.3.3) (2024-11-06)
+
+
+### Bug Fixes
+
+* correct bandit exclude of .venv and .cache ([ed95527](https://gitlab.com/to-be-continuous/python/commit/ed955279f56f2d66a2a7532b35515f2309f05f5c)), closes [#92](https://gitlab.com/to-be-continuous/python/issues/92)
+
+## [7.3.2](https://gitlab.com/to-be-continuous/python/compare/7.3.1...7.3.2) (2024-11-02)
+
+
+### Bug Fixes
+
+* limit security reports access to developer role or higher ([40c85ef](https://gitlab.com/to-be-continuous/python/commit/40c85eff562a00ceb9b381ef72472ce1910b97ab))
+
+## [7.3.1](https://gitlab.com/to-be-continuous/python/compare/7.3.0...7.3.1) (2024-10-25)
+
+
+### Bug Fixes
+
+* **Trivy:** trivy scan fails when issues are found ([671b781](https://gitlab.com/to-be-continuous/python/commit/671b78142c08cdd5bbf1441a81705b96dbf0740f))
+* use right options for uv with extras deps ([354af5a](https://gitlab.com/to-be-continuous/python/commit/354af5ad8294ad8f3de3f7ad6aeaf8752d5f2625))
+
+# [7.3.0](https://gitlab.com/to-be-continuous/python/compare/7.2.0...7.3.0) (2024-10-15)
+
+
+### Features
+
+* **uv:** add uv support as a new build system ([8aeb20b](https://gitlab.com/to-be-continuous/python/commit/8aeb20b09347ff35398a4a707852a9cc17cc6842)), closes [#80](https://gitlab.com/to-be-continuous/python/issues/80)
+* **uv:** add uv support as a new build system ([d22ffba](https://gitlab.com/to-be-continuous/python/commit/d22ffbacb4228cb4ffdc6396bca9e43ad194bfff))
+
+# [7.2.0](https://gitlab.com/to-be-continuous/python/compare/7.1.1...7.2.0) (2024-10-04)
+
+
+### Bug Fixes
+
+* **release:** support full semantic-versioning specifcation (with prerelease and build metadata) ([08e9d7e](https://gitlab.com/to-be-continuous/python/commit/08e9d7e9f7f1bdd43a2070c9ee5abb16a8b8aaa0))
+* **trivy:** use --pkg-types instead of deprecated --vuln-type option ([5e0a0d2](https://gitlab.com/to-be-continuous/python/commit/5e0a0d2918fd7539bd2e1cb955e99ef5857db1f5))
+
+
+### Features
+
+* **trivy:** enable comprehensive priority ([322eb1b](https://gitlab.com/to-be-continuous/python/commit/322eb1b88c49d9a1662ad6b6199541f1a82860ef))
+
+## [7.1.1](https://gitlab.com/to-be-continuous/python/compare/7.1.0...7.1.1) (2024-10-03)
+
+
+### Bug Fixes
+
+* Poetry Build system test ([9505604](https://gitlab.com/to-be-continuous/python/commit/95056049e7ee8239b6358def7c594e7002036574))
+
+# [7.1.0](https://gitlab.com/to-be-continuous/python/compare/7.0.2...7.1.0) (2024-09-15)
+
+
+### Bug Fixes
+
+* check trivy activity to match new log format ([edd8fcf](https://gitlab.com/to-be-continuous/python/commit/edd8fcf71f1b251c467d6bbce6e8a190d4584dda))
+* pylint --ignore .cache not working now use find to exclude .cache ([e1463bc](https://gitlab.com/to-be-continuous/python/commit/e1463bc750fbd24b12d407267061d8ae8a3718f1))
+
+
+### Features
+
+* isort exclude .cache ([e333183](https://gitlab.com/to-be-continuous/python/commit/e333183ca48aa98baf9d510caf0c8f3f93d04b82))
+* remove unnecesary install when use poetry or pipenv ([f025c6d](https://gitlab.com/to-be-continuous/python/commit/f025c6df22d48bd735458fc478b18d2235a715a2))

 ## [7.0.2](https://gitlab.com/to-be-continuous/python/compare/7.0.1...7.0.2) (2024-05-20)


--- a/README.md
+++ b/README.md
--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."

  # replace in README
-  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
  mv -f README.md.next README.md

  # replace in template and variants

--- a/kicker.json
+++ b/kicker.json
@@ -21,7 +21,7 @@
      "name": "PYTHON_BUILD_SYSTEM",
      "description": "Python build-system to use to install dependencies, build and package the project",
      "type": "enum",
-      "values": ["auto", "setuptools", "poetry", "pipenv", "reqfile"],
+      "values": ["auto", "setuptools", "poetry", "pipenv", "reqfile", "uv"],
      "default": "auto",
      "advanced": true
    },
@@ -83,6 +83,12 @@
        }
      ]
    },
+    {
+      "id":"publish",
+      "name":"publish",
+      "description":"This job allows publishing the built packages to a PyPI compatible repository ([GitLab packages](https://docs.gitlab.com/ee/user/packages/pypi_repository/) by default.",
+      "enable_with": "PYTHON_PUBLISH_ENABLED"
+    },    
    {
      "id": "pylint",
      "name": "pylint",
@@ -192,7 +198,7 @@
    {
      "id": "trivy",
      "name": "Trivy",
-      "description": "Detect security vulnerabilities with [Trivy](https://github.com/aquasecurity/trivy/) (dependencies analysis)",
+      "description": "Detect security vulnerabilities with [Trivy](https://aquasecurity.github.io/trivy) (dependencies analysis)",
      "disable_with": "PYTHON_TRIVY_DISABLED",
      "variables": [
        {
@@ -202,8 +208,8 @@
        },
        {
          "name": "PYTHON_TRIVY_ARGS",
-          "description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)",
-          "default": "--vuln-type library",
+          "description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_filesystem/)",
+          "default": "--ignore-unfixed --pkg-types library --detection-priority comprehensive",
          "advanced": true
        },
        {
@@ -253,6 +259,12 @@
      "description": "Manually trigger a release of your code (uses [bumpversion](https://pypi.org/project/bumpversion/))",
      "enable_with": "PYTHON_RELEASE_ENABLED",
      "variables": [
+        {
+          "name": "PYTHON_AUTO_RELEASE_ENABLED",
+          "description": "When set the job start automatically. When not set (default), the job is manual. Note that this behavior also depends on release-enabled being set.",
+          "type": "boolean",
+          "advanced": true
+        },        
        {
          "name": "PYTHON_RELEASE_NEXT",
          "type": "enum",
@@ -375,6 +387,14 @@
        }
      ]
    },
+    {
+      "id": "ruff-format",
+      "name": "Ruff Format",
+      "description": "An extremely fast Python linter and code formatter, written in Rust. [Ruff](https://docs.astral.sh/ruff/)",
+      "enable_with": "RUFF_FORMAT_ENABLED",
+      "variables": [
+      ]
+    },
    {
      "id": "mypy",
      "name": "mypy",
@@ -459,6 +479,61 @@
          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
        }
      ]
+    },
+    {
+      "id": "aws-codeartifact",
+      "name": "AWS CodeArtifact",
+      "description": "Retrieves AWS CodeArtifact credentials",
+      "template_path": "templates/gitlab-ci-python-aws-codeartifact.yml",
+      "variables": [
+        {
+          "name": "TBC_AWS_PROVIDER_IMAGE",
+          "description": "The [AWS Auth Provider](https://gitlab.com/to-be-continuous/tools/aws-auth-provider) image to use",
+          "default": "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest",
+          "advanced": true
+        },
+        {
+          "name": "AWS_REGION",
+          "description": "Default region (where the codeartifact repository is located)"
+        },
+        {
+          "name": "AWS_OIDC_AUD",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "default": "$CI_SERVER_URL",
+          "advanced": true
+        },
+        {
+          "name": "AWS_OIDC_ROLE_ARN",
+          "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_"
+        },
+        {
+          "name": "AWS_ACCESS_KEY_ID",
+          "description": "Default access key ID (only required for basic authentication)",
+          "secret": true,
+          "advanced": true
+        },
+        {
+          "name": "AWS_SECRET_ACCESS_KEY",
+          "description": "Default secret access key (only required for basic authentication)",
+          "secret": true,
+          "advanced": true
+        },
+        {
+          "name": "AWS_CODEARTIFACT_DOMAIN",
+          "description": "The AWS CodeArtifact domain",
+          "mandatory": true
+        },
+        {
+          "name": "AWS_CODEARTIFACT_DOMAIN_OWNER",
+          "description": "The AWS CodeArtifact domain owner",
+          "mandatory": true
+        },
+        {
+          "name": "AWS_CODEARTIFACT_REPOSITORY",
+          "description": "The AWS CodeArtifact repository",
+          "mandatory": true
+        }
+      ]
    }
  ]
 }
--- a/templates/gitlab-ci-python-aws-codeartifact.yml
+++ b/templates/gitlab-ci-python-aws-codeartifact.yml
+# =====================================================================================================================
+# === AWS CodeArtifact Auth template variant
+# =====================================================================================================================
+spec:
+  inputs:
+    aws-codeartifact-domain:
+      description: AWS CodeArtifact domain name
+      default: ''
+    aws-codeartifact-domain-owner:
+      description: AWS CodeArtifact domain owner account ID
+      default: ''
+    aws-codeartifact-repository:
+      description: AWS CodeArtifact repository name
+      default: ''
+    aws-region:
+      description: Default region (where the Codeartifact registry is located)
+      default: ''
+    aws-oidc-aud:
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      default: $CI_SERVER_URL
+    aws-oidc-role-arn:
+      description: Default IAM Role ARN associated with GitLab _(only required for [OIDC
+        authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      default: ''
+---
+variables:
+  TBC_AWS_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:latest
+  AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
+  AWS_REGION: $[[ inputs.aws-region ]]
+  AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]]
+  AWS_CODEARTIFACT_DOMAIN: $[[ inputs.aws-codeartifact-domain ]]
+  AWS_CODEARTIFACT_DOMAIN_OWNER: $[[ inputs.aws-codeartifact-domain-owner ]]
+  AWS_CODEARTIFACT_REPOSITORY: $[[ inputs.aws-codeartifact-repository ]]
+
+
+.codeartifact-pip-config:
+  before_script:
+    - CODEARTIFACT_URL=https://aws:${PYTHON_REPOSITORY_PASSWORD}@${PYTHON_REPOSITORY_URL#https://}simple
+    - pip config set global.index-url $CODEARTIFACT_URL
+
+.python-base:
+  services:
+    - name: "$TBC_TRACKING_IMAGE"
+      command: ["--service", "python", "7.3.0"]
+    - name: "$TBC_AWS_PROVIDER_IMAGE"
+      alias: "aws-auth-provider"
+  id_tokens:
+    # required for OIDC auth
+    AWS_JWT:
+      aud: "$AWS_OIDC_AUD"
+  variables:
+    PYTHON_REPOSITORY_USERNAME: aws
+    PYTHON_REPOSITORY_PASSWORD: "@url@http://aws-auth-provider/codeartifact/auth/token"
+    PYTHON_REPOSITORY_URL: "@url@http://aws-auth-provider/codeartifact/repository/endpoint?format=pypi"
+    AWS_JWT: "$AWS_JWT"
+  before_script:
+    - !reference [.python-scripts]
+    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
+    - cd ${PYTHON_PROJECT_DIR}
+    - guess_build_system
+    - !reference [.codeartifact-pip-config, before_script]
--- a/templates/gitlab-ci-python-gcp.yml
+++ b/templates/gitlab-ci-python-gcp.yml
@@ -44,7 +44,7 @@ variables:
  image: $PYTHON_IMAGE
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "python", "7.0.2"]
+      command: ["--service", "python", "7.7.1"]
  variables:
    GCP_JWT: $GCP_JWT
  before_script:

--- a/templates/gitlab-ci-python-vault.yml
+++ b/templates/gitlab-ci-python-vault.yml
@@ -22,7 +22,7 @@ variables:
 .python-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "python", "7.0.2"]
+      command: ["--service", "python", "7.7.1"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml