Merge pull request #5 from Expensify/cole/paramiko

coleaeason · web-flow · commit ab0bb44be84f · 2026-01-22T09:37:36.000-05:00
Fork fab-classic to support packaged saltfab
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -36,7 +36,7 @@ jobs:
 
     container: "python:${{matrix.imgtag}}"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: System dependencies
         run: |
           apt-get -q -y update
@@ -47,7 +47,7 @@ jobs:
         run: |
           pip install -r dev-requirements.txt
           pip install "$PARAMIKO"
-          if [ "$(echo $PARAMIKO | cut -d= -f1)" != paramiko-ng ]; then
+          if [ "$(echo "$PARAMIKO" | cut -d= -f1)" != paramiko-ng ]; then
             export PARAMIKO_REPLACE=1
           fi
           pip install -e .
@@ -67,7 +67,7 @@ jobs:
       - name: Test
         run: |
           export USER=root HOME=/root
-          eval $(ssh-agent)
+          eval "$(ssh-agent)"
           ssh-add ~/.ssh/testkey
           script -e -q -c "fab test"                          /dev/null
           script -e -q -c "fab -H localhost test:integration" /dev/null
@@ -78,7 +78,7 @@ jobs:
     container: "python:3.9-bookworm"
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install dependencies
         run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,80 @@
+# This workflow is used to release the python-libs package to the expensify index.
+# It uses "trusted publishing" which is a python index feature that allows for
+# Github and other CI providers to self authenticate and publish packages to the index.
+# See https://docs.pyx.dev/trusted-publishing/ for more information.
+#
+# The name of this file is important, it must be named release.yml as part of the trusted
+# publishing setup, if you change the file name you will have to update the trusted publishing
+# setup in pyx.dev.
+name: Release
+
+# Only allow one release job to run at a time
+# this prevents a race condition where two merges occur
+# which causes two version bumps and then the releases
+# being done out of order.
+concurrency: release
+
+# Create a release on any new tag which is a valid version number.
+on:
+  push:
+    tags:
+      - '*.*.*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout in private repos
+
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24 # v7.1.1
+
+      - name: Build distributions
+        run: uv build
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: dists
+          path: dist/
+          if-no-files-found: error
+
+  pyx-publish:
+    needs: [build]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout in private repos
+      id-token: write # for Trusted Publishing to pyx
+
+    # Deploy environment requires that certain conditions are met for this code to run.
+    # These conditions are configured in the repo settings. This below string is also
+    # used in the trusted publishing setup in pyx.dev.
+    environment: pyx.dev
+
+    steps:
+      # This checkout might seem useless but it lets the uv step below use the uv cache.
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Download distributions
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          name: dists
+          path: dist/
+
+      - uses: astral-sh/pyx-auth-action@08873fa2b19cf2361327222bea1657faed760ae2 # v0.0.6
+        id: auth
+        with:
+          workspace: expensify
+          registry: main
+
+      - run: uv publish dist/*
+        env:
+          UV_PUBLISH_URL: ${{ steps.auth.outputs.url }}
+          UV_PUBLISH_TOKEN: ${{ steps.auth.outputs.token }}
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
@@ -0,0 +1,98 @@
+name: Bump version
+
+# Don't let more than one version bump job run at a time
+# this prevents a race condition where two merges occur
+# at the same time and the version bump of the first one is not
+# finished before the second one starts, then they will both
+# try to bump to the same version.
+concurrency: version
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  version:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor != 'botify-app[bot]' }} # prevent infinite loop
+    steps:
+      - name: Generate a GitHub App token
+        id: generateAppToken
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ vars.BOTIFY_APP_CLIENT_ID }}
+          private-key: ${{ secrets.BOTIFY_APP_PRIVATE_KEY }}
+
+      # This step setups up the git config which is then used later to push the tag.
+      # Auth for the repo is setup at this step, so we need to pass the bot token
+      # in so that it does not use the GITHUB_TOKEN when the tag is pushed. This
+      # allows this workflow to trigger another workflow from the tag event.
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: main
+          token: ${{ steps.generateAppToken.outputs.token }}
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Get merged pull request
+        id: getMergedPullRequest
+        run: |
+          echo "ORIGINAL_PR_URL=$(gh pr list --state merged --json 'mergeCommit,url' --jq '.[] | select(.mergeCommit.oid | contains("${{ github.sha }}")) | .url')" >> "$GITHUB_ENV"
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Bumps the version and automatically locks and syncs.
+      - name: Bump version
+        id: bump-version
+        run: ./scripts/bump-version.sh
+        shell: bash
+
+      - name: Created signed commit and push tags
+        run: |
+          set -euxo pipefail
+          VERSION="$(uv version --short)"
+          readonly VERSION
+
+          # Push commits for the updated files
+          for FILE in pyproject.toml uv.lock ; do
+            MESSAGE="Update $FILE version to $VERSION"
+            SHA=$(git rev-parse "main:$FILE")
+            # Create a file with the base64 encoded content
+            base64 -i "$FILE" > "base64.txt"
+            NEW_COMMIT_SHA=$(gh api --method PUT "/repos/:owner/:repo/contents/$FILE" \
+              --field message="$MESSAGE" \
+              --field content="@base64.txt" \
+              --field encoding="base64" \
+              --field branch="main" \
+              --field sha="$SHA" \
+              --jq '.commit.sha')
+          done
+
+          # Set up git user info so we can push a tag
+          # botify-app[bot] GitHub App ID can be found here: https://api.github.com/users/botify-app[bot]
+          git config --global user.name "botify-app[bot]"
+          git config --global user.email "208549588+botify-app[bot]@users.noreply.github.com"
+
+          # Fetch the commit that was made via the API
+          git fetch origin main
+
+          # Tag new_commit_sha with our new version
+          git tag -a "$VERSION" "$NEW_COMMIT_SHA" -m "$VERSION"
+
+          # Push the new tag
+          git push origin tag "$VERSION"
+        shell: bash
+        env:
+          GH_TOKEN: ${{ steps.generateAppToken.outputs.token }}
+
+      - name: Comment on PR
+        run: |
+          gh pr comment ${{ env.ORIGINAL_PR_URL }} --body ":rocket: Released in version $(uv version --short) :rocket:"
+        env:
+          GH_TOKEN: ${{ steps.generateAppToken.outputs.token }}
+        shell: bash
diff --git a/.python-version b/.python-version
@@ -0,0 +1 @@
+3.12
diff --git a/pyproject.toml b/pyproject.toml
@@ -0,0 +1,74 @@
+[project]
+name = "fab-classic"
+version = "1.20.2"
+description = "fab-classic is a simple, Pythonic tool for remote execution and deployment."
+readme = "README.rst"
+requires-python = ">=3.5"
+authors =[{ name = "Jeff Forcier", email = "jeff@bitprophet.org" }]
+maintainers = [{ name = "Pierce Lopez", email = "pierce.lopez@gmail.com" }]
+urls = { Homepage = "https://github.com/ploxiln/fab-classic" }
+dependencies = [
+    "paramiko>=2.0"
+]
+
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Intended Audience :: System Administrators",
+    "License :: OSI Approved :: BSD License",
+    "Operating System :: MacOS :: MacOS X",
+    "Operating System :: POSIX",
+
+    # Only allow publishing to expensify's private index
+    "Private :: pyx :: expensify",
+]
+
+[project.scripts]
+fab = "fabric.main:main"
+
+[build-system]
+# We don't specify a specific version of uv_build because the below constraints allow
+# uv to use the version bundled with uv instead of having to install a standalone
+# package to build with. `uv` and all of astral's products use semantic versioning
+# so by requiring anything less than the next minor version means we won't get
+# any breaking changes automatically but we will get bug fixes and improvements.
+# If the bundled version is outside of these constraints, uv will auto download
+# a compatible version.
+requires = ["uv_build>=0.9.17,<0.10.0"]
+build-backend = "uv_build"
+
+[tool.uv.build-backend]
+module-name = ["fabric"]
+module-root = ""
+
+[[tool.uv.index]]
+name = "expensify"
+url = "https://api.pyx.dev/simple/expensify/main"
+publish-url = "https://api.pyx.dev/v1/upload/expensify/main"
+
+# This makes it so that uv will only use the expensify index for
+# any package that is listed in the sources section below. All others
+# will be pulled from the default index (pypi)
+explicit = true
+
+[tool.uv.sources]
+fudge = { git = "https://github.com/ploxiln/fudge", branch = "py3" }
+
+[dependency-groups]
+dev = [
+    "flake8==7.3.0 ; python_full_version >= '3.9'",
+    "fudge",
+    "jinja2<4.0",
+    "nose-py3>=1.9.0",
+]
+doc = [
+    "alabaster==0.7.12",
+    "docutils==0.16",
+    "markupsafe==1.1.1",
+    "pygments==2.7.4",
+    "releases==1.6.3",
+    "semantic-version==2.6.0",
+    "sphinx==1.8.5",
+]
+
diff --git a/setup.py b/setup.py
@@ -8,7 +8,10 @@
 long_description = open("README.rst").read()
 
 # set PARAMIKO_REPLACE=1 to require "paramiko" instead of "paramiko-ng"
-paramiko = 'paramiko' if os.environ.get('PARAMIKO_REPLACE') else 'paramiko-ng'
+# FORKED FROM MAIN: we are hard coding this to paramiko because paramiko-ng
+# is broken -- see https://github.com/ploxiln/paramiko-ng/issues/130 and 
+# https://github.com/ploxiln/paramiko-ng/pull/149
+paramiko = 'paramiko' # if os.environ.get('PARAMIKO_REPLACE') else 'paramiko-ng'
 
 setup(
     name='fab-classic',
diff --git a/uv.lock b/uv.lock
