Setup basic project config (#7)

Author: uittenbroekrobbert

.devcontainer/devcontainer.json

@@ -16,14 +16,17 @@
         "streetsidesoftware.code-spell-checker",
         "redhat.vscode-yaml",
         "charliermarsh.ruff",
-        "github.vscode-github-actions"
+        "github.vscode-github-actions",
+        "mhutchie.git-graph"
       ],
       "settings": {
         "editor.formatOnPaste": false,
         "editor.formatOnSave": true,
         "editor.formatOnType": true,
+        "editor.renderWhitespace": "boundary",
         "files.trimTrailingWhitespace": true,
         "terminal.integrated.inheritEnv": true,
+        "debug.toolBarLocation": "commandCenter",
         "terminal.integrated.profiles.linux": {
           "zsh": {
             "path": "/usr/bin/zsh"

.dockerignore

@@ -12,4 +12,3 @@ __pycache__/
 *$py.class
 
 .venv
-

.github/dependabot.yml

@@ -8,8 +8,11 @@ updates:
       time: "08:00"
       timezone: "Europe/Amsterdam"
     labels:
-      - "github-actions"
       - "dependencies"
+    groups:
+      allgithubactions:
+        patterns:
+        - "*"
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -19,8 +22,11 @@ updates:
       time: "08:00"
       timezone: "Europe/Amsterdam"
     labels:
-      - "pip"
       - "dependencies"
+    groups:
+      allpip:
+        patterns:
+        - "*"
 
   - package-ecosystem: "devcontainers"
     directory: "/"
@@ -30,5 +36,8 @@ updates:
       time: "08:00"
       timezone: "Europe/Amsterdam"
     labels:
-      - "devcontainers"
       - "dependencies"
+    groups:
+      alldevcontainers:
+        patterns:
+        - "*"

.github/workflows/ci.yml

@@ -0,0 +1,211 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - 'main'
+
+env:
+  REGISTRY: ghcr.io
+  POETRY_CACHE_DIR: ~/.cache/pypoetry
+  IMAGE_NAME: ${{ github.repository }}
+  PYTHON_VERSION: "3.11"
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install poetry
+        run: pipx install poetry
+
+      - name: Set up Python ${{ env.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: "poetry"
+
+      - name: Install dependencies
+        run: poetry install
+
+      - name: run ruff
+        run: poetry run ruff check --output-format=github
+
+      - name: Run format
+        run: poetry run ruff format --check
+
+      - name: Run pyright
+        run: poetry run pyright
+
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install poetry
+        run: pipx install poetry
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: "poetry"
+
+      - name: Install dependencies
+        run: poetry install
+
+      - name: Generate SBOM
+        run: poetry run cyclonedx-py poetry > sbom.json
+
+      - name: Generate licenses file
+        run: |
+          poetry run pip-licenses  --order=license --format=json --with-description > licenses.txt
+
+      - name: Upload SBOM and licenses
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-licenses-${{ github.sha }}.json
+          path: |
+            sbom.json
+            licenses.txt
+          if-no-files-found: error
+          overwrite: true
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: trivy.yaml
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install poetry
+        run: pipx install poetry
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "poetry"
+
+      - name: Install dependencies
+        run: poetry install
+
+      - name: Run pytest
+        run: poetry run coverage run -m pytest
+
+      - name: run coverage report
+        run: poetry run coverage report
+
+      - name: run coverage html
+        run: poetry run coverage html
+
+      - name: Upload code coverage report
+        if: matrix.python-version == '3.11'
+        uses: actions/upload-artifact@v4
+        with:
+          name: codecoverage-${{ github.sha }}
+          path: htmlcov/
+          if-no-files-found: error
+          overwrite: true
+
+      - name: run coverage xml
+        run: poetry run coverage xml
+
+      - name: SonarCloud Scan
+        if: matrix.python-version == '3.11'
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+
+  build:
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+      security-events: write
+      actions: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64,darwin/amd64
+
+      - name: Run Trivy vulnerability scanner
+        if: github.event_name != 'pull_request'
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          trivy-config: trivy.yaml
+          scan-type: image
+          exit-code: 0
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        env:
+          TRIVY_USERNAME: ${{ github.actor }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: github.event_name != 'pull_request'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  notifyMattermost:
+    runs-on: ubuntu-latest
+    needs: [lint, security, test, build ]
+    if: ${{ always() && contains(needs.*.result, 'failure') }}
+    steps:
+      - uses: mattermost/action-mattermost-notify@master
+        if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+        with:
+          MATTERMOST_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }}
+          MATTERMOST_CHANNEL: dev
+          TEXT: |
+            ${{ github.repository }} failed build @here :unamused:
+            :rotating_light: [Pipeline](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) failed :fire:
+          MATTERMOST_USERNAME: ${{ github.triggering_actor }}

.github/workflows/codeql.yml

@@ -8,31 +8,25 @@ on:
 
 jobs:
   analyze:
-    name: Analyze (${{ matrix.language }})
+    name: Analyze (python)
     runs-on: 'ubuntu-latest'
     timeout-minutes: 360
     permissions:
       security-events: write
       packages: read
       actions: read
       contents: read
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-        - language: python
-          build-mode: none
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
-      
+
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:
-        languages: ${{ matrix.language }}
-        build-mode: ${{ matrix.build-mode }}
+        languages: python
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
       with:
-        category: "/language:${{matrix.language}}"
+        category: "/language:python"

.github/workflows/first-interaction.yml

@@ -5,6 +5,7 @@ on: [pull_request, issues]
 jobs:
   greeting:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       issues: write
       pull-requests: write

.github/workflows/stale.yml

@@ -7,8 +7,9 @@ on:
 jobs:
   stale:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
-      contents: write # only for delete-branch option
+      contents: write
       issues: write
       pull-requests: write
     steps:

.gitignore

@@ -3,6 +3,8 @@ __pycache__/
 *.py[cod]
 *$py.class
 
+# poetry build
+dist/
 
 # Unit test / coverage reports
 .coverage
@@ -22,6 +24,5 @@ __pypackages__/
 # ruff linter
 .ruff_cache/
 
-
-
-
+#mypyr
+.mypy_cache/

.pre-commit-config.yaml

@@ -18,10 +18,6 @@ repos:
     hooks:
       - id: ruff
       - id: ruff-format
-  - repo: https://github.com/RobertCraigie/pyright-python
-    rev: v1.1.359
-    hooks:
-      - id: pyright
 
 ci:
   autofix_prs: false