Merge remote-tracking branch 'origin/dev' into CLIENT-2790-deprecate-value_byte_size

Author: juliannguyen4

.build.yml

@@ -2,14 +2,14 @@ name: aerospike-client-python
 
 container:
   - base:
-      - docker.qe.aerospike.com/build/aerospike-client-python:manylinux2014
-      - docker.qe.aerospike.com/build/aerospike-client-python:arm-manylinux2014
+      - docker.qe.aerospike.com/build/aerospike-client-python:manylinux_2_28
+      - docker.qe.aerospike.com/build/aerospike-client-python:arm-manylinux_2_28
 
 build:
   - name: build
     environment:
-      PYTHONS: /opt/python/cp38-cp38/bin,/opt/python/cp39-cp39/bin,/opt/python/cp310-cp310/bin,/opt/python/cp311-cp311/bin,/opt/python/cp312-cp312/bin,/opt/python/cp313-cp313/bin
+      PYTHONS: /opt/python/cp310-cp310/bin,/opt/python/cp311-cp311/bin,/opt/python/cp312-cp312/bin,/opt/python/cp313-cp313/bin,/opt/python/cp314-cp314/bin
     script:
-      - scripts/manylinux2014build.sh
+      - scripts/manylinux2_28_build.sh
     artifact:
       - /work/wheels/*.whl

.flake8

@@ -4,4 +4,5 @@ max-line-length = 120
 extend-ignore = E203
 filename =
     ./aerospike_helpers/**/*.py,
-    ./test/**/*.py
+    ./test/new_tests/**/*.py
+    ./test/standalone/**/*.py

.github/actions/get-artifact-for-stage-tests/action.yml

@@ -49,7 +49,7 @@ runs:
     run: echo "GITHUB_ARTIFACT_NAME=${{ env.PYTHON_TAG }}-${{ inputs.wheel_os }}_${{ inputs.wheel_cpu_arch }}.build" >> $GITHUB_ENV
     shell: bash
 
-  - uses: actions/download-artifact@v4
+  - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
     if: ${{ inputs.get_from_jfrog == 'false' }}
     with:
       name: ${{ env.GITHUB_ARTIFACT_NAME }}
@@ -70,7 +70,7 @@ runs:
   # End codepath that downloads artifacts from Github
   # Begin codepath that downloads from JFrog
 
-  - uses: jfrog/setup-jfrog-cli@v4
+  - uses: jfrog/setup-jfrog-cli@5b06f730cc5a6f55d78b30753f8583454b08c0aa # v4.8.1
     if: ${{ inputs.get_from_jfrog == 'true' }}
     env:
       JF_URL: ${{ inputs.JFROG_PLATFORM_URL }}

.github/actions/run-ee-server/action.yml

@@ -4,88 +4,73 @@ description: 'Run EE server. Returns once server is ready. Only tested on Linux
 # since it's using the default admin / admin credentials
 inputs:
   # All inputs in composite actions are strings
-  use-server-rc:
-    required: true
-    description: Deploy server release candidate?
-    default: 'false'
-  server-tag:
-    required: true
-    description: Specify Docker tag
-    default: 'latest'
+  registry-name:
+    description: Registry name
+    required: false
+    default: docker.io
+  registry-username:
+    description: Required for using release candidates
+    required: false
   # Github Composite Actions can't access secrets
   # so we need to pass them in as inputs
-  docker-hub-username:
+  registry-password:
     description: Required for using release candidates
     required: false
-  docker-hub-password:
-    description: Required for using release candidates
+  image-name:
     required: false
+    description: aerospike/aerospike-server-enterprise
+    default: 'aerospike/aerospike-server-enterprise'
+  server-tag:
+    required: true
+    description: Specify Docker tag
+    default: 'latest'
   where-is-client-connecting-from:
     required: false
     description: 'docker-host, separate-docker-container, "remote-connection" via DOCKER_HOST'
     default: 'docker-host'
+  env-vars:
+    required: false
+    description: Used to disable server features
+    default: 'STRONG_CONSISTENCY=1 SECURITY=1 MUTUAL_TLS=1'
 
 runs:
   using: "composite"
   steps:
   # Start up server
 
-  - name: Log into Docker Hub to get server RC
-    if: ${{ inputs.use-server-rc == 'true' }}
-    run: docker login --username ${{ inputs.docker-hub-username }} --password ${{ inputs.docker-hub-password }}
-    shell: bash
-
-  - run: echo IMAGE_NAME=aerospike/aerospike-server-enterprise${{ inputs.use-server-rc == 'true' && '-rc' || '' }}:${{ inputs.server-tag }} >> $GITHUB_ENV
-    shell: bash
+  - name: Log into registry to get non-public server RCs
+    # We can still pull public images while logged in, so just do this all the time to make things simple
+    uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+    with:
+      registry: ${{ inputs.registry-name }}
+      username: ${{ inputs.registry-username }}
+      password: ${{ inputs.registry-password }}
 
-  - run: echo NEW_IMAGE_NAME=${{ env.IMAGE_NAME }}-python-client-testing >> $GITHUB_ENV
+  - run: echo IMAGE_FULL_NAME=${{ inputs.registry-name }}/${{ inputs.image-name }}:${{ inputs.server-tag }} >> $GITHUB_ENV
     shell: bash
 
-  # macOS Github runners and Windows self-hosted runners don't have buildx installed by default
-  - if: ${{ runner.os == 'Windows' || runner.os == 'macOS' }}
-    uses: docker/setup-buildx-action@v3
-
   - run: echo CA_CERT_FILE_NAME="ca.cer" >> $GITHUB_ENV
     shell: bash
 
   - run: echo TLS_PORT="4333" >> $GITHUB_ENV
     shell: bash
 
-  - name: Build Aerospike server Docker image for testing
-    # We enable TLS standard authentication to verify that the OpenSSL library bundled with the wheel works
-    # You can manually verify this by enabling debug logging in the client and checking that the server certificate was verified
-    uses: docker/build-push-action@v6
-    with:
-      # Don't want to use default Git context or else it will clone the whole Python client repo again
-      context: .github/workflows/docker-build-context
-      build-args: |
-        SERVER_IMAGE=${{ env.IMAGE_NAME }}
-        TLS_PORT=${{ env.TLS_PORT }}
-      tags: ${{ env.NEW_IMAGE_NAME }}
-      # setup-buildx-action configures Docker to use the docker-container build driver
-      # This driver doesn't publish an image locally by default
-      # so we have to manually enable it
-      load: true
-
-  - run: echo SERVER_CONTAINER_NAME="aerospike" >> $GITHUB_ENV
-    shell: bash
-
-  - run: docker run -d --name ${{ env.SERVER_CONTAINER_NAME }} -p 3000:3000 -p ${{ env.TLS_PORT }}:${{ env.TLS_PORT }} ${{ env.NEW_IMAGE_NAME }}
-    shell: bash
-
   - name: 'macOS: install timeout command'
     if: ${{ runner.os == 'macOS' }}
     run: brew install coreutils
     shell: bash
 
-  - name: Wait for container to be healthy
-    run: |
-      timeout 30s bash -c 'until [[ "$(docker inspect -f {{.State.Health.Status}} ${{ env.SERVER_CONTAINER_NAME }})" == "healthy" ]]; do sleep 0.1; done'
+  # Github composite actions don't support env variables for the whole composite action,
+  # so this is a workaround
+  - id: get-container-name
+    run: echo container-name=aerospike >> $GITHUB_OUTPUT
     shell: bash
 
-  # For debugging
-  - run: docker logs ${{ env.SERVER_CONTAINER_NAME }}
+  - run: ${{ inputs.env-vars }} bash ./run-ee-server.bash
+    working-directory: .github/workflows/docker-setup
     shell: bash
+    env:
+      CONTAINER_NAME: ${{ steps.get-container-name.outputs.container-name }}
 
   # Configure tests
 
@@ -113,7 +98,10 @@ runs:
       crudini --existing=param --set config.conf enterprise-edition password ${{ env.SUPERUSER_NAME_AND_PASSWORD }}
       crudini --set config.conf tls enable true
       # Cannot use abs path because config.conf is copied into Docker container during cibuildwheel tests
-      crudini --set config.conf tls cafile ../.github/workflows/docker-build-context/${{ env.CA_CERT_FILE_NAME }}
+      crudini --set config.conf tls cafile ../.github/workflows/docker-setup/${{ env.CA_CERT_FILE_NAME }}
+      crudini --set config.conf tls keyfile ../.github/workflows/docker-setup/client.pem
+      crudini --set config.conf tls certfile ../.github/workflows/docker-setup/client.cer
+
     working-directory: test
     shell: bash
 
@@ -133,19 +121,19 @@ runs:
 
   - name: Set IP address to Docker container for the server
     if: ${{ inputs.where-is-client-connecting-from == 'separate-docker-container' }}
-    run: echo SERVER_IP=$(docker container inspect -f '{{ .NetworkSettings.IPAddress }}' ${{ env.SERVER_CONTAINER_NAME }}) >> $GITHUB_ENV
+    run: echo SERVER_IP=$(docker container inspect -f '{{ .NetworkSettings.IPAddress }}' ${{ steps.get-container-name.outputs.container-name }}) >> $GITHUB_ENV
     shell: bash
 
   - name: Invalid input
     if: ${{ env.SERVER_IP == '' }}
     run: exit 1
     shell: bash
 
-  - name: Get cluster name
-    run: echo CLUSTER_NAME=$(docker exec ${{ env.SERVER_CONTAINER_NAME }} asinfo -v "get-config:context=service" -l | grep -i cluster-name | cut -d = -f 2) >> $GITHUB_ENV
-    shell: bash
-
-  - name: Set EE server's IP address
-    run: crudini --existing=param --set config.conf enterprise-edition hosts "${{ env.SERVER_IP }}:${{ env.TLS_PORT }}|${{ env.CLUSTER_NAME }}"
+  # Here we just assume that TLS is enabled. Whenever the dev tests are run with run-ee-server.yml, TLS is enabled anyways.
+  # TODO: but this needs to be fixed eventually for other clients that disable TLS for their tests.
+  - name: Set EE server's IP address and TLS name for test config
+    run: |
+      cluster_name=$(docker run --rm --network host aerospike/aerospike-tools asinfo -U admin -P admin -v "get-config:context=service" -l | grep -i cluster-name | cut -d = -f 2)
+      crudini --existing=param --set config.conf enterprise-edition hosts "${{ env.SERVER_IP }}:${{ env.TLS_PORT }}|${cluster_name}"
     working-directory: test
     shell: bash

.github/actions/wait-for-ce-server-to-start/action.yml

@@ -12,15 +12,11 @@ runs:
   - run: echo WAIT_SCRIPT_FILE_NAME=wait-for-as-server-to-start.bash >> $GITHUB_ENV
     shell: bash
 
-  - name: Copy wait script in server Docker container
-    run: docker cp $WAIT_SCRIPT_FILE_NAME ${{ inputs.container-name }}:/
-    working-directory: .github/workflows/docker-build-context
-    shell: bash
-
   # There is no healthcheck by default in the server CE Docker image.
   # We can just reuse our wait script. because the CE server should be ready after it finishes.
   - name: Wait for EE server to start
     # Composite actions doesn't support step-level timeout-minutes, so we use timeout command.
     # Call bash shell explicitly since timeout uses "sh" shell by default, for some reason
-    run: docker exec ${{ inputs.container-name }} timeout 30s bash /$WAIT_SCRIPT_FILE_NAME
+    run: timeout 30s bash $WAIT_SCRIPT_FILE_NAME
     shell: bash
+    working-directory: .github/workflows/docker-setup

.github/dependabot.yml

@@ -9,3 +9,9 @@ updates:
       # Check for updates to GitHub Actions every weekday
       interval: "daily"
     target-branch: "dev"
+  - package-ecosystem: "pip"
+    directories:
+      - "**/*"
+    schedule:
+      interval: "daily"
+    target-branch: "dev"

.github/workflows/build-and-run-stage-tests.yml

@@ -1,14 +1,19 @@
 name: Build artifacts and run stage tests
-run-name: Build artifacts and run stage tests (use-server-rc=${{ inputs.use-server-rc }}, server-tag=${{ inputs.server-tag }}, test-macos-x86=${{ inputs.test-macos-x86 }})
+run-name: Build artifacts and run stage tests (registry-name=${{ inputs.registry-name }}, server-tag=${{ inputs.server-tag }}, test-macos-x86=${{ inputs.test-macos-x86 }})
 
 on:
   workflow_dispatch:
     inputs:
-      use-server-rc:
-        type: boolean
-        required: true
-        default: false
-        description: 'Test against server release candidate?'
+      registry-name:
+        type: string
+        required: false
+        description: Registry name
+        default: 'docker.io'
+      image-name:
+        type: string
+        required: false
+        description: Image name
+        default: 'aerospike/aerospike-server-enterprise'
       server-tag:
         type: string
         required: true
@@ -27,7 +32,10 @@ jobs:
         platform-tag: [
           "manylinux_x86_64",
           "manylinux_aarch64",
-          "macosx_x86_64"
+          # For macos 15
+          "macosx_x86_64",
+          # For macos 26
+          "macosx_arm64"
         ]
       # Need all the artifacts to run all the stage tests, so fail fast
     uses: ./.github/workflows/build-wheels.yml
@@ -50,6 +58,7 @@ jobs:
     secrets: inherit
     with:
       use_jfrog_builds: false
-      use-server-rc: ${{ inputs.use-server-rc }}
+      registry-name: ${{ inputs.registry-name }}
+      image-name: ${{ inputs.image-name }}
       server-tag: ${{ inputs.server-tag }}
       test-macos-x86: ${{ inputs.test-macos-x86 }}

.github/workflows/build-artifacts.yml

@@ -1,5 +1,5 @@
 name: Build artifacts
-run-name: Build artifacts (run_tests=${{ inputs.run_tests }}, use-server-rc=${{ inputs.use-server-rc }}, server-tag=${{ inputs.server-tag }})
+run-name: Build artifacts (run_tests=${{ inputs.run_tests }}, registry-name=${{ inputs.registry-name }}, server-tag=${{ inputs.server-tag }})
 
 # Builds manylinux wheels and source distribution
 # Optionally run tests on manylinux wheels
@@ -24,11 +24,16 @@ on:
         required: true
         type: boolean
         default: false
-      use-server-rc:
-        type: boolean
+      registry-name:
+        type: string
         required: true
-        default: false
-        description: 'Test against server release candidate? (e.g to test new server features)'
+        description: Registry name
+        default: 'docker.io'
+      image-name:
+        type: string
+        required: true
+        description: Image name
+        default: 'aerospike/aerospike-server-enterprise'
       server-tag:
         type: string
         required: true
@@ -68,10 +73,14 @@ on:
         type: boolean
         required: false
         default: false
-      use-server-rc:
+      registry-name:
+        type: string
         required: false
-        default: false
-        type: boolean
+        default: 'docker.io'
+      image-name:
+        type: string
+        required: false
+        default: 'aerospike/aerospike-server-enterprise'
       server-tag:
         type: string
         required: false
@@ -112,8 +121,9 @@ jobs:
       sha-to-build-and-test: ${{ inputs.is_workflow_call == true && inputs.sha-to-build-and-test || github.sha }}
       unoptimized: ${{ inputs.unoptimized }}
       include-debug-info-for-macos: ${{ inputs.include-debug-info-for-macos }}
+      registry-name: ${{ inputs.registry-name }}
+      image-name: ${{ inputs.image-name }}
       run_tests: ${{ inputs.run_tests }}
-      use-server-rc: ${{ inputs.use-server-rc }}
       server-tag: ${{ inputs.server-tag }}
       test-file: ${{ inputs.test-file }}
     secrets: inherit

.github/workflows/build-sdist.yml

@@ -19,19 +19,24 @@ jobs:
     name: Build source distribution
     runs-on: ubuntu-22.04
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+      with:
+        egress-policy: audit
+
     - name: Show job status for commit
       # Commit status will already be shown by the calling workflow for push and pull request events, but not
       # for any other event like workflow_dispatch. so we have to do it manually
       # If workflow_call triggered this job, github.event_name will inherit the event of the calling workflow
       # The calling workflow can be triggered by push or pull request events, so there's that
       # https://github.com/actions/runner/issues/3146#issuecomment-2000017097
       if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }}
-      uses: myrotvorets/[email protected].0
+      uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
       with:
         sha: ${{ env.COMMIT_SHA_TO_BUILD }}
         context: ${{ env.STATUS_CHECK_MESSAGE }}
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         submodules: recursive
         ref: ${{ env.COMMIT_SHA_TO_BUILD }}
@@ -44,13 +49,13 @@ jobs:
       run: python3 -m build --sdist
 
     - name: Upload source distribution to GitHub
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         path: ./dist/*.tar.gz
         name: sdist.build
 
     - name: Set final commit status
-      uses: myrotvorets/[email protected].0
+      uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
       # Always run even if job failed or is cancelled
       # But we don't want to show anything if the calling workflow was triggered by these events
       if: ${{ always() && github.event_name != 'push' && github.event_name != 'pull_request' }}