[MISC] Sync up changes from 14 (#928)

* Update charmcraft.yaml build tools (#903)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Update canonical/data-platform-workflows action to v31.0.1 (#902)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* [DPE-6344] LDAP IV: Define pebble service (#897)

* Update ghcr.io/canonical/charmed-postgresql:14.17-22.04_edge Docker digest to 5f8d51a (#908)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* [DPE-6344] LDAP V: Define mapping option (#900)

* Update charmcraft.yaml build tools (#912)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* [DPE-6910] Remove duplicate parameters specification (#896)

* Remove duplicate parameters specification

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Enable config test

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix linting

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

---------

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* [MISC] Conditional checksum calculation (#901)

* Conditional checksum calculation

* Converge s3 resource creation

* Tactically deployed sleep

* Early fail

* Update charmcraft.yaml build tools (#916)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Create SECURITY.md (#914)

* Update pull_request_template.md (#918)

* [MISC] Add missing connection vars (#920)

* Update README file's security section (#921)

* Add empty lines after headings

* Update security section

* Update link to make it clear that's not GitHub issues

* [DPE-6218] Static code analysis (#915)

* Create actionlint.yaml

* Create tiobe_scan.yaml

* Add push event to trigger the workflow once

* Install libpq-dev

* Remove push event

* Test adding unit venv to PATH

* Test sourcing unit venv

* Fix sourcing

* Test installing dependencies

* Activate virtual environment

* Add poetry dependency

* Fix TICS auth token variable

* Move results to the right folder

* Delete .github/actionlint.yaml

* Install ops

* Install dependencies through poetry

* Install extra dependencies

* Install dependencies from all groups

* Remove unnecessary step

* Remove permission

* Remove push trigger

* Add double quotes to environment variables

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add push trigger

* Remove push trigger

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

---------

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Update dependency uv to v0.6.14 (#924)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

---------

Signed-off-by: Marcelo Henrique Neppel <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Sinclert Pérez <[email protected]>
Co-authored-by: Marcelo Henrique Neppel <[email protected]>
Co-authored-by: Andreia <[email protected]>
Co-authored-by: Vladimir Izmalkov <[email protected]>

Author: 6 people

.github/pull_request_template.md

@@ -1,4 +1,7 @@
 ## Issue
 
-
 ## Solution
+
+## Checklist
+- [ ] I have added or updated any relevant documentation.
+- [ ] I have cleaned any remaining cloud resources from my accounts.

.github/workflows/tiobe_scan.yaml

@@ -0,0 +1,44 @@
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+name: Weekly TICS scan
+
+on:
+  schedule:
+    - cron: "0 2 * * 6" # Every Saturday 2:00 AM UTC
+  workflow_dispatch:
+
+jobs:
+  TICS:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create and activate virtual environment
+        run: |
+          python3 -m venv .venv
+          . .venv/bin/activate
+          pip install flake8 poetry pylint pytest tox
+          poetry install --all-groups
+          echo PATH="$PATH" >> "$GITHUB_ENV"
+
+      - name: Run coverage tests
+        run: |
+          tox -e unit
+
+      - name: Move results to the necessary folder for TICS
+        run: |
+          mkdir -p .cover
+          mv coverage.xml .cover/cobertura.xml
+
+      - name: TICS GitHub Action
+        uses: tiobe/tics-github-action@v3
+        with:
+          mode: qserver
+          project: postgresql-k8s-operator
+          viewerUrl: https://canonical.tiobe.com/tiobeweb/TICS/api/cfg?name=default
+          branchdir: ${{ env.GITHUB_WORKSPACE }}
+          ticsAuthToken: ${{ secrets.TICSAUTHTOKEN }}
+          installTics: true
+          calc: ALL

README.md

@@ -95,18 +95,24 @@ juju relate postgresql-k8s:db finos-waltz-k8s
 **Note:** The endpoint `db-admin` provides the same legacy interface `pgsql` with PostgreSQL admin-level privileges. It is NOT recommended to use it from security point of view.
 
 ## OCI Images
+
 This charm uses pinned and tested version of the [charmed-postgresql](https://github.com/canonical/charmed-postgresql-rock/pkgs/container/charmed-postgresql) rock.
 
 ## Security
-Security issues in the Charmed PostgreSQL K8s Operator can be reported through [LaunchPad](https://wiki.ubuntu.com/DebuggingSecurity#How%20to%20File). Please do not file GitHub issues about security issues.
+
+Security issues in the Charmed PostgreSQL K8s Operator can be reported through [private security reports](https://github.com/canonical/postgresql-k8s-operator/security/advisories/new) on GitHub.
+For more information, see the [Security policy](SECURITY.md).
 
 ## Contributing
+
 Please see the [Juju SDK docs](https://juju.is/docs/sdk) for guidelines on enhancements to this charm following best practice guidelines, and [CONTRIBUTING.md](https://github.com/canonical/postgresql-k8s-operator/blob/main/CONTRIBUTING.md) for developer guidance.
 
 ## License
+
 The Charmed PostgreSQL K8s Operator [is distributed](https://github.com/canonical/postgresql-k8s-operator/blob/main/LICENSE) under the Apache Software License, version 2.0.
 It installs/operates/depends on [PostgreSQL](https://www.postgresql.org/ftp/source/), which [is licensed](https://www.postgresql.org/about/licence/) under PostgreSQL License, a liberal Open Source license, similar to the BSD or MIT licenses.
 
 ## Trademark Notice
+
 PostgreSQL is a trademark or registered trademark of PostgreSQL Global Development Group.
 Other trademarks are property of their respective owners.

SECURITY.md

@@ -0,0 +1,25 @@
+# Security policy
+
+## What qualifies as a security issue
+
+Credentials leakage, outdated dependencies with known vulnerabilities, and
+other issues that could lead to unprivileged or unauthorized access to the
+database or the system.
+
+## Reporting a vulnerability
+
+The easiest way to report a security issue is through
+[GitHub](https://github.com/canonical/postgresql-k8s-operator/security/advisories/new). See
+[Privately reporting a security
+vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
+for instructions.
+
+The repository admins will be notified of the issue and will work with you
+to determine whether the issue qualifies as a security issue and, if so, in
+which component. We will then handle figuring out a fix, getting a CVE
+assigned and coordinating the release of the fix.
+
+The [Ubuntu Security disclosure and embargo
+policy](https://ubuntu.com/security/disclosure-policy) contains more
+information about what you can expect when you contact us, and what we
+expect from you.

lib/charms/postgresql_k8s/v0/postgresql.py

@@ -35,7 +35,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 48
+LIBPATCH = 49
 
 # Groups to distinguish HBA access
 ACCESS_GROUP_IDENTITY = "identity_access"
@@ -626,6 +626,7 @@ def list_access_groups(self) -> Set[str]:
         Returns:
             List of PostgreSQL database access groups.
         """
+        connection = None
         try:
             with self._connect_to_database() as connection, connection.cursor() as cursor:
                 cursor.execute(
@@ -646,6 +647,7 @@ def list_users(self) -> Set[str]:
         Returns:
             List of PostgreSQL database users.
         """
+        connection = None
         try:
             with self._connect_to_database() as connection, connection.cursor() as cursor:
                 cursor.execute("SELECT usename FROM pg_catalog.pg_user;")
@@ -664,6 +666,7 @@ def list_users_from_relation(self) -> Set[str]:
         Returns:
             List of PostgreSQL database users.
         """
+        connection = None
         try:
             with self._connect_to_database() as connection, connection.cursor() as cursor:
                 cursor.execute(

poetry.lock

@@ -8,7 +8,7 @@ requires-poetry = ">=2.0.0"
 [tool.poetry.dependencies]
 python = "^3.10"
 ops = "^2.18.1"
-boto3 = "^1.35.99"
+boto3 = "^1.37.22"
 pgconnstr = "^1.0.1"
 requests = "^2.32.3"
 tenacity = "^9.0.0"