Merge branch 'main' into dependabot/pip/dev-utils/certifi-2025.1.31

Author: xrmx

.ci/.matrix_framework_fips.yml

@@ -0,0 +1,23 @@
+# this is a limited list of matrix builds to be used for PRs
+# see .matrix_framework_full.yml for a full list
+FRAMEWORK:
+  - none
+  - django-5.0
+  - flask-3.0
+  - jinja2-3
+  - opentelemetry-newest
+  - opentracing-newest
+  - twisted-newest
+  - celery-5-flask-2
+  - celery-5-django-5
+  - requests-newest
+  - psutil-newest
+  - gevent-newest
+  - aiohttp-newest
+  - tornado-newest
+  - starlette-newest
+  - graphene-2
+  - httpx-newest
+  - httplib2-newest
+  - prometheus_client-newest
+  - sanic-newest

.ci/.matrix_framework_full.yml

@@ -46,6 +46,7 @@ FRAMEWORK:
   - pymongo-3.3
   - pymongo-3.4
   - pymongo-3.5
+  - pymongo-3.6
   - pymongo-newest
   - redis-3
   - redis-2

.ci/.matrix_python_fips.yml

@@ -0,0 +1,2 @@
+VERSION:
+  - python-3.12

.github/workflows/docs-build.yml

@@ -0,0 +1,19 @@
+name: docs-build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request_target: ~
+  merge_group: ~
+
+jobs:
+  docs-preview:
+    uses: elastic/docs-builder/.github/workflows/preview-build.yml@main
+    with:
+      path-pattern: docs/**
+    permissions:
+      deployments: write
+      id-token: write
+      contents: read
+      pull-requests: read

.github/workflows/docs-cleanup.yml

@@ -0,0 +1,14 @@
+name: docs-cleanup
+
+on:
+  pull_request_target:
+    types:
+      - closed
+
+jobs:
+  docs-preview:
+    uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@main
+    permissions:
+      contents: none
+      id-token: write
+      deployments: write

.github/workflows/release.yml

@@ -119,7 +119,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 
       - name: Log in to the Elastic Container registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -146,7 +146,7 @@ jobs:
 
       - name: Build and push image
         id: docker-push
-        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
+        uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497  # v6.14.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64

.github/workflows/test-fips.yml

@@ -0,0 +1,69 @@
+
+# run test suite inside a FIPS 140 container
+name: test-fips
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 4 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  create-matrix:
+    runs-on: ubuntu-24.04
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: generate
+        uses: elastic/oblt-actions/version-framework@v1
+        with:
+          versions-file: .ci/.matrix_python_fips.yml
+          frameworks-file: .ci/.matrix_framework_fips.yml
+
+  test-fips:
+    needs: create-matrix
+    runs-on: ubuntu-24.04
+    # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
+    # docker run -it --rm --name fipsy docker.elastic.co/wolfi/python-fips:3.12
+    container:
+      image: docker.elastic.co/wolfi/python-fips:3.12-dev
+      options: --user root
+      credentials:
+        username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
+        password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      max-parallel: 10
+      matrix: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: check that python has fips mode enabled
+        run: |
+          python3 -c 'import _hashlib; assert _hashlib.get_fips_mode() == 1'
+      - name: install run_tests.sh requirements
+        run: apk add netcat-openbsd tzdata
+      - name: Run tests
+        run: ./tests/scripts/run_tests.sh
+        env:
+          FRAMEWORK: ${{ matrix.framework }}
+
+  notify-on-failure:
+    if: always()
+    runs-on: ubuntu-24.04
+    needs: test-fips
+    steps:
+      - id: check
+        uses: elastic/oblt-actions/check-dependent-jobs@v1
+        with:
+          jobs: ${{ toJSON(needs) }}
+      - name: Notify in Slack
+        if: steps.check.outputs.status == 'failure'
+        uses: elastic/oblt-actions/slack/notify-result@v1
+        with:
+          bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          status: ${{ steps.check.outputs.status }}
+          channel-id: "#apm-agent-python"

.tool-versions

@@ -1 +1 @@
-updatecli v0.93.0
+updatecli v0.94.1

tests/config/tests.py

@@ -278,7 +278,10 @@ def test_file_is_readable_validator_not_a_file(tmpdir):
     assert "is not a file" in e.value.args[0]
 
 
-@pytest.mark.skipif(platform.system() == "Windows", reason="os.access() doesn't seem to work as we expect on Windows")
+@pytest.mark.skipif(
+    platform.system() == "Windows" or os.getuid() == 0,
+    reason="os.access() doesn't seem to work as we expect on Windows and test will fail as root user",
+)
 def test_file_is_readable_validator_not_readable(tmpdir):
     p = tmpdir.join("nonreadable")
     p.write("")

tests/docker-compose.yml

@@ -46,6 +46,13 @@ services:
     volumes:
       - pymongodata36:/data/db
 
+  mongodb40:
+    image: mongo:4.0
+    ports:
+      - "27017:27017"
+    volumes:
+      - pymongodata40:/data/db
+
   memcached:
     image: memcached
 
@@ -198,6 +205,8 @@ volumes:
     driver: local
   pymongodata36:
     driver: local
+  pymongodata40:
+    driver: local
   pyesdata7:
     driver: local
   pyesdata8: