add Makefile and enable local CI tests

Author: yeoldegrove

.github/workflows/bandit.yml

@@ -1,41 +1,31 @@
 name: security checks
 on:
-  push:
-    paths-ignore:
-      - 'README.md'
-      - 'docs/**'
-      - '**/README.md'
-  pull_request:
-    paths-ignore:
-      - 'README.md'
-      - 'docs/**'
-      - '**/README.md'
+    push:
+        paths-ignore:
+            - "README.md"
+            - "docs/**"
+            - "**/README.md"
+    pull_request:
+        paths-ignore:
+            - "README.md"
+            - "docs/**"
+            - "**/README.md"
 permissions:
-  contents: read
+    contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-      with:
-        python-version: "3.12"
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install bandit
-
-    - name: Simple bandit security checks
-      run: bandit -ll -ii -r . -f json -o bandit-report.json
-
-    - name: Show Report in Action Output
-      if: always()
-      run: cat bandit-report.json
-
-    - name: Upload Bandit Scan Artifact
-      uses: actions/upload-artifact@v4
-      if: always()
-      with:
-        name: bandit-findings
-        path: bandit-report.json
-
+      - uses: actions/checkout@v4
+      - uses: gardenlinux/python-gardenlinux-lib/.github/actions/setup@main
+      - name: Simple bandit security checks
+        run: make security
+      - name: Show Report in Action Output
+        if: always()
+        run: cat bandit-report.json
+      - name: Upload Bandit Scan Artifact
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+            name: bandit-findings
+            path: bandit-report.json

.github/workflows/black.yml

@@ -7,4 +7,5 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: psf/black@stable
+      - uses: gardenlinux/python-gardenlinux-lib/.github/actions/setup@main
+      - run: make lint

.github/workflows/build.yml

@@ -2,28 +2,21 @@ name: Build
 on:
   push:
     paths-ignore:
-      - 'README.md'
-      - 'docs/**'
-      - '**/README.md'
+      - "README.md"
+      - "docs/**"
+      - "**/README.md"
   pull_request:
     paths-ignore:
-      - 'README.md'
-      - 'docs/**'
-      - '**/README.md'
+      - "README.md"
+      - "docs/**"
+      - "**/README.md"
 permissions:
   contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-      with:
-        python-version: "3.12"
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install poetry
-    - name: Simple poetry build no package
-      run: poetry build
-
+      - uses: actions/checkout@v4
+      - uses: gardenlinux/python-gardenlinux-lib/.github/actions/setup@main
+      - name: Simple poetry build no package
+        run: make build

.github/workflows/docs.yml

@@ -3,23 +3,15 @@ name: Update Sphinx documentation
 on: [push, pull_request, workflow_dispatch]
 
 permissions:
-  contents: write
+    contents: write
 
 jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-      - name: Install dependencies
-        run: |
-          pip install sphinx poetry
-      - name: Sphinx build
-        run: |
-          python -m venv venv
-          source venv/bin/activate
-          poetry install
-          sphinx-build docs _build
+      - uses: gardenlinux/python-gardenlinux-lib/.github/actions/setup@main
+      - run: make docs
       - name: Deploy to GitHub Pages
         uses: peaceiris/actions-gh-pages@v4
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}

.github/workflows/pytests.yml

@@ -9,30 +9,10 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
-
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          submodules: 'true'
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install poetry
-      - name: Install dependencies
-        run: poetry install
-      - name: Install Zot (OCI Registry)
+      - uses: actions/checkout@v4
+      - uses: gardenlinux/python-gardenlinux-lib/.github/actions/setup@main
+      - name: Run tests
         run: |
-          sudo wget -O /usr/bin/zot https://github.com/project-zot/zot/releases/download/v2.1.0/zot-linux-amd64
-          sudo chmod +x /usr/bin/zot
-          sudo chown root:root /usr/bin/zot
-      - name: Run tests with pytest
-        run: |
-          export GLOCI_REGISTRY_USERNAME="gardenlinux"
           export GLOCI_REGISTRY_TOKEN="invalid"
-          poetry run pytest -k "not kms"
-
+          make test

.gitignore

@@ -162,3 +162,9 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 .idea/
+
+# bandit
+bandit-report.json
+
+# zot
+test-data/zot

cert/gencert.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 
 search_and_print_directories() {

hack/print_feature_extensions.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 echo "This will take a while. Building for the following targets:"
 

test-data/build-test-data.sh

@@ -1,14 +1,49 @@
-from .helper import call_command
+import json
 import os
-import tempfile
-from .helper import spawn_background_process
-import sys
 import shutil
-import json
+import subprocess
+import sys
+import tempfile
+
 import pytest
 from dotenv import load_dotenv
 
-GL_ROOT_DIR = "test-data/gardenlinux"
+from .helper import call_command, spawn_background_process
+
+TEST_DATA_DIR = "test-data"
+GL_ROOT_DIR = f"{TEST_DATA_DIR}/gardenlinux"
+CERT_DIR = f"{TEST_DATA_DIR}/cert"
+
+
+def generate_test_certificates():
+    """Generate self-signed certificates for testing"""
+    os.makedirs(CERT_DIR, exist_ok=True)
+    key_path = os.path.join(CERT_DIR, "oci-sign.key")
+    cert_path = os.path.join(CERT_DIR, "oci-sign.crt")
+    cmd = [
+        "openssl",
+        "req",
+        "-x509",
+        "-newkey",
+        "rsa:4096",
+        "-keyout",
+        key_path,
+        "-out",
+        cert_path,
+        "-days",
+        "365",
+        "-nodes",
+        "-subj",
+        "/CN=Garden Linux test signing key for oci",
+    ]
+    try:
+        subprocess.run(cmd, check=True)
+        # Set proper permissions
+        os.chmod(key_path, 0o600)
+        print(f"Generated test certificates in {CERT_DIR}")
+    except subprocess.CalledProcessError as e:
+        print(f"Error generating certificates: {e}")
+        raise
 
 
 def write_zot_config(config_dict, file_path):
@@ -33,7 +68,7 @@ def zot_session():
 
     print(f"Spawning zot registry with config {zot_config_file_path}")
     zot_process = spawn_background_process(
-        f"zot serve {zot_config_file_path}",
+        f"{TEST_DATA_DIR}/zot serve {zot_config_file_path}",
         stdout=sys.stdout,
         stderr=sys.stderr,
     )
@@ -50,12 +85,12 @@ def zot_session():
 
 
 def pytest_sessionstart(session):
-    call_command("./cert/gencert.sh")
+    generate_test_certificates()
     call_command("./test-data/build-test-data.sh --dummy")
 
 
 def pytest_sessionfinish(session):
-    if os.path.isfile("./cert/oci-sign.crt"):
-        os.remove("./cert/oci-sign.crt")
-    if os.path.isfile("./cert/oci-sign.key"):
-        os.remove("./cert/oci-sign.key")
+    if os.path.isfile(CERT_DIR + "/oci-sign.crt"):
+        os.remove(CERT_DIR + "/oci-sign.crt")
+    if os.path.isfile(CERT_DIR + "/oci-sign.key"):
+        os.remove(CERT_DIR + "/oci-sign.key")