add Makefile and enable local CI tests

Author: yeoldegrove

.github/actions/setup/action.yml

@@ -1,17 +1,25 @@
 name: python_lib
 description: Installs the given GardenLinux Python library
 inputs:
-  version:
-    description: GardenLinux Python library version
-    default: "main"
+    version:
+        description: GardenLinux Python library version
+        default: "main"
+    dev:
+        description: Install development dependencies
+        default: false
 runs:
-  using: composite
-  steps:
-    - name: Set up Python 3.13
-      uses: actions/setup-python@v5
-      with:
-        python-version: "3.13"
-    - name: Install GardenLinux Python library
-      shell: bash
-      run: |
-        pip install git+https://github.com/gardenlinux/python-gardenlinux-lib.git@${{ inputs.version }}
+    using: composite
+    steps:
+        - name: Set up Python 3.13
+          uses: actions/setup-python@v5
+          with:
+              python-version: "3.13"
+        - name: Install GardenLinux Python library
+          shell: bash
+          run: |
+              pip install git+https://github.com/gardenlinux/python-gardenlinux-lib.git@${{ inputs.version }}
+        - name: Install GardenLinux Python library
+          if: inputs.dev == true
+          shell: bash
+          run: |
+              make install-dev

.github/workflows/bandit.yml

@@ -1,41 +1,33 @@
 name: security checks
 on:
-  push:
-    paths-ignore:
-      - 'README.md'
-      - 'docs/**'
-      - '**/README.md'
-  pull_request:
-    paths-ignore:
-      - 'README.md'
-      - 'docs/**'
-      - '**/README.md'
+    push:
+        paths-ignore:
+            - "README.md"
+            - "docs/**"
+            - "**/README.md"
+    pull_request:
+        paths-ignore:
+            - "README.md"
+            - "docs/**"
+            - "**/README.md"
 permissions:
-  contents: read
+    contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-      with:
-        python-version: "3.12"
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install bandit
-
-    - name: Simple bandit security checks
-      run: bandit -ll -ii -r . -f json -o bandit-report.json
-
-    - name: Show Report in Action Output
-      if: always()
-      run: cat bandit-report.json
-
-    - name: Upload Bandit Scan Artifact
-      uses: actions/upload-artifact@v4
-      if: always()
-      with:
-        name: bandit-findings
-        path: bandit-report.json
-
+      - uses: actions/checkout@v4
+      - uses: .github/actions/setup/action.yml
+        with:
+          dev: true
+      - name: Simple bandit security checks
+        run: make security
+      - name: Show Report in Action Output
+        if: always()
+        run: cat bandit-report.json
+      - name: Upload Bandit Scan Artifact
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+            name: bandit-findings
+            path: bandit-report.json

.github/workflows/black.yml

@@ -7,4 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: psf/black@stable
+      - uses: .github/actions/setup/action.yml
+        with:
+          dev: true
+      - run: make lint

.github/workflows/build.yml

@@ -2,28 +2,23 @@ name: Build
 on:
   push:
     paths-ignore:
-      - 'README.md'
-      - 'docs/**'
-      - '**/README.md'
+      - "README.md"
+      - "docs/**"
+      - "**/README.md"
   pull_request:
     paths-ignore:
-      - 'README.md'
-      - 'docs/**'
-      - '**/README.md'
+      - "README.md"
+      - "docs/**"
+      - "**/README.md"
 permissions:
   contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-      with:
-        python-version: "3.12"
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install poetry
-    - name: Simple poetry build no package
-      run: poetry build
-
+      - uses: actions/checkout@v4
+      - uses: .github/actions/setup/action.yml
+        with:
+          dev: true
+      - name: Simple poetry build no package
+        run: make build

.github/workflows/docs.yml

@@ -3,23 +3,17 @@ name: Update Sphinx documentation
 on: [push, pull_request, workflow_dispatch]
 
 permissions:
-  contents: write
+    contents: write
 
 jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-      - name: Install dependencies
-        run: |
-          pip install sphinx poetry
-      - name: Sphinx build
-        run: |
-          python -m venv venv
-          source venv/bin/activate
-          poetry install
-          sphinx-build docs _build
+      - uses: .github/actions/setup/action.yml
+        with:
+          dev: true
+      - run: make docs
       - name: Deploy to GitHub Pages
         uses: peaceiris/actions-gh-pages@v4
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}

.github/workflows/pytests.yml

@@ -9,30 +9,12 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
-
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          submodules: 'true'
-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: .github/actions/setup/action.yml
         with:
-          python-version: '3.12'
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install poetry
-      - name: Install dependencies
-        run: poetry install
-      - name: Install Zot (OCI Registry)
+          dev: true
+      - name: Run tests
         run: |
-          sudo wget -O /usr/bin/zot https://github.com/project-zot/zot/releases/download/v2.1.0/zot-linux-amd64
-          sudo chmod +x /usr/bin/zot
-          sudo chown root:root /usr/bin/zot
-      - name: Run tests with pytest
-        run: |
-          export GLOCI_REGISTRY_USERNAME="gardenlinux"
           export GLOCI_REGISTRY_TOKEN="invalid"
-          poetry run pytest -k "not kms"
-
+          make test

.gitignore

@@ -162,3 +162,9 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 .idea/
+
+# bandit
+bandit-report.json
+
+# zot
+test-data/zot

Makefile

@@ -0,0 +1,78 @@
+.PHONY: build install install-dev install-docs test format lint security docs clean help
+
+POETRY := poetry
+
+help:
+	@echo "Available targets:"
+	@echo "  build        - Build the package"
+	@echo "  install      - Install the package and dependencies"
+	@echo "  install-dev  - Install the package and dev dependencies"
+	@echo "  test         - Run tests"
+	@echo "  format       - Format code with black"
+	@echo "  lint         - Run linting checks"
+	@echo "  security     - Run security checks with bandit"
+	@echo "  docs         - Build the documentation"
+	@echo "  clean        - Clean build artifacts and cache"
+	@echo "  help         - Show this help message"
+
+build:
+	$(POETRY) build
+
+install:
+	$(POETRY) install
+
+install-dev:
+	which $(POETRY) || pip install poetry
+	$(POETRY) install --with dev
+
+install-docs:
+	$(POETRY) install --with dev,docs
+
+test-deps:
+	@if [ ! -f ./test-data/zot ]; then \
+		if [ "$(shell uname)" = "Darwin" ] && [ "$(shell uname -m)" = "arm64" ]; then \
+			curl -L -o ./test-data/zot https://github.com/project-zot/zot/releases/download/v2.1.0/zot-darwin-arm64; \
+		elif [ "$(shell uname)" = "Linux" ] && [ "$(shell uname -m)" = "x86_64" ]; then \
+			curl -L -o ./test-data/zot https://github.com/project-zot/zot/releases/download/v2.1.0/zot-linux-amd64; \
+		else \
+			echo "Unsupported platform or architecture"; \
+			exit 1; \
+		fi; \
+	fi
+	chmod +x ./test-data/zot
+	rm -rf test-data/gardenlinux
+	git submodule update --init --recursive
+
+test: install-dev test-deps
+	$(POETRY) run pytest -k "not kms"
+
+format: install-dev
+	$(POETRY) run black --extend-exclude test-data/gardenlinux .
+
+lint: install-dev
+	$(POETRY) run black --check --extend-exclude test-data/gardenlinux .
+
+security: install-dev
+	@if [ "$(CI)" = "true" ]; then \
+		$(POETRY) run bandit -ll -ii -r . -f json -o bandit-report.json ; \
+	else \
+		$(POETRY) run bandit -r . ; \
+	fi
+
+docs: install-docs
+	$(POETRY) run sphinx-build docs _build
+
+clean:
+	rm -rf build/
+	rm -rf dist/
+	rm -rf *.egg-info/
+	rm -rf .eggs/
+	rm -rf .pytest_cache/
+	rm -rf .coverage
+	rm -rf htmlcov/
+	find . -type d -name __pycache__ -exec rm -rf {} +
+	find . -type f -name "*.pyc" -delete
+	find . -type f -name "*.pyo" -delete
+	find . -type f -name "*.pyd" -delete
+	rm -rf test-data/zot
+	cd test-data/gardenlinux && git reset --hard

cert/gencert.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 
 search_and_print_directories() {