diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d8b0bfee0..5bf500ba1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,8 @@ updates: actions: patterns: - "*"
+ # Python
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..91b18fe79
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main", "*" ]
+ pull_request:
+ branches: [ "main", "*" ]
+ schedule:
+ - cron: '35 23 * * 5'
+ workflow_call:
+ inputs:
+ ref:
+ required: true
+ type: string
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ timeout-minutes: 360
+ permissions:
+ # required for all workflows
+ security-events: write
+ # required to fetch internal or private CodeQL packs
+ packages: read
+ actions: read
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: 3.x
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: python
+ build-mode: none
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ queries: security-extended
+ config: |
+ paths-ignore:
+ - '.github/**'
+ - 'tests/**'
+
+ - shell: bash
+ run: |
+ pip install -e .
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:python"
diff --git a/.github/workflows/dist.yml b/.github/workflows/dist.yml
new file mode 100644
index 000000000..4fe653bb3
--- /dev/null
+++ b/.github/workflows/dist.yml
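Review bot: The unnamed `- shell: bash` / `run: pip install -e .` step near the end of the hunk executes the checked-out package's build hooks on the runner for whatever `ref` the caller passes, and as far as I know the CodeQL Python extractor with `build-mode: none` does not need the project installed, so the step looks like dead weight that only widens what code the job runs. If it is kept deliberately, give it a `name:` and a comment stating why, e.g. `# Installed so CodeQL can resolve imports of this package`. Separately, `branches: [ "main", "*" ]` on both `push` and `pull_request` is redundant, since `"*"` already matches `main`; either drop `"main"` or narrow the filter to what you actually want scanned. `ref: ${{ inputs.ref }}` is empty on the push, pull_request and schedule triggers, which actions/checkout appears to treat as "use the triggering ref"; a one-line comment saying so would save the next reader a lookup.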
@@ -0,0 +1,37 @@
+name: Python Dist
+
+on:
+ workflow_dispatch:
+ workflow_call:
+ inputs:
+ ref:
+ required: true
+ type: string
+ push:
+ tags:
+ - "[0-9]+.[0-9]+.[0-9]+"
+ - "[0-9]+.[0-9]+.[0-9]+.post[0-9]+"
+ - "[0-9]+.[0-9]+.[0-9]+[a-b][0-9]+"
+ - "[0-9]+.[0-9]+.[0-9]+rc[0-9]+"
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ environment: release
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: 3.x
+ - name: Install dependencies
+ run: pip install build
+ - name: Create packages
+ run: python -m build .
+ - name: Store package artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: all-dist-${{ github.run_id }}
+ path: "dist/*"
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
new file mode 100644
index 000000000..d9f7667c9
--- /dev/null
+++ b/.github/workflows/release-python.yml
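Review bot: The `build` job declares no `permissions:` block, so its GITHUB_TOKEN carries the repository's default permissions even though the job only checks out, runs `python -m build .` and uploads an artifact; add `permissions:` with `contents: read` at the job level so the token cannot do more than that. `environment: release` on the same job references no environment secrets anywhere in this hunk, so its only visible effect is to apply the release environment's protection rules to every matching tag push and every workflow_dispatch; if that gating is intended, a comment saying so would help, otherwise it can be dropped from the build job. `ref: ${{ inputs.ref }}` is empty on the `push` tag trigger and checkout then presumably falls back to the pushed tag, which is worth a comment since the fallback is implicit.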
@@ -0,0 +1,95 @@
+name: Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "The new version to set"
+ required: true
+ following_version:
+ description: "The post (dev) version to set"
+ required: false
+ dry_run:
+ description: "Dry Run?"
+ default: false
+ type: boolean
+
+env:
+ # Changes per repo
+ PRODUCT_NAME: django-mongodb
+ # Changes per branch
+ SILK_ASSET_GROUP: django-mongodb-main
+ EVERGREEN_PROJECT: django-mongodb
+
+defaults:
+ run:
+ shell: bash -eux {0}
+
+jobs:
+ pre-publish:
+ environment: release
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+ outputs:
+ version: ${{ steps.pre-publish.outputs.version }}
+ steps:
+ - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+ with:
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+ - uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: ${{ vars.AWS_REGION_NAME }}
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+ artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
+ - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
+ id: pre-publish
+ with:
+ version: ${{ inputs.version }}
+ dry_run: ${{ inputs.dry_run }}
+
+ build-dist:
+ needs: [pre-publish]
+ uses: ./.github/workflows/dist.yml
+ with:
+ ref: ${{ needs.pre-publish.outputs.version }}
+
+ static-scan:
+ needs: [pre-publish]
+ uses: ./.github/workflows/codeql.yml
+ with:
+ ref: ${{ needs.pre-publish.outputs.version }}
+
+ publish:
+ needs: [build-dist, static-scan]
+ runs-on: ubuntu-latest
+ environment: release
+ permissions:
+ id-token: write
+ contents: write
+ attestations: write
+ security-events: write
+ steps:
+ - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+ with:
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+ - uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: ${{
vars.AWS_REGION_NAME }}
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+ artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
+ - uses: mongodb-labs/drivers-github-tools/python/publish@v2
+ with:
+ version: ${{ inputs.version }}
+ following_version: ${{ inputs.following_version }}
+ product_name: ${{ env.PRODUCT_NAME }}
+ silk_asset_group: ${{ env.SILK_ASSET_GROUP }}
+ evergreen_project: ${{ env.EVERGREEN_PROJECT }}
+ token: ${{ github.token }}
+ repository_url: https://test.pypi.org/legacy/
+ dry_run: ${{ inputs.dry_run }}
diff --git a/pyproject.toml b/pyproject.toml
index d41371041..4fd41fef0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,10 +1,10 @@ [build-system]
-requires = ["setuptools>=65.0"]
-build-backend = "setuptools.build_meta"
+requires = ["hatchling", "hatch-requirements-txt>=0.4.1"]
+build-backend = "hatchling.build" [project] name = "django-mongodb"
-dynamic = ["version"]
+dynamic = ["version", "dependencies"] description = "MongoDB backend for Django" readme = "README.md" license = {file="LICENSE"}
@@ -31,10 +31,6 @@ classifiers = [ "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", ]
-dependencies = [
- "django>=5.0,<5.1",
- "pymongo>=4.6,<5.0",
-] [project.optional-dependencies] docs = [ "sphinx>=7"]
@@ -45,8 +41,12 @@ Documentation = "https://django-mongodb.readthedocs.io" Source = "https://github.com/mongodb-labs/django-mongodb" Tracker = "https://github.com/mongodb-labs/django-mongodb/issues"
-[tool.setuptools.dynamic]
-version = {attr = "django_mongodb.__version__"}
+[tool.hatch.version]
+path = "django_mongodb/__init__.py"
+validate-bump = false
+
+[tool.hatch.metadata.hooks.requirements_txt]
+files = ["requirements.txt"] [tool.mypy] strict = true
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 000000000..214677f9a
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+# NOTE: this needs to change per branch to track the django version.
+django>=5.0,<5.1
+pymongo>=4.6,<5.0
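Review bot: The `static-scan` job calls `./.github/workflows/codeql.yml` without a `permissions:` block, and a reusable workflow cannot be granted more than the calling job has, so the `security-events: write` that the callee's `analyze` job declares is only available if this repository's default GITHUB_TOKEN permissions are the permissive preset; with a read-only default the SARIF upload in `Perform CodeQL Analysis` would presumably fail at release time, which is the worst moment to find out. Declare what the callee needs on the caller job, as below, and give `build-dist` an explicit `permissions:` with `contents: read` for the same reason. `repository_url: https://test.pypi.org/legacy/` on the publish step targets Test PyPI, presumably a deliberate staging choice while the workflow is new; a comment such as `# Staging target; switch to the production index once the workflow is validated` would stop it being mistaken for the production release path.
```yaml
  static-scan:
    needs: [pre-publish]
    uses: ./.github/workflows/codeql.yml
    permissions:
      security-events: write
      packages: read
      actions: read
      contents: read
    with:
      ref: ${{ needs.pre-publish.outputs.version }}
```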
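Review bot: In the first pyproject.toml hunk, `requires = ["hatchling", "hatch-requirements-txt>=0.4.1"]` leaves both build requirements unbounded above, so each release build resolves whatever version the index serves at that moment and the dist job's `python -m build .` runs against it; an upper bound or a pin on both would make a release reproducible from the tag alone (the replaced `setuptools>=65.0` had the same gap, so this is pre-existing rather than introduced). In the third hunk, `validate-bump = false` disables hatch's check that a new version is greater than the current one; if that is required for the post/dev versions the release workflow sets, a one-line comment above it saying so, e.g. `# Allow the release workflow to set a lower post/dev version after publishing`, would keep the next maintainer from re-enabling it.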
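Review bot: Missing documentation in the new requirements.txt: the `[tool.hatch.metadata.hooks.requirements_txt]` table in pyproject.toml now turns this file into the package's published runtime dependencies, and the NOTE comment only mentions the per-branch django pin. Extend it so nobody adds development or test tooling here expecting it to stay local, e.g. `# NOTE: hatch reads this file into the package's runtime dependencies (see pyproject.toml); the django pin changes per branch.`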