Import configuration enhancements from python-project-template

Signed-off-by: Gaëtan Lehmann <[email protected]>

Author: glehmann

.github/workflows/code-checkers.yml

@@ -2,13 +2,17 @@ name: Static code checkers
 
 on: [push]
 
+permissions: {}
+
 jobs:
   mypy:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
       with:
         version: "0.7.x"
     - name: Install dependencies
@@ -22,8 +26,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
       with:
         version: "0.7.x"
     - name: Install dependencies
@@ -35,15 +41,38 @@ jobs:
 
   ruff:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # needed for SARIF uploads
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
       with:
         version: "0.7.x"
     - name: Install dependencies
       run: uv sync --frozen
     - name: Create a dummy data.py
       run: cp data.py-dist data.py
     - name: Check with ruff
-      run: uv run ruff check lib/ tests/
+      run: uv run ruff check lib/ tests/ --output-format sarif > results.sarif  
+    - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f  # v3.28.18
+      with:
+        sarif_file: results.sarif
+        category: ruff
+
+  flake8:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
+    - name: Install uv
+      uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
+      with:
+        version: "0.7.x"
+    - name: Install dependencies
+      run: uv sync --frozen
+    - name: flake8
+      run: uv run flake8

.github/workflows/format.yml

@@ -2,18 +2,22 @@ name: Check jobs consistency
 
 on: [push]
 
+permissions: {}
+
 jobs:
   jobs-check:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
       with:
         version: "0.7.x"
     - name: Install dependencies
-      run: uv sync --frozen
+      run: uv sync --frozen --no-dev
     - name: Create a dummy data.py
       run: cp data.py-dist data.py
     - name: jobs-check
-      run: uv run ./jobs.py check
+      run: uv run --no-dev ./jobs.py check

.github/workflows/jobs-check.yml

@@ -2,16 +2,20 @@ name: Check requirements file consistency
 
 on: [push]
 
+permissions: {}
+
 jobs:
   requirements-check:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
       with:
         version: "0.7.x"
     - name: Install dependencies
-      run: uv sync --frozen
-    - run: uv run ./requirements/update_requirements.py
+      run: uv sync --frozen --no-dev
+    - run: uv run --no-dev ./requirements/update_requirements.py
     - run: git diff --exit-code

.github/workflows/requirements-check.yml

@@ -2,24 +2,28 @@ name: Check test-sequences consistency
 
 on: [push]
 
+permissions: {}
+
 jobs:
   jobs-check:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
       with:
         version: "0.7.x"
     - name: Install dependencies
-      run: uv sync --frozen
+      run: uv sync --frozen --no-dev
     - name: Create a dummy data.py
       run: cp data.py-dist data.py
     - name: jobs-check
       run: |
         FAILURES=""
         for seq in $(find -name "*.lst"); do
-          if ! uv run pytest @$seq --collect-only --quiet; then
+          if ! uv run --no-dev pytest @$seq --collect-only --quiet; then
             FAILURES="$FAILURES $seq"
           fi
         done

.github/workflows/test-sequences.yml

@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on: [push]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor latest
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # needed for SARIF uploads
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
+      - run: uvx zizmor --format=sarif . > results.sarif 
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+      - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f  # v3.28.18
+        with:
+          sarif_file: results.sarif
+          category: zizmor

.github/workflows/zizmor.yml

@@ -3,7 +3,7 @@ name = "xcp-ng-tests"
 version = "0.1.0"
 description = "Testing scripts for XCP-ng"
 readme = "README.md"
-requires-python = "~=3.11"
+requires-python = ">=3.11"
 dependencies = [
     "cryptography>=3.3.1",
     "gitpython",
@@ -21,6 +21,7 @@ dev = [
     "bs4>=0.0.1",
     "mypy",
     "flake8",
+    "flake8-pyproject",
     "pydocstyle",
     "pyright",
     "pyyaml>=6.0",
@@ -42,17 +43,38 @@ quote-style = "preserve"
 
 [tool.ruff.lint]
 select = [
+  "D",  # pydocstyle
   "F",  # Pyflakes
   "I",  # isort
   "SLF",  # flake8-self
   "SIM",  # flake8-simplify
 ]
-# don't use some of the SIM rules
+# don't use some of the default D and SIM rules
 ignore = [
+  "D100",  # undocumented-public-module
+  "D101",  # undocumented-public-class
+  "D102",  # undocumented-public-method
+  "D103",  # undocumented-public-function
+  "D104",  # undocumented-public-package
+  "D105",  # undocumented-magic-method
+  "D106",  # undocumented-public-nested-class
+  "D107",  # undocumented-public-init
+  "D200",  # unnecessary-multiline-docstring
+  "D203",  # incorrect-blank-line-before-class
+  "D204",  # incorrect-blank-line-after-class
+  "D205",  # missing-blank-line-after-summary
+  "D210",  # surrounding-whitespace
+  "D212",  # incorrect-blank-line-before-class
+  "D400",  # missing-trailing-period
+  "D401",  # non-imperative-mood
+  "D403",  # first-word-uncapitalized
   "SIM105",  # suppressible-exception
   "SIM108",  # if-else-block-instead-of-if-exp
 ]
 
+# restrict to the PEP 257 rules
+pydocstyle.convention = "pep257"
+
 [tool.ruff.lint.extend-per-file-ignores]
 # pytest requires some import and function arguments to match, but
 # the linter doesn't know that
@@ -76,3 +98,16 @@ section-order = [
     "local-folder",
     "typing",
 ]
+
+# ruff doesn't provide all the pycodestyle rules, and pycodestyle is not well
+# supported by some IDEs, so we use flake8 for that
+[tool.flake8]
+max-line-length = 120
+ignore = [
+  "E261",  # At least two spaces before inline comment
+  "E302",  # Expected 2 blank lines, found 0
+  "E305",  # Expected 2 blank lines after end of function or class
+  "W503",  # Line break occurred before a binary operator
+  "F",  # already done by ruff
+]
+exclude=[".git", ".venv", "data.py", "vm_data.py"]

pyproject.toml

@@ -3,6 +3,7 @@ ansible>=5.0.1
 bs4>=0.0.1
 mypy
 flake8
+flake8-pyproject
 pydocstyle
 pyright
 pyyaml>=6.0