python-validators · yozachar · Aug 7, 2023 · Aug 1, 2023 · Aug 1, 2023 · Aug 1, 2023
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -0,0 +1,52 @@
+# Documentation
+name: docs
+on:
+  workflow_dispatch:
+  push:
+    branches: ["master"]
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+env:
+  BUILD_PATH: "."
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      # checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      # set up specific python version
+      - name: Set up Python v3.11
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+      # building
+      - name: Install 'documentation' dependencies
+        run: pip install -r python/requirements.mkdocs.txt
+      - name: Build documentation
+        run: python src/export docs
+      # set up Pages
+      - name: Set up Pages
+        uses: actions/configure-pages@v3
+      # upload static page
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v1
+        with:
+          path: ${{ env.BUILD_PATH }}/site
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    # deploy documentation
+    name: Deploy
+    steps:
+      - name: Deploy to GitHub Pages
+        uses: actions/deploy-pages@v1
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
diff --git a/.github/workflows/package.yaml b/.github/workflows/package.yaml
@@ -0,0 +1,52 @@
+# Publish to PyPI
+name: package
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+permissions:
+  contents: read
+env:
+  BUILD_PATH: "."
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      # set up specific python version
+      - name: Set up Python v3.8
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.8"
+      # install dependencies
+      - name: Install dependencies
+        run: |
+          python -m venv .venv
+          ./.venv/Scripts/python -m pip install --upgrade pip
+          ./.venv/Scripts/pip install .
+          ./.venv/Scripts/pip install -r python/requirements.sphinx.txt
+          ./.venv/Scripts/pip install build
+      # build package
+      - name: Build package
+        run: ./.venv/Scripts/python src/export package
+      # upload package as artifact
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v1
+        with:
+          path: ${{ env.BUILD_PATH }}/dist
+  publish:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      # download artifact
+      - name: Download artifact
+        uses: actions/download-artifact@v3
+        with:
+          path: ${{ env.BUILD_PATH }}/dist
+      # publish package
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
diff --git a/.github/workflows/pycqa.yaml b/.github/workflows/pycqa.yaml
@@ -0,0 +1,51 @@
+# Python Code Quality Analysis
+name: pycqa
+on:
+  workflow_dispatch:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+jobs:
+  tooling:
+    runs-on: ubuntu-latest
+    steps:
+      # checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      # set up specific python version
+      - name: Set up Python v3.8
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.8"
+      # tooling
+      - name: Install 'tooling' dependencies
+        run: pip install -r python/requirements.tooling.txt
+      - name: Tooling
+        run: |
+          black .
+          ruff check .
+          pyright .
+  testing:
+    strategy:
+      fail-fast: true
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python-version: ["3.8", "3.9", "3.10", "3.11"]
+    runs-on: ${{ matrix.os }}
+    steps:
+      # checkout repository again!
+      # ref: https://github.com/actions/checkout/issues/19
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      # set up specific python version
+      - name: Set up Python v${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "pip"
+      # testing
+      - name: Install 'testing' dependencies
+        run: pip install pytest
+      - name: Testing
+        run: pytest .
diff --git a/.github/workflows/bandit.yml → .github/workflows/sast.yaml b/.github/workflows/bandit.yml → .github/workflows/sast.yaml
@@ -1,52 +1,40 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# Bandit is a security linter designed to find common security issues in Python code.
-# This action will run Bandit on your codebase.
-# The results of the scan will be found under the Security tab of your repository.
-
-# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
-# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
-
-name: Bandit
+# Static Application Security Testing
+name: sast
 on:
   workflow_dispatch:
   push:
     branches: ["master"]
   pull_request:
-    # The branches below must be a subset of the branches above
     branches: ["master"]
   schedule:
-    - cron: "28 12 * * 2"
-
+    - cron: "00 00 * * 0"
 jobs:
-  bandit:
+  sast:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: Bandit Scan
-        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
-        with: # optional arguments
+      - name: Bandit
+        uses: mdegis/bandit-action@85fcc340c3b0bf5d86029abb49b9aac916d807b2
+        with:
           # exit with 0, even with results found
-          exit_zero: true # optional, default is DEFAULT
+          # exit_zero: true # optional, default is DEFAULT
           # Github token of the repository (automatically created by Github)
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
           # File or directory to run bandit on
-          path: ./validators # optional, default is .
+          path: ./src/validators # optional, default is .
           # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
           # level: # optional, default is UNDEFINED
           # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
           # confidence: # optional, default is UNDEFINED
           # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-          excluded_paths: tests,docs,.github # optional, default is DEFAULT
+          excluded_paths: .github,.pytest_cache,.venv,.vscode,site,tests # optional, default is DEFAULT
           # comma-separated list of test IDs to skip
           # skips: # optional, default is DEFAULT
           # path to a .bandit file that supplies command line arguments
           # ini_path: # optional, default is DEFAULT
+# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
+# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
diff --git a/.gitignore b/.gitignore
@@ -111,6 +111,8 @@ ipython_config.py
 #   in version control.
 #   https://pdm.fming.dev/#use-with-ide
 .pdm.toml
+.pdm-python
+.pdm-build/
 
 # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
 __pypackages__/
@@ -167,3 +169,6 @@ cython_debug/
 
 # asdf
 .tool-versions
+
+# ruff
+.ruff_cache
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -14,14 +14,14 @@ repos:
         args: ["--branch", "master"]
       - id: trailing-whitespace
   - repo: https://github.com/psf/black
-    rev: 23.3.0
+    rev: 23.7.0
     hooks:
       - id: black
-  - repo: https://github.com/PyCQA/isort
-    rev: 5.12.0
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.0.282
     hooks:
-      - id: isort
-  - repo: https://github.com/PyCQA/flake8
-    rev: 6.0.0
+      - id: ruff
+  - repo: https://github.com/RobertCraigie/pyright-python
+    rev: v1.1.320
     hooks:
-      - id: flake8
+      - id: pyright