Start releasing to pypi (#463)

* release to pypi Signed-off-by: Alex Goodman <[email protected]> * port to uv Signed-off-by: Alex Goodman <[email protected]> --------- Signed-off-by: Alex Goodman <[email protected]>
anchore · Jan 10, 2025 · 3c21f19 · 3c21f19
1 parent 0c84c44
commit 3c21f19
Show file tree

Hide file tree

Showing 14 changed files with 1,524 additions and 1,912 deletions.
diff --git a/.binny.yaml b/.binny.yaml
@@ -0,0 +1,24 @@
+tools:
+  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
+  - name: binny
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/binny
+
+  # used for showing the changelog at release
+  - name: glow
+    version:
+      want: v2.0.0
+    method: github-release
+    with:
+      repo: charmbracelet/glow
+
+  # used at release to generate the changelog
+  - name: chronicle
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/chronicle
diff --git a/.github/actions/bootstrap/action.yaml b/.github/actions/bootstrap/action.yaml
@@ -0,0 +1,54 @@
+name: "Bootstrap"
+description: "Bootstrap all tools and dependencies"
+inputs:
+  uv-version:
+    description: "UV version to install"
+    required: true
+    default: "0.5.16"
+  cache-key-prefix:
+    description: "Prefix all cache keys with this value"
+    required: true
+    default: "9c833ef7"
+  tools:
+    description: "whether to install tools"
+    default: "true"
+  bootstrap-apt-packages:
+    description: "Space delimited list of tools to install via apt"
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        enable-cache: true
+
+    - name: "Set up Python"
+      uses: actions/setup-python@v5
+      with:
+        python-version-file: "pyproject.toml"
+
+    - name: Restore tool cache
+      if: inputs.tools == 'true'
+      id: tool-cache
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+      with:
+        path: ${{ github.workspace }}/.tool
+        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}
+
+    - name: Install project tools
+      shell: bash
+      if: inputs.tools == 'true'
+      run: make tools
+
+    - name: Install apt packages
+      if: inputs.bootstrap-apt-packages != ''
+      shell: bash
+      run: |
+        DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y ${{ inputs.bootstrap-apt-packages }}
+
+    - name: Install project + dependencies
+      shell: bash
+      run: uv sync --all-extras --dev
diff --git a/.github/scripts/ci-check.sh b/.github/scripts/ci-check.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+red=$(tput setaf 1)
+bold=$(tput bold)
+normal=$(tput sgr0)
+
+# assert we are running in CI (or die!)
+if [[ -z "$CI" ]]; then
+    echo "${bold}${red}This script should ONLY be run in CI. Exiting...${normal}"
+    exit 1
+fi
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -10,6 +10,7 @@ permissions:
   contents: read
 
 jobs:
+
   quality-gate:
     runs-on: ubuntu-20.04
     steps:
@@ -42,42 +43,67 @@ jobs:
           echo "Validations Status: ${{ steps.validations.conclusion }}"
           false
 
-
-  release:
-    needs: [quality-gate]
-    runs-on: ubuntu-20.04
-    environment: release
+  tag:
+    needs:
+      - quality-gate
+    runs-on: ubuntu-22.04
     permissions:
       contents: write
-      packages: write
-      issues: read
-      pull-requests: read
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           # in order to properly resolve the version from git
           fetch-depth: 0
 
-      - name: Restore tool cache
-        id: tool-cache
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
-        with:
-          path: ${{ github.workspace }}/.tmp
-          key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
-
-      - name: (cache-miss) Bootstrap tools
-        if: steps.tool-cache.outputs.cache-hit != 'true'
-        run: make bootstrap
-
       - name: Tag release
         run: |
           git config --global user.name "anchoreci"
           git config --global user.email "[email protected]"
-          git tag -a ${{ github.event.inputs.version }} -m "Release ${{ github.event.inputs.version }}"
+          git tag ${{ github.event.inputs.version }}
           git push origin --tags
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  release-pypi:
+    needs:
+      - tag
+    runs-on: ubuntu-22.04
+    environment: release
+    permissions:
+      contents: read
+      # required to authenticate with PyPI via OIDC token
+      id-token: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          # in order to properly resolve the version from git
+          fetch-depth: 0
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+
+      # note: authentication is via the OIDC token
+      - name: Publish to PyPI
+        run: make ci-publish-pypi
+
+  release-github:
+    needs:
+      - tag
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      packages: write
+      issues: read
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          # in order to properly resolve the version from git
+          fetch-depth: 0
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+
       - name: Create github release
         run: |
           make changelog

diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
@@ -9,10 +9,6 @@ on:
 permissions:
   contents: read
 
-env:
-  PYTHON_VERSION: "3.11"
-  POETRY_VERSION: "1.8.3"
-
 jobs:
 
   # note: changing the job name requires a quality gate reference change in .github/workflows/release.yaml
@@ -21,41 +17,17 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install poetry
-        uses: abatilo/actions-poetry@0dd19c9498c3dc8728967849d0d2eae428a8a3d8 # v2.3.0
-        with:
-          poetry-version: ${{ env.POETRY_VERSION }}
-
-      - name: Cache Poetry virtualenv
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
-        id: cache
-        with:
-          path: ~/.virtualenvs
-          key: python-${{ env.PYTHON_VERSION }}-poetry-${{ env.POETRY_VERSION }}-${{ hashFiles('poetry.lock') }}
-          restore-keys: |
-            python-${{ env.PYTHON_VERSION }}-poetry-${{ env.POETRY_VERSION }}
-
-      - name: Setup Poetry config
-        run: |
-          poetry config virtualenvs.in-project false
-          poetry config virtualenvs.path ~/.virtualenvs
-
-      - name: Install dependencies and package
-        run: poetry install
-        if: steps.cache.outputs.cache-hit != 'true'
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
 
       - name: Run static analysis
-        run: poetry run make static-analysis
+        run: make static-analysis
 
       - name: Run unit tests
-        run: poetry run make unit
+        run: make unit
 
       - name: Build test
-        run: poetry run make build
+        run: make build
 
       - name: Run CLI tests
         run: make cli
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,8 @@ CHANGELOG.md
 VERSION
 .tmp/
 .tool-versions
+.mise.toml
+.tool
 
 .idea/
 .vscode/

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -52,19 +52,11 @@ repos:
       stages:
         - pre-push
 
-  # why use the local repo instead of hosted hooks? so that dependencies are centrally managed through poetry
+  # why use the local repo instead of hosted hooks? so that dependencies are centrally managed through uv
   - repo: local
     hooks:
 
-      # note: this is used in lieu of autopep8 and yapf
-      - id: black
-        name: black
-        # note: why not use the official black pre-commit hook? so we can use poetry to control which version of black is used.
-        entry: make format
-        pass_filenames: false
-        language: system
-
-      # this is used in lieu of several flake8 plugins, isort, unimport, pulint, pyupgrade, pydocstyle, autoflake, mccabe
+      # this is used in lieu of several flake8 plugins, isort, unimport, pulint, pyupgrade, pydocstyle, autoflake, mccabe, black, autopep8 and yapf
       - id: ruff
         name: ruff
         entry: make lint-fix

diff --git a/DEVELOPING.md b/DEVELOPING.md
@@ -3,39 +3,32 @@
 ## Getting Started
 
 This project requires:
-- python (>= 3.7)
-- pip (>= 22.2)
-- poetry (>= 1.2): see [installation instructions](https://python-poetry.org/docs/#installation)
+- python (>= 3.11)
+- uv (>= 0.5): see [installation instructions](https://docs.astral.sh/uv/getting-started/installation/)
 
-Once you have python and poetry installed, get the project bootstrapped:
+Once you have python and uv installed, get the project bootstrapped:
 
 ```bash
 # get basic project tooling
-make bootstrap
-
-# get a persistent virtual environment to work within
-poetry shell
+make tools
 
 # install project dependencies
-poetry install
+uv sync
 ```
 
 [Pre-commit](https://pre-commit.com/) is used to help enforce static analysis checks with git hooks:
 
 ```bash
-poetry run pre-commit install --hook-type pre-push
+uv run pre-commit install --hook-type pre-push
 ```
 
-To jump into a poetry-managed virtualenv run `poetry shell`, this will prevent the need for `poetry run...` prefix for each command.
-
 ## Developing
 
 If you want to use a locally-editable copy of yardstick while you develop:
 
 ```bash
-poetry shell
-pip uninstall yardstick  #... if you already have yardstick installed in this virtual env
-pip install -e .
+uv pip uninstall yardstick  #... if you already have yardstick installed in this virtual env
+uv pip install -e .
 ```
 
 To run all static-analysis and tests:
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,8 @@ CHANGELOG.md @@
     VERSION
     .tmp/
     .tool-versions
+    .mise.toml
+    .tool
     .idea/
     .vscode/
@@ Expand Down @@