Merge pull request #269 from Skyscanner/pyproject.toml

Migrate to pyproject.toml

.github/workflows/lint-and-test.yml

@@ -9,7 +9,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ['3.7', '3.8', '3.9', '3.10', '3.11', '3.12']
+        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
 
     name: Python ${{ matrix.python-version }}
 

.github/workflows/pypi-release.yml

@@ -5,32 +5,33 @@ on:
     types: [published]
 
 jobs:
-  build:
+  pypi-publish:
+    name: Upload release to PyPI
     runs-on: ubuntu-latest
-
+    environment:
+      name: pypi
+      url: https://pypi.org/p/cfripper
+    permissions:
+      id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
       - name: Setup python
         uses: actions/setup-python@v4
         with:
-          python-version: '3.7'
-
-      - run: pip install setuptools wheel
-
-      - run: make install
-
-      - name: Build a binary wheel
-        run: python setup.py sdist bdist_wheel
-
-#      This doesn't add any value. It mostly passes, and if a release fails in the non-test PyPi
-#      this step then needs to be skipped.
-#      Leaving it commented until we find a cause to keep it that adds value to the project.
-#      - name: Publish distribution 📦 to Test PyPI
-#        uses: pypa/gh-action-pypi-publish@master
-#        with:
-#          password: ${{ secrets.test_pypi_password }}
-#          repository_url: https://test.pypi.org/legacy/
+          python-version: '3.8'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install -U pip setuptools
+          python -m pip install -U twine build setuptools-scm
+
+      - name: Build package
+        run: |
+          python -m setuptools_scm
+          python -m build
+          twine check --strict dist/*
 
       - name: Publish distribution 📦 to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1

Makefile

@@ -1,49 +1,50 @@
-SOURCE_DIRS = cfripper tests docs
-SOURCE_FILES = setup.py
-SOURCE_ALL = $(SOURCE_DIRS) $(SOURCE_FILES)
+SOURCES = cfripper tests docs
 
+PIP_COMMAND = pip
 install:
-	pip install -r requirements.txt
+	$(PIP_COMMAND) install -r requirements.txt
 
-install-dev: install
-	pip install -e ".[dev]"
+install-dev:
+	$(PIP_COMMAND) install -r requirements.txt -r requirements-dev.txt .
 
 install-docs:
-	pip install -e ".[dev,docs]"
+	$(PIP_COMMAND) install -r requirements.txt -r requirements-docs.txt .
 
 format:
-	isort --recursive $(SOURCE_ALL)
-	black $(SOURCE_ALL)
+	ruff format $(SOURCES)
 
-lint: isort-lint black-lint flake8-lint
-
-isort-lint:
-	isort --check-only --recursive $(SOURCE_ALL)
-
-black-lint:
-	black --check $(SOURCE_ALL)
-
-flake8-lint:
-	flake8 $(SOURCE_ALL)
+lint:
+	ruff check $(SOURCES)
 
 unit:
 	pytest -svvv tests
 
 coverage:
-	coverage run --source=cfripper --branch -m pytest tests/ --junitxml=build/test.xml -v
-	coverage report
-	coverage xml -i -o build/coverage.xml
-	coverage html
+	pytest --cov cfripper
 
 test: lint unit
 
 test-docs:
 	mkdocs build --strict
 
-freeze:
-	CUSTOM_COMPILE_COMMAND="make freeze" pip-compile --no-emit-index-url --no-annotate --output-file requirements.txt setup.py
-
-freeze-upgrade:
-	CUSTOM_COMPILE_COMMAND="make freeze" pip-compile --no-emit-index-url --upgrade --no-annotate --output-file requirements.txt setup.py
-
-.PHONY: install install-dev install-docs format lint isort-lint black-lint flake8-lint unit coverage test freeze freeze-upgrade
+FREEZE_COMMAND = CUSTOM_COMPILE_COMMAND="make freeze" uv pip compile
+FREEZE_OPTIONS = --no-emit-index-url --no-annotate -v
+freeze-base: pyproject.toml
+	$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --output-file requirements.txt
+freeze-dev: pyproject.toml
+	$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --extra dev --output-file requirements-dev.txt
+freeze-docs: pyproject.toml
+	$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --extra dev --extra docs --output-file requirements-docs.txt
+freeze: freeze-base freeze-dev freeze-docs
+
+freeze-upgrade-base:
+	$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --upgrade --output-file requirements.txt
+freeze-upgrade-dev:
+	$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --upgrade --extra dev --output-file requirements-dev.txt
+freeze-upgrade-docs:
+	$(FREEZE_COMMAND) $(FREEZE_OPTIONS) pyproject.toml --upgrade --extra docs --extra dev --output-file requirements-docs.txt
+freeze-upgrade: freeze-upgrade-base freeze-upgrade-dev freeze-upgrade-docs
+
+
+.PHONY: install install-dev install-docs format lint unit coverage test freeze freeze-upgrade\
+	freeze-base freeze-dev freeze-docs freeze-upgrade-base freeze-upgrade-dev freeze-upgrade-docs

cfripper/cli.py

@@ -1,6 +1,7 @@
 import logging
 import re
 import sys
+from importlib.metadata import version
 from io import TextIOWrapper
 from pathlib import Path
 from typing import Dict, List, Optional, Tuple
@@ -9,7 +10,6 @@
 import pycfmodel
 from pycfmodel.model.cf_model import CFModel
 
-from cfripper.__version__ import __version__
 from cfripper.config.config import Config
 from cfripper.config.pluggy.utils import get_all_rules
 from cfripper.exceptions import FileEmptyException
@@ -145,7 +145,7 @@ def validate_aws_principals(ctx: click.Context, param: str, value: str) -> Optio
 
 
 @click.command()
-@click.version_option(prog_name="cfripper", version=__version__)
+@click.version_option(prog_name="cfripper", version=version("cfripper"))
 @click.argument("templates", type=click.File("r"), nargs=-1)
 @click.option(
     "--resolve/--no-resolve",

cfripper/rules/storage_encrypted_rule.py

@@ -29,7 +29,6 @@ def invoke(self, cfmodel: CFModel, extras: Optional[Dict] = None) -> Result:
                     "aurora"
                 )  # not applicable for aurora since the encryption for DB instances is managed by the DB cluster
             ):
-
                 self.add_failure_to_result(
                     result,
                     self.REASON.format(db_name),

pyproject.toml

@@ -1,8 +1,132 @@
-[tool.black]
+[build-system]
+requires = ["setuptools>=64", "setuptools_scm>=8"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "cfripper"
+description="Library and CLI tool for analysing CloudFormation templates and check them for security compliance."
+readme = "README.md"
+requires-python = ">=3.8.0"
+dynamic = ["version"]
+license = { file = "LICENSE.md" }
+authors = [
+    { name = "Skyscanner Security", email = "security@skyscanner.net" }
+]
+keywords = [
+    "security",
+    "cloudformation",
+    "aws",
+    "cli"
+]
+
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: Apache Software License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security"
+]
+
+dependencies = [
+    "boto3>=1.4.7,<2",
+    "cfn_flip>=1.2.0",
+    "click>=8.0.0",
+    "pluggy~=0.13.1",
+    "pycfmodel>=0.22.0",
+    "pydash>=4.7.6",
+    "PyYAML>=4.2b1"
+]
+
+[project.urls]
+documentation = "https://cfripper.readthedocs.io/"
+repository = "https://github.com/Skyscanner/cfripper"
+
+[project.scripts]
+cfripper = "cfripper.cli:cli"
+
+[project.optional-dependencies]
+dev = [
+    "moto[all]>=5",
+    "pytest-cov>=2.5.1",
+    "pytest>=3.6",
+    "ruff",
+    "uv",
+]
+docs = [
+    "mkdocs==1.3.0",
+    "mkdocs-macros-plugin==0.7.0",
+    "mkdocs-material==8.2.8",
+    "mkdocs-material-extensions==1.0.3",
+    "mkdocs-minify-plugin==0.5.0",
+]
+
+[tool.ruff]
+# Exclude a variety of commonly ignored directories.
+exclude = [
+    ".eggs",
+    ".git",
+    ".git-rewrite",
+    ".pyenv",
+    ".pytest_cache",
+    ".ruff_cache",
+    ".venv",
+    ".vscode",
+    "__pypackages__",
+    "_build",
+    "build",
+    "dist",
+    "node_modules",
+    "site",
+    "site-packages",
+    "venv",
+]
 line-length = 120
-exclude = '''
-/(
-  | \.venv
-  | venv
-)/
-'''
+indent-width = 4
+target-version = "py38"
+
+[tool.ruff.lint]
+select = ["E", "F", "W", "A", "PLC", "PLE", "PLW", "I"]
+ignore = ["A002", "E501"]
+
+# Allow fix for all enabled rules (when `--fix`) is provided.
+fixable = ["ALL"]
+unfixable = []
+
+# Allow unused variables when underscore-prefixed.
+dummy-variable-rgx = "^(_+|(_+[a-zA-Z0-9_]*[a-zA-Z0-9]+?))$"
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+skip-magic-trailing-comma = false
+line-ending = "auto"
+docstring-code-format = false
+docstring-code-line-length = "dynamic"
+
+[tool.pytest.ini_options]
+log_cli = true
+log_level = "INFO"
+
+[tool.coverage.report]
+show_missing = true
+skip_covered = false
+
+[tool.coverage.run]
+branch = true
+source = ["cfripper"]
+
+[tool.setuptools]
+include-package-data = false
+
+[tool.setuptools.packages.find]
+# needed only because we did not adopt src layout yet
+include = ["cfripper*"]
+
+[tool.setuptools_scm]