Initial version

.bandit.yaml

@@ -0,0 +1,2 @@
+skips:
+  - B101 # Use of assert detected.

.editorconfig

@@ -0,0 +1,17 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = true
+max_line_length = 110
+quote_type = single
+
+[*.{yaml,json,json5,graphql,js,md,whitesource}]
+indent_size = 2
+
+[{Makefile,*.mk}]
+indent_style = tab

.gitattributes

@@ -0,0 +1,4 @@
+* text whitespace=trailing-space,tab-in-indent,cr-at-eol,tabwidth=4 eol=lf
+Makefile text whitespace=indent-with-non-tab,tabwidth=2
+*.mk text whitespace=indent-with-non-tab,tabwidth=2
+*.rst text conflict-marker-size=100

.github/publish.yaml

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/camptocamp/tag-publish/master/tag_publish/schema.json
+
+pypi:
+  versions:
+    - version_tag
+    - version_branch
+    - rebuild

.github/renovate.json5

@@ -0,0 +1,98 @@
+{
+  extends: ['config:base'],
+  timezone: 'Europe/Zurich',
+  schedule: 'after 5pm on the first day of the month',
+  labels: ['dependencies'],
+  separateMajorMinor: true,
+  separateMinorPatch: true,
+  prHourlyLimit: 0,
+  prConcurrentLimit: 0,
+  baseBranches: ['master'],
+  'pre-commit': { enabled: true },
+  lockFileMaintenance: {
+    enabled: true,
+    automerge: true,
+    schedule: 'after 5pm on the first day of the month',
+  },
+  regexManagers: [
+    /** Do updates on pre-commit additional dependencies */
+    {
+      fileMatch: ['^\\.pre\\-commit\\-config\\.yaml$'],
+      matchStrings: [" +- '?(?<depName>[^' @=]+)(@|==)(?<currentValue>[^' @=]+)'? # (?<datasource>.+)"],
+    },
+    /** Do update on the schema present in the ci/config.yaml */
+    {
+      fileMatch: ['^ci/config\\.yaml$'],
+      matchStrings: [
+        '.*https://raw\\.githubusercontent\\.com/(?<depName>[^\\s]+)/(?<currentValue>[0-9\\.]+)/.*',
+      ],
+      datasourceTemplate: 'github-tags',
+    },
+    /** Python version in actions/setup-python action */
+    {
+      fileMatch: ['^\\.github/workflows/.*\\.yaml$'],
+      matchStrings: [' python-version: [\'"](?<currentValue>[0-9\\.]+)[\'"]'],
+      datasourceTemplate: 'python-version',
+      depNameTemplate: 'python',
+    },
+  ],
+  packageRules: [
+    /** Automerge the patch, the minor and the dev dependency */
+    {
+      matchBaseBranches: ['master'],
+      matchUpdateTypes: ['minor', 'patch'],
+      automerge: true,
+    },
+    /** Auto merge the dev dependency update */
+    {
+      matchDepTypes: ['devDependencies'],
+      automerge: true,
+    },
+    /** Group and auto merge the patch updates */
+    {
+      matchUpdateTypes: ['patch'],
+      groupName: 'all patch versions',
+      automerge: true,
+    },
+    /** Group and auto merge the minor updates */
+    {
+      matchUpdateTypes: ['minor'],
+      groupName: 'all minor versions',
+      automerge: true,
+    },
+    /** Group Poetry packages */
+    {
+      matchPackagePrefixes: ['poetry'],
+      groupName: 'CI/build dependencies',
+      automerge: true,
+    },
+    /** Group and auto merge the CI dependencies */
+    {
+      matchFileNames: ['.github/**', '.pre-commit-config.yaml', 'ci/**'],
+      groupName: 'CI/build dependencies',
+      automerge: true,
+    },
+    /** Accept only the patch on stabilization branches */
+    {
+      matchBaseBranches: ['/^[0-9]+\\.[0-9]+$/'],
+      matchUpdateTypes: ['major', 'minor', 'pin', 'digest', 'lockFileMaintenance', 'rollback', 'bump'],
+      enabled: false,
+    },
+    /** Support the 4 parts of shellcheck-py version with a v prefix */
+    {
+      versioning: 'regex:^v(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)$',
+      matchDepNames: ['shellcheck-py/shellcheck-py'],
+    },
+    /** Disable upgrading the supported Python version */
+    {
+      matchFileNames: ['pyproject.toml'],
+      enabled: false,
+      matchDepNames: ['python'],
+    },
+    /** Packages published very recently are not pushed to stabilization branches for security reasons */
+    {
+      matchBaseBranches: ['/^[0-9]+\\.[0-9]+$/'],
+      minimumReleaseAge: '7 days',
+    },
+  ],
+}

.github/spell-ignore-words.txt

@@ -0,0 +1,2 @@
+pypi
+Snyk

.github/workflows/backport.yaml

@@ -0,0 +1,22 @@
+name: Backport
+
+on:
+  pull_request:
+    types:
+      - closed
+      - labeled
+
+env:
+  HAS_SECRETS: ${{ secrets.HAS_SECRETS }}
+
+jobs:
+  backport:
+    name: Backport
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+
+    steps:
+      - uses: camptocamp/backport-action@master
+        with:
+          token: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
+        if: env.HAS_SECRETS == 'HAS_SECRETS'

.github/workflows/clean.yaml

@@ -0,0 +1,29 @@
+name: Clean docker hub tags
+
+on:
+  delete:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  clean:
+    name: Clean docker hub tags
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: camptocamp/initialise-gopass-summon-action@v2
+        with:
+          ci-gpg-private-key: ${{secrets.CI_GPG_PRIVATE_KEY}}
+          github-gopass-ci-token: ${{secrets.GOPASS_CI_GITHUB_TOKEN}}
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+      - run: python3 -m pip install c2cciutils
+
+      - name: Clean Docker hub tags
+        run: c2cciutils-clean

.github/workflows/main.yaml

@@ -0,0 +1,77 @@
+name: Continuous integration
+
+on:
+  push:
+    branches:
+      - master
+      - '[0-9]+.[0-9]+'
+    tags:
+      - '*'
+  pull_request:
+
+permissions:
+  packages: write
+
+env:
+  HAS_SECRETS: ${{ secrets.HAS_SECRETS }}
+
+jobs:
+  main:
+    name: Continuous integration
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20
+    if: "!startsWith(github.event.head_commit.message, '[skip ci] ')"
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: camptocamp/initialise-gopass-summon-action@v2
+        with:
+          ci-gpg-private-key: ${{secrets.CI_GPG_PRIVATE_KEY}}
+          github-gopass-ci-token: ${{secrets.GOPASS_CI_GITHUB_TOKEN}}
+          patterns: pypi
+        if: env.HAS_SECRETS == 'HAS_SECRETS'
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+      - run: python3 -m pip install --requirement=requirements.txt
+
+      - uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: "pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}\npre-commit-"
+      - run: pre-commit run --all-files
+      - run: git diff --exit-code --patch > /tmp/pre-commit.patch || true
+        if: failure()
+      - uses: actions/upload-artifact@v4
+        with:
+          name: Apply pre-commit fix.patch
+          path: /tmp/pre-commit.patch
+          retention-days: 1
+        if: failure()
+
+      - name: Print the environment
+        run: c2cciutils-env
+        env:
+          GITHUB_EVENT: ${{ toJson(github) }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: poetry install
+      - name: Prospector
+        run: poetry run prospector --die-on-tool-error --output-format=pylint
+
+      - name: Publish
+        run: tag-publish
+
+      - run: git diff --exit-code --patch > /tmp/dpkg-versions.patch || true
+        if: failure()
+      - uses: actions/upload-artifact@v4
+        with:
+          name: Update dpkg versions list.patch
+          path: /tmp/dpkg-versions.patch
+          retention-days: 1
+        if: failure()

.github/workflows/pull-request-automation.yaml

@@ -0,0 +1,51 @@
+name: Auto reviews, merge and close pull requests
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  auto-merge:
+    name: Auto reviews pull requests from bots
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+
+    steps:
+      - name: Print event
+        run: echo "${GITHUB}" | jq
+        env:
+          GITHUB: ${{ toJson(github) }}
+      - name: Print context
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            console.log(context);
+      - name: Auto reviews GHCI updates
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+              event: 'APPROVE',
+            })
+        if: |-
+          startsWith(github.head_ref, 'ghci/audit/')
+          && (github.event.pull_request.user.login == 'geo-ghci-test[bot]'
+            || github.event.pull_request.user.login == 'geo-ghci-int[bot]'
+            || github.event.pull_request.user.login == 'geo-ghci[bot]')
+      - name: Auto reviews Renovate updates
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+              event: 'APPROVE',
+            })
+        if: |-
+          github.event.pull_request.user.login == 'renovate[bot]'

.gitignore

@@ -0,0 +1,4 @@
+__pycache__
+/dist/
+/tag_publish/node_modules/
+/.mypy_cache/