diff --git a/.copier-answers.yml b/.copier-answers.yml index 0066038f..e4b2f2d3 100644 --- a/.copier-answers.yml +++ b/.copier-answers.yml @@ -1,6 +1,6 @@ # Autogenerated. Do not edit this by hand, use `copier update`. --- -_commit: 0.8.0 +_commit: 0.9.0 _src_path: https://github.com/lkubb/salt-extension-copier author: EITR Technologies, LLC author_email: devops@eitr.tech diff --git a/.github/actions/upload-exitstatus/action.yml b/.github/actions/upload-exitstatus/action.yml new file mode 100644 index 00000000..66915ebe --- /dev/null +++ b/.github/actions/upload-exitstatus/action.yml @@ -0,0 +1,32 @@ +--- +name: upload-exitstatus +description: Upload a job's status as an artifact +inputs: + artifact_prefix: + required: false + default: exitstatus- + name: + required: false + default: '' + +runs: + using: composite + + steps: + + - name: Set Exit Status + if: always() + env: + OUTFILE: exitstatus/${{ inputs.name == '' && github.job || inputs.name }} + shell: bash + run: | + mkdir exitstatus + echo "${{ job.status }}" > "$OUTFILE" + + - name: Upload Exit Status + if: always() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: ${{ inputs.artifact_prefix }}${{ inputs.name == '' && github.job || inputs.name }} + path: exitstatus + if-no-files-found: error diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 74f69834..77a95f21 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
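Review bot: In `.github/actions/upload-exitstatus/action.yml`, the `Set Exit Status` step expands `${{ job.status }}` directly inside the script, while the output path already goes through `env`. Passing the status the same way (`STATUS: ${{ job.status }}` under `env`, then `echo "$STATUS" > "$OUTFILE"`) keeps every expression out of the shell text. `mkdir exitstatus` also fails if the directory already exists in the workspace, so `mkdir -p exitstatus` is the safer form. Because this is a local action, the calling job must have checked out the repository before the step runs, and the `description` could say so.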
@@ -3,37 +3,24 @@ name: CI on: workflow_call: - inputs: - deploy-docs: - required: false - type: boolean - default: false - release: - required: false - type: boolean - default: false - version: - required: false - type: string - secrets: - PYPI_API_TOKEN: - required: false - TEST_PYPI_API_TOKEN: - required: false - jobs: get-changed-files: name: Get Changed Files uses: ./.github/workflows/get-changed-files.yml + permissions: + contents: read + pull-requests: read # for dorny/paths-filter to read pull requests pre-commit: name: Pre-Commit - uses: ./.github/workflows/pre-commit-action.yml needs: - get-changed-files + uses: ./.github/workflows/pre-commit-action.yml with: changed-files: ${{ needs.get-changed-files.outputs.changed-files }} + permissions: + contents: read test: name: Test 
@@ -46,130 +33,13 @@ jobs: needs: - pre-commit uses: ./.github/workflows/docs-action.yml - - check-prepare-release: - name: Check if we can prepare release PR - if: >- - github.event_name == 'push' && - github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - needs: - - docs - - test - runs-on: ubuntu-24.04 - outputs: - news-fragments-available: ${{ steps.check-available.outputs.available }} - - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Check if news fragments are available - id: check-available - run: | - if [ -n "$(find changelog -type f -not -name '.*' -print -quit)" ]; then - echo "available=1" >> "$GITHUB_OUTPUT" - else - echo "available=0" >> "$GITHUB_OUTPUT" - fi - - prepare-release: - name: Prepare Release PR - if: ${{ needs.check-prepare-release.outputs.news-fragments-available == '1' }} - needs: - - check-prepare-release - - docs - - test permissions: - contents: write - pull-requests: write - uses: ./.github/workflows/prepare-release-action.yml - - deploy-docs: - name: Deploy Docs - uses: ./.github/workflows/deploy-docs-action.yml - # Only build doc deployments from the default branch of the repo and never for PRs, - # unless the triggering event was the release PR being merged. 
- if: >- - inputs.deploy-docs && - ( - github.event_name != 'pull_request' || - inputs.release - ) && - github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - needs: - - docs - - test + contents: read build-python-package: name: Python Package - if: ${{ inputs.release && success() }} - uses: ./.github/workflows/package-action.yml needs: - pre-commit - with: - version: "${{ inputs.version }}" - - deploy-python-package-test-pypi: - name: Deploy Python Package (Test PyPI) - uses: ./.github/workflows/deploy-package-action.yml - if: ${{ inputs.release && success() }} - needs: - - test - - docs - - build-python-package - secrets: - TEST_PYPI_API_TOKEN: "${{ secrets.TEST_PYPI_API_TOKEN }}" - with: - version: "${{ inputs.version }}" - - deploy-python-package: - name: Deploy Python Package (PyPI) - uses: ./.github/workflows/deploy-package-action.yml - if: ${{ inputs.release && success() }} - needs: - - deploy-python-package-test-pypi - secrets: - PYPI_API_TOKEN: "${{ secrets.PYPI_API_TOKEN }}" - with: - test: false - version: "${{ inputs.version }}" - - set-pipeline-exit-status: - # This step is just so we can make github require this step, to pass checks - # on a pull request instead of requiring all - name: Set the CI Pipeline Exit Status - runs-on: ubuntu-24.04 - if: always() - needs: - - test - - docs - - deploy-docs - - build-python-package - - deploy-python-package-test-pypi - - deploy-python-package - - steps: - - name: Download Exit Status Files - if: always() - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 - with: - path: exitstatus - pattern: exitstatus-* - merge-multiple: true - - - name: Delete Exit Status Artifacts - if: always() - uses: geekyeggo/delete-artifact@7ee91e82b4a7f3339cd8b14beace3d826a2aac39 # v5.1.0 - with: - name: exitstatus-* - useGlob: true - failOnError: false - - - name: Set Pipeline Exit Status - run: | - tree exitstatus - grep -RE 'failure|cancelled' exitstatus/ && exit 1 || exit 
0 - - - name: Done - if: always() - run: - echo "All workflows finished" + uses: ./.github/workflows/package-action.yml + permissions: + contents: read diff --git a/.github/workflows/deploy-docs-action.yml b/.github/workflows/deploy-docs-action.yml index 9e2e89e6..861804b5 100644 --- a/.github/workflows/deploy-docs-action.yml +++ b/.github/workflows/deploy-docs-action.yml @@ -11,6 +11,12 @@ on: required: false default: html-docs + +permissions: + actions: read # For downloading artifacts of other runs when called via workflow_run trigger + pages: write + id-token: write + jobs: # The released docs are not versioned currently, only the latest ones are deployed. @@ -31,18 +37,17 @@ jobs: name: github-pages url: ${{ steps.deployment.outputs.page_url }} - permissions: - pages: write - id-token: write - runs-on: ubuntu-24.04 steps: + - name: Download built docs - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: ${{ inputs.artifact-name }} path: html-docs + github-token: ${{ github.token }} + run-id: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.id || github.run_id }} - name: Upload GitHub Pages artifact uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 @@ -63,16 +68,8 @@ jobs: name: html-docs-pages failOnError: false - - name: Set Exit Status - if: always() - run: | - mkdir exitstatus - echo "${{ job.status }}" > exitstatus/${{ github.job }} + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Upload Exit Status if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: exitstatus-${{ github.job }} - path: exitstatus - if-no-files-found: error + uses: ./.github/actions/upload-exitstatus 
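Review bot: In `.github/workflows/deploy-docs-action.yml`, the added `actions/checkout` step has no `if: always()`, so it is skipped when an earlier step fails. The following `uses: ./.github/actions/upload-exitstatus` step does run under `if: always()`, but presumably cannot resolve the local action without a checkout. In that case no `exitstatus-*` artifact is written for the failed job, and the pipeline-status job looks only at those artifacts. Adding `if: always()` to the checkout step would keep failure reporting intact. The new workflow-level `permissions:` block also omits `contents: read`, which checkout likely needs on a private repository; this is worth confirming.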
diff --git a/.github/workflows/deploy-package-action.yml b/.github/workflows/deploy-package-action.yml index 869b7f5a..68b5caa6 100644 --- a/.github/workflows/deploy-package-action.yml +++ b/.github/workflows/deploy-package-action.yml 
@@ -1,60 +1,148 @@ --- -name: Deploy Salt Extension Python Package +name: Release Salt Extension Python Package on: - workflow_call: - inputs: - test: - type: boolean - required: false - default: true - version: - type: string - required: true - secrets: - PYPI_API_TOKEN: - required: false - TEST_PYPI_API_TOKEN: - required: false + workflow_run: + types: + - completed + workflows: + - Auto PR Releases + - Tagged Releases jobs: - build: - name: Publish Python Package to ${{ ! inputs.test && 'PyPI' || 'Test PyPI' }} + get_version: + name: Get package version runs-on: ubuntu-24.04 + if: github.event.workflow_run.conclusion == 'success' + permissions: + actions: read + outputs: + version: ${{ steps.extract-version.outputs.version }} steps: + - name: Download expected version + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + name: version.txt + path: ${{ runner.temp }} + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + - name: Download Python Package Artifacts - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: - name: salt-extension-${{ inputs.version }}-packages + name: salt-extension-packages path: dist + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + + - name: Extract and verify package version + id: extract-version + run: |- + wheel_file="$(find dist -name '*.whl' | head -n 1)" + test -n "$wheel_file" || exit 1 + unzip "$wheel_file" -d "$RUNNER_TEMP/extract" + dist_info="$(find "$RUNNER_TEMP/extract" -type d -name '*.dist-info' | head -n 1)" + test -n "$dist_info" || exit 1 + package_version="$(sed -n 's/^Version:\s*\(\S*\)$/\1/p' "$dist_info/METADATA")" + test -n "$package_version" || exit 1 + expected_version="$(cat "$RUNNER_TEMP/version.txt" | head -n 1)" + echo "Detected package version: $package_version" + echo 
"Expected version: $expected_version" + test "$package_version" = "$expected_version" || exit 1 + echo "version=$expected_version" >> "$GITHUB_OUTPUT" + + test_release: + name: Publish Python Package to Test PyPI + runs-on: ubuntu-24.04 + needs: + - get_version + permissions: + actions: read + id-token: write + + steps: + - name: Download Python Package Artifacts + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + name: salt-extension-packages + path: dist + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} - name: Publish distribution to Test PyPI - uses: pypa/gh-action-pypi-publish@1bb664cc2ddedbbfdde43d4ac135d5836b7bf40f # v1.11.0 - if: ${{ inputs.test }} + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: - attestations: false + attestations: ${{ secrets.TEST_PYPI_API_TOKEN == '' }} password: ${{ secrets.TEST_PYPI_API_TOKEN }} repository-url: https://test.pypi.org/legacy/ + verbose: ${{ runner.debug == '1' }} + + pypi_release: + name: Publish Python Package to PyPI + runs-on: ubuntu-24.04 + needs: + - test_release + permissions: + actions: read + id-token: write + environment: + name: release + url: https://pypi.org/p/saltext.github + + steps: + - name: Download Python Package Artifacts + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + name: salt-extension-packages + path: dist + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + + - name: Publish distribution to PyPI + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 + with: + attestations: ${{ secrets.PYPI_API_TOKEN == '' }} + password: ${{ secrets.PYPI_API_TOKEN }} + verbose: ${{ runner.debug == '1' }} + + docs_release: + name: Deploy Docs + uses: ./.github/workflows/deploy-docs-action.yml + needs: + - pypi_release + - get_version + permissions: + actions: read + pages: 
write + id-token: write + + gh_release: + name: Create GitHub release + runs-on: ubuntu-24.04 + needs: + - pypi_release + - get_version + permissions: + actions: read + contents: write + + steps: + - name: Download Python Package Artifacts + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + name: salt-extension-packages + path: dist + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} - name: Create GitHub Release - if: ${{ !inputs.test }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ needs.get_version.outputs.version }} run: | - gh release create "v${{ inputs.version }}" \ + gh release create "v${{ needs.get_version.outputs.version }}" \ --repo="$GITHUB_REPOSITORY" \ - --title="${GITHUB_REPOSITORY#*/} ${{ inputs.version }}" \ + --title="${GITHUB_REPOSITORY#*/} $VERSION" \ --generate-notes \ dist/* - - - name: Publish distribution to PyPI - uses: pypa/gh-action-pypi-publish@1bb664cc2ddedbbfdde43d4ac135d5836b7bf40f # v1.11.0 - if: ${{ !inputs.test }} - with: - # Attestations are only submitted when using Trusted Publishing, - # which is triggered by secrets.PYPI_API_TOKEN not being set. - # They don't work with reusable workflows at the moment. - # It's related to https://github.com/pypi/warehouse/issues/11096 - attestations: false - password: ${{ secrets.PYPI_API_TOKEN }} diff --git a/.github/workflows/docs-action.yml b/.github/workflows/docs-action.yml index 182571bc..9df39709 100644 --- a/.github/workflows/docs-action.yml +++ b/.github/workflows/docs-action.yml @@ -4,6 +4,9 @@ name: Build Documentation on: workflow_call: +permissions: + contents: read + jobs: Docs: runs-on: ubuntu-24.04 @@ -24,8 +27,8 @@ jobs: python -m pip install --upgrade pip pip install "nox==$NOX_VERSION" "uv==$UV_VERSION" env: - NOX_VERSION: '2025.11.12' - UV_VERSION: '0.9.27' + NOX_VERSION: '2026.2.9' + UV_VERSION: '0.10.11' - name: Install Doc Requirements run: | 
@@ -38,21 +41,11 @@ jobs: nox --force-color -e docs - name: Upload built docs as artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: html-docs path: docs/_build/html - - name: Set Exit Status - if: always() - run: | - mkdir exitstatus - echo "${{ job.status }}" > exitstatus/${{ github.job }} - - name: Upload Exit Status if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: exitstatus-${{ github.job }} - path: exitstatus - if-no-files-found: error + uses: ./.github/actions/upload-exitstatus diff --git a/.github/workflows/get-changed-files.yml b/.github/workflows/get-changed-files.yml index 85404a98..f19fca24 100644 --- a/.github/workflows/get-changed-files.yml +++ b/.github/workflows/get-changed-files.yml @@ -6,13 +6,14 @@ on: description: "Changed file JSON output from dorny/paths-filter" value: ${{ jobs.get-changed-files.outputs.changed-files }} +permissions: + contents: read # for dorny/paths-filter to fetch a list of changed files + pull-requests: read # for dorny/paths-filter to read pull requests + jobs: get-changed-files: name: Get Changed Files runs-on: ubuntu-24.04 - permissions: - contents: read # for dorny/paths-filter to fetch a list of changed files - pull-requests: read # for dorny/paths-filter to read pull requests outputs: changed-files: ${{ toJSON(steps.changed-files.outputs) }} @@ -25,7 +26,7 @@ jobs: with: token: ${{ github.token }} list-files: escape - filters: | + filters: |- repo: - added|modified: - '**' diff --git a/.github/workflows/package-action.yml b/.github/workflows/package-action.yml index 165ae6a9..150364ae 100644 --- a/.github/workflows/package-action.yml +++ b/.github/workflows/package-action.yml 
@@ -1,12 +1,11 @@ --- -name: Salt Extension Python Package +name: Build Salt Extension Python Package on: workflow_call: - inputs: - version: - required: true - type: string + +permissions: + contents: read jobs: build: @@ -30,35 +29,16 @@ jobs: build --user - - name: Echo Version - run: echo "${{ inputs.version }}" - - name: Build Wheel - run: | - # The version of our PyPA publish action (specifically the twine version used in it) - # does not support Core Metadata 2.4, which was introduced in setuptools release 77. - # We cannot upgrade it until the release workflow has been refactored into standalone one. - echo "setuptools<77" > "$RUNNER_TEMP/build-constraints.txt" - PIP_CONSTRAINT="$RUNNER_TEMP/build-constraints.txt" python -m build --outdir dist/ + run: python -m build --outdir dist/ - name: Upload build artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - if: always() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: - name: salt-extension-${{ inputs.version }}-packages + name: salt-extension-packages path: dist/* retention-days: 5 - - name: Set Exit Status - if: always() - run: | - mkdir exitstatus - echo "${{ job.status }}" > exitstatus/${{ github.job }} - - name: Upload Exit Status if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: exitstatus-${{ github.job }} - path: exitstatus - if-no-files-found: error + uses: ./.github/actions/upload-exitstatus diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 64a94703..447ce9cb 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -1,56 +1,23 @@ --- -name: Pull Request or Push +name: Pull Request on: - push: - branches: - - 'main' # Run on pushes to main - tags-ignore: - - '*' # Ignore pushes to tags pull_request: jobs: - # After merging the release PR, we don't want to trigger - # this workflow in addition to the Tagged Releases one. - # This pauses CI on pushes to the main branch completely. - check_release_in_progress: - name: Skip CI While Releasing - runs-on: ubuntu-24.04 - if: github.event_name == 'push' - outputs: - count: ${{ steps.workflow_count.outputs.count }} - - steps: - - name: Count Running Release Workflows Triggered by Automated PR - id: workflow_count - env: - GH_TOKEN: ${{ github.token }} - run: | - count="$(gh run list \ - --repo "$GITHUB_REPOSITORY" \ - --event pull_request \ - --branch release/auto \ - --workflow 'Tagged Releases' \ - --json status \ - --jq 'map(select(.status == ("queued","in_progress"))) | length')" - echo "count=$count" >> "$GITHUB_OUTPUT" - call_central_workflow: name: CI - needs: - - check_release_in_progress - if: > - always() && - github.event_name != 'push' || - ( - needs.check_release_in_progress.result == 'success' && - needs.check_release_in_progress.outputs.count == '0' - ) uses: ./.github/workflows/ci.yml - with: - deploy-docs: true permissions: - contents: write + contents: read id-token: write - pages: write - pull-requests: write + pull-requests: read + + set_resolution: + # This step is just so we can make github require this step, to pass checks + # on a pull request instead of requiring all + name: Set the CI Pipeline Exit Status + if: always() + needs: + - call_central_workflow + uses: ./.github/workflows/set-resolution-action.yml diff --git a/.github/workflows/pre-commit-action.yml b/.github/workflows/pre-commit-action.yml index b5ef1155..39cc2425 100644 --- a/.github/workflows/pre-commit-action.yml +++ b/.github/workflows/pre-commit-action.yml 
@@ -9,12 +9,15 @@ on: type: string description: JSON string containing information about changed files +permissions: + contents: read + jobs: Pre-Commit: name: Pre-Commit runs-on: ubuntu-24.04 container: - image: 'docker.io/library/python:3.10.19-slim-bookworm@sha256:ac7bf2ae912299e41783a8e4eff07369dc6de3444bdc1cc29626a05241f957d7' + image: 'docker.io/library/python:3.10.20-slim-bookworm@sha256:b1f549b1c3da651d93802122ebcb0c3177702a6d549676236c859ad19e79e9da' steps: - name: Install System Deps @@ -41,16 +44,6 @@ jobs: run: | pre-commit run --show-diff-on-failure --color=always --files ${{ fromJSON(inputs.changed-files)['repo_files'] }} - - name: Set Exit Status - if: always() - run: | - mkdir exitstatus - echo "${{ job.status }}" > exitstatus/${{ github.job }} - - name: Upload Exit Status if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: exitstatus-${{ github.job }} - path: exitstatus - if-no-files-found: error + uses: ./.github/actions/upload-exitstatus diff --git a/.github/workflows/prepare-release-action.yml b/.github/workflows/prepare-release-action.yml index db088cb7..c63552a2 100644 --- a/.github/workflows/prepare-release-action.yml +++ b/.github/workflows/prepare-release-action.yml @@ -3,6 +3,11 @@ name: Prepare Release PR on: workflow_call: + secrets: + AUTORELEASE_CLID: + required: false + AUTORELEASE_PRIV: + required: false workflow_dispatch: inputs: version: 
@@ -16,11 +21,30 @@ jobs: name: Render changelog and create/update PR runs-on: ubuntu-24.04 if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - permissions: - contents: write - pull-requests: write steps: + # We support running with and without a dedicated app. + # Registering a dedicated app allows CI to run on the release PR. + - name: Check if autorelease app was setup + id: check-app + env: + AUTORELEASE_CLID: ${{ secrets.AUTORELEASE_CLID }} + AUTORELEASE_PRIV: ${{ secrets.AUTORELEASE_PRIV }} + run: |- + if [ -n "$AUTORELEASE_CLID" ] && [ -n "$AUTORELEASE_PRIV" ]; then + echo "available=1" >> "$GITHUB_OUTPUT" + else + echo "available=0" >> "$GITHUB_OUTPUT" + fi + + - name: Generate autorelease token + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 + if: steps.check-app.outputs.available == '1' + id: generate-token + with: + app-id: ${{ secrets.AUTORELEASE_CLID }} + private-key: ${{ secrets.AUTORELEASE_PRIV }} + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -35,7 +59,7 @@ jobs: python -m pip install '.[changelog]' pre-commit - name: Get next version - if: github.event_name == 'push' || inputs.version == '' + if: github.event_name != 'workflow_dispatch' || inputs.version == '' id: next-version run: echo "version=$(python tools/version.py next)" >> "$GITHUB_OUTPUT" 
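Review bot: In `.github/workflows/prepare-release-action.yml`, removing the job-level `permissions:` (`contents: write`, `pull-requests: write`) leaves the `github.token` fallback dependent on the caller's or the repository's default token scope. That fallback is used by the `Create/update release PR` step, which is changed in a later hunk. Neither the `prepare-release` job added in `push.yml` nor the `workflow_dispatch` path visible here grants those scopes, so on a repository with a read-only default token the no-app path would likely fail to push `release/auto`. If both modes are meant to be supported, keep the two write scopes on this job (they do not affect the app token), or document that the default workflow permissions must be read/write. The job's steps continue outside this hunk.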
@@ -51,11 +75,13 @@ jobs: - name: Create/update release PR uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: + token: ${{ steps.check-app.outputs.available == '1' && steps.generate-token.outputs.token || github.token }} commit-message: Release v${{ (github.event_name == 'workflow_dispatch' && inputs.version != '') && inputs.version || steps.next-version.outputs.version }} branch: release/auto sign-commits: true + labels: release title: Release v${{ (github.event_name == 'workflow_dispatch' && inputs.version != '') && inputs.version || steps.next-version.outputs.version }} - body: | + body: |- This automated PR builds the latest changelog. When merged, a new release is published automatically. Before merging, please ensure it's based on the most recent default branch HEAD. @@ -63,3 +89,7 @@ jobs: If you want to rebuild this PR with a custom version or the current date, you can also trigger the corresponding workflow manually in `Actions` > `Prepare Release PR` > `Run workflow`. You can still follow the manual release procedure outlined in: https://salt-extensions.github.io/salt-extension-copier/topics/publishing.html + + - name: Upload Exit Status + if: always() + uses: ./.github/actions/upload-exitstatus diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml new file mode 100644 index 00000000..5cea567b --- /dev/null +++ b/.github/workflows/push.yml 
@@ -0,0 +1,100 @@ +--- +name: Push + +on: + push: + branches: + - 'main' # Run on pushes to main + tags-ignore: + - '*' # Ignore pushes to tags + +jobs: + # After merging the release PR, we don't want to trigger + # this workflow in addition to the Tagged Releases one. + # This pauses CI on pushes to the main branch completely. + check_release_in_progress: + name: Skip CI While Releasing + runs-on: ubuntu-24.04 + outputs: + count: ${{ steps.workflow_count.outputs.count }} + + steps: + - name: Count Running Release Workflows Triggered by Automated PR + id: workflow_count + env: + GH_TOKEN: ${{ github.token }} + run: | + count="$(gh run list \ + --repo "$GITHUB_REPOSITORY" \ + --event pull_request \ + --branch release/auto \ + --workflow 'Auto PR Releases' \ + --json status \ + --jq 'map(select(.status == ("queued","in_progress"))) | length')" + echo "count=$count" >> "$GITHUB_OUTPUT" + + call_central_workflow: + name: CI + needs: + - check_release_in_progress + if: needs.check_release_in_progress.outputs.count == '0' + uses: ./.github/workflows/ci.yml + permissions: + contents: read + id-token: write + pull-requests: read + + deploy-docs: + name: Deploy Docs + needs: + - call_central_workflow + # Only build doc deployments from the default branch of the repo + if: success() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + uses: ./.github/workflows/deploy-docs-action.yml + permissions: + actions: read + pages: write + id-token: write + + check-prepare-release: + name: Check if we can prepare release PR + needs: + - call_central_workflow + if: success() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) + runs-on: ubuntu-24.04 + outputs: + news-fragments-available: ${{ steps.check-available.outputs.available }} + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Check if news fragments are available + id: check-available + run: | + if [ -n "$(find 
changelog -type f -not -name '.*' -print -quit)" ]; then + echo "available=1" >> "$GITHUB_OUTPUT" + else + echo "available=0" >> "$GITHUB_OUTPUT" + fi + + prepare-release: + name: Prepare Release PR + needs: + - check-prepare-release + if: success() && needs.check-prepare-release.outputs.news-fragments-available == '1' + uses: ./.github/workflows/prepare-release-action.yml + secrets: + AUTORELEASE_CLID: ${{ secrets.AUTORELEASE_CLID }} + AUTORELEASE_PRIV: ${{ secrets.AUTORELEASE_PRIV }} + + set_resolution: + # This step is just so we can make github require this step, to pass checks + # on a pull request instead of requiring all + name: Set the CI Pipeline Exit Status + needs: + - check_release_in_progress + - call_central_workflow + - deploy-docs + - prepare-release + if: always() && needs.check_release_in_progress.outputs.count == '0' + uses: ./.github/workflows/set-resolution-action.yml diff --git a/.github/workflows/set-resolution-action.yml b/.github/workflows/set-resolution-action.yml new file mode 100644 index 00000000..67143b35 --- /dev/null +++ b/.github/workflows/set-resolution-action.yml 
@@ -0,0 +1,41 @@ +--- +name: Set the CI Pipeline Exit Status + +on: + workflow_call: + +jobs: + set-pipeline-exit-status: + # This step is just so we can make github require this step, to pass checks + # on a pull request instead of requiring all + name: Set the CI Pipeline Exit Status + runs-on: ubuntu-24.04 + if: always() + + steps: + - name: Download Exit Status Files + if: always() + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + path: exitstatus + pattern: exitstatus-* + merge-multiple: true + + - name: Delete Exit Status Artifacts + if: always() + uses: geekyeggo/delete-artifact@7ee91e82b4a7f3339cd8b14beace3d826a2aac39 # v5.1.0 + with: + name: exitstatus-* + useGlob: true + failOnError: false + + - name: Set Pipeline Exit Status + if: always() + run: | + tree exitstatus + grep -RE 'failure|cancelled' exitstatus/ && exit 1 || exit 0 + + - name: Done + if: always() + run: + echo "All workflows finished" diff --git a/.github/workflows/tag-auto.yml b/.github/workflows/tag-auto.yml new file mode 100644 index 00000000..3d47110c --- /dev/null +++ b/.github/workflows/tag-auto.yml 
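Review bot: `.github/workflows/set-resolution-action.yml` declares no `permissions:` block, unlike the other reusable workflows touched in this commit. The `set_resolution` callers in `pr.yml` and `push.yml` set none either, so the job runs with whatever the repository default grants. The `Delete Exit Status Artifacts` step presumably needs `actions: write`, and nothing else visible here appears to need more, so a workflow-level `permissions:` block granting only `actions: write` would make the scope explicit. Note also that `grep -RE 'failure|cancelled' exitstatus/ && exit 1 || exit 0` treats a missing status file as success, so the check relies on every job having uploaded one.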
@@ -0,0 +1,107 @@ +# Creates a new release and tag. +# Triggered when the PR created by prepare-release-action.yml is merged. +# The resulting version is taken from the topmost CHANGELOG.md entry. +# Fails if any news fragments are left over or the inferred version does not match the PR title. +# +# Alternative to releasing by manual tag push handled in tag.yml. +--- +name: Auto PR Releases + +on: + pull_request: + branches: + - main + types: + - closed + paths: + - CHANGELOG.md + +jobs: + ensure_trigger: + # We need this workflow to fail if it was triggered accidentally. + name: Ensure trigger is valid + runs-on: ubuntu-24.04 + permissions: {} + + steps: + - name: Validate trigger + env: + # Only trigger this on closed pull requests if: + # - The PR was merged, not just closed. + # - The originating branch is from the same repository as the one running this workflow. + # - The originating branch is called `release/auto` + # - The PR targeted the default branch of the repository this workflow is running from. + # - The PR was labeled with `release`. + IS_VALID: >- + ${{ + github.event.pull_request.merged == true && + github.repository == github.event.pull_request.head.repo.full_name && + github.head_ref == 'release/auto' && + github.base_ref == github.event.repository.default_branch && + contains(github.event.pull_request.labels.*.name, 'release') + }} + run: test "$IS_VALID" = "true" + + get_version_pr: + name: Extract version from merged release PR + runs-on: ubuntu-24.04 + needs: + - ensure_trigger + permissions: + contents: write # To push the new tag. This does not cause a tag event. 
+ + outputs: + version: ${{ steps.get_version_pr.outputs.version }} + + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-tags: true + + - name: Extract version of merged release PR + id: get_version_pr + run: echo "version=$(python tools/version.py)" >> "$GITHUB_OUTPUT" + + - name: Ensure no news fragments are left + run: test -z "$(find changelog -type f -not -path '*/.*' -print -quit)" + + - name: Check extracted version matches PR title + env: + TITLE: ${{ github.event.pull_request.title }} + VERSION: ${{ steps.get_version_pr.outputs.version }} + run: test "$TITLE" = "Release v$VERSION" + + - name: Ensure tag does not exist yet + env: + VERSION: ${{ steps.get_version_pr.outputs.version }} + run: if git rev-parse "refs/tags/v$VERSION" 2>/dev/null; then exit 1; fi + + - name: Create tag for release + uses: mathieudutour/github-tag-action@d28fa2ccfbd16e871a4bdf35e11b3ad1bd56c0c1 # v6.2 + with: + github_token: ${{ github.token }} + custom_tag: ${{ steps.get_version_pr.outputs.version }} + create_annotated_tag: true + + - name: Write version file + env: + VERSION: ${{ steps.get_version_pr.outputs.version }} + run: echo -n "$VERSION" > "$RUNNER_TEMP/version.txt" + + - name: Upload version + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + archive: false + path: ${{ runner.temp }}/version.txt + + call_central_workflow: + needs: + - get_version_pr + uses: ./.github/workflows/ci.yml + permissions: + contents: read + id-token: write + pull-requests: read + + # Further jobs are run separately on `workflow_run` in deploy-package-action.yml diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml index a60a72f3..b67ade7f 100644 --- a/.github/workflows/tag.yml +++ b/.github/workflows/tag.yml 
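Review bot: In `.github/workflows/tag-auto.yml`, the `Upload version` step sets no `name:`, so the artifact name that `deploy-package-action.yml` later downloads (`name: version.txt`) is presumably implied by `archive: false` and the file name. A comment such as `# archive: false names the artifact after the file; deploy-package-action.yml downloads it as version.txt` would make that coupling visible, and the same applies to the identical step added in `tag.yml`. In `get_version_pr`, the checkout runs in a job holding `contents: write`. If the tag action works purely from its `github_token` input, `persist-credentials: false` on the checkout would keep the write token out of the git config while `tools/version.py` runs; confirm this before changing it.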
@@ -1,3 +1,9 @@ +# Creates a new release. +# Triggered by pushing a tag beginning with `v`. +# The resulting version is taken from the tag. +# Fails if any news fragments are left over or the inferred version does not match the topmost changelog entry. +# +# Alternative to releasing by merging the autorelease PR. --- name: Tagged Releases @@ -5,17 +11,11 @@ on: push: tags: - "v*" # Only tags starting with "v" for "v1.0.0", etc. - pull_request: - types: - - closed - paths: - - CHANGELOG.md jobs: get_version_tag: name: Extract version from tag runs-on: ubuntu-24.04 - if: github.event_name == 'push' outputs: version: ${{ steps.get_version_tag.outputs.version }} @@ -23,25 +23,37 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Extract tag name + - name: Extract version from tag name id: get_version_tag run: echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT" - name: Ensure changelog was rendered + env: + VERSION: ${{ steps.get_version_tag.outputs.version }} run: | - test "${{ steps.get_version_tag.outputs.version }}" = "$(python tools/version.py)" && \ + test "$VERSION" = "$(python tools/version.py)" && \ test -z "$(find changelog -type f -not -name '.*' -print -quit)" + - name: Write version file + env: + VERSION: ${{ steps.get_version_tag.outputs.version }} + run: echo -n "$VERSION" > "$RUNNER_TEMP/version.txt" + + - name: Upload version + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + archive: false + path: ${{ runner.temp }}/version.txt + close_autopr_on_tag: name: Close release PR on manual tag runs-on: ubuntu-24.04 - if: github.event_name == 'push' needs: - get_version_tag steps: - name: Find Pull Request - uses: juliangruber/find-pull-request-action@20b962e58a4abbc0dc63bcc0fde0c997de8782b5 # v1.10.0 + uses: juliangruber/find-pull-request-action@2956f830b67a9c78c392f00c69404edc4e497d30 # v1.11.0 id: find-pull-request with: branch: release/auto 
@@ -59,70 +71,13 @@ jobs: --repo "$GITHUB_REPOSITORY" \ "${{ steps.find-pull-request.outputs.number }}" - get_version_pr: - name: Extract version from merged release PR - runs-on: ubuntu-24.04 - permissions: - contents: write # To push the new tag. This does not cause a tag event. - - # Only trigger this on closed pull requests if: - # - The originating branch is from the same repository as the one running this workflow. - # - The originating branch is called `release/auto` - # - The PR was merged, not just closed. - # - The PR targeted the default branch of the repository this workflow is running from. - if: >- - github.event_name == 'pull_request' && - github.repository == github.event.pull_request.head.repo.full_name && - github.head_ref == 'release/auto' && - github.event.pull_request.merged == true && - github.base_ref == github.event.repository.default_branch - - outputs: - version: ${{ steps.get_version_pr.outputs.version }} - - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Extract version of merged release PR - id: get_version_pr - run: echo "version=$(python tools/version.py)" >> "$GITHUB_OUTPUT" - - - name: Ensure no news fragments are left - run: test -z "$(find changelog -type f -not -path '*/.*' -print -quit)" - - - name: Check extracted version matches PR title - env: - TITLE: ${{ github.event.pull_request.title }} - run: >- - [[ "$TITLE" == "Release v${{ steps.get_version_pr.outputs.version }}" ]] || exit 1 - - - name: Create tag for release - uses: mathieudutour/github-tag-action@d28fa2ccfbd16e871a4bdf35e11b3ad1bd56c0c1 # v6.2 - with: - github_token: ${{ github.token }} - custom_tag: ${{ steps.get_version_pr.outputs.version }} - create_annotated_tag: true - call_central_workflow: - # Only call the central workflow if either of the above jobs report success. 
- if: >- - always() && - ( - needs.get_version_tag.result == 'success' || - needs.get_version_pr.result == 'success' - ) needs: - get_version_tag - - get_version_pr uses: ./.github/workflows/ci.yml - with: - deploy-docs: true - release: true - version: ${{ github.event_name == 'push' && needs.get_version_tag.outputs.version || needs.get_version_pr.outputs.version }} permissions: - contents: write + contents: read id-token: write - pages: write - pull-requests: write - secrets: inherit + pull-requests: read + + # Further jobs are run separately on `workflow_run` in deploy-package-action.yml diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml index d8af6a7c..05eb0ad2 100644 --- a/.github/workflows/test-action.yml +++ b/.github/workflows/test-action.yml @@ -15,8 +15,8 @@ jobs: max-parallel: 2 matrix: include: - - {salt-version: "3006.19", python-version: "3.10"} - - {salt-version: "3007.11", python-version: "3.10"} + - {salt-version: "3006.23", python-version: "3.10"} + - {salt-version: "3007.13", python-version: "3.10"} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -33,8 +33,8 @@ jobs: python -m pip install --upgrade pip pip install "nox==$NOX_VERSION" "uv==$UV_VERSION" env: - NOX_VERSION: '2025.11.12' - UV_VERSION: '0.9.27' + NOX_VERSION: '2026.2.9' + UV_VERSION: '0.10.11' - name: Install Test Requirements env: @@ -64,7 +64,7 @@ jobs: flags: ${{ steps.codecov-flags.outputs.flags }},project name: ${{ runner.os }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }}-project use_oidc: true - version: v10.4.0 + version: v11.2.6 - name: Upload Tests Code Coverage uses: codecov/codecov-action@0561704f0f02c16a585d4c7555e57fa2e44cf909 # v5.5.2 
@@ -75,28 +75,20 @@ jobs: flags: ${{ steps.codecov-flags.outputs.flags }},tests name: ${{ runner.os }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }}-tests use_oidc: true - version: v10.4.0 + version: v11.2.6 - name: Upload Logs if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: runtests-${{ runner.os }}-py${{ matrix.python-version }}-Salt${{ matrix.salt-version }}.log path: artifacts/runtests-*.log - - name: Set Exit Status - if: always() - run: | - mkdir exitstatus - echo "${{ job.status }}" > exitstatus/${{ github.job }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }} - - name: Upload Exit Status if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: ./.github/actions/upload-exitstatus with: - name: exitstatus-${{ github.job }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }} - path: exitstatus - if-no-files-found: error + name: ${{ github.job }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }} Windows: runs-on: windows-2025 @@ -107,8 +99,8 @@ jobs: max-parallel: 2 matrix: include: - - {salt-version: "3006.19", python-version: "3.10"} - - {salt-version: "3007.11", python-version: "3.10"} + - {salt-version: "3006.23", python-version: "3.10"} + - {salt-version: "3007.13", python-version: "3.10"} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -125,8 +117,8 @@ jobs: python -m pip install --upgrade pip pip install "nox==$env:NOX_VERSION" "uv==$env:UV_VERSION" env: - NOX_VERSION: '2025.11.12' - UV_VERSION: '0.9.27' + NOX_VERSION: '2026.2.9' + UV_VERSION: '0.10.11' - name: Install Test Requirements shell: bash 
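Review bot: `Upload Exit Status` now runs `uses: ./.github/actions/upload-exitstatus` under `if: always()`, and a local action is loaded from the checked-out workspace, so if `actions/checkout` itself fails the step cannot be resolved and no exit-status artifact is written. The removed inline `run:` step had no such dependency. If a later job aggregates these artifacts (not visible here), a missing one should count as a failure rather than be skipped; a comment such as `# needs a successful checkout; a missing artifact must count as failure` above the step would record that. The same replacement appears in the `@@ -172,28 +164,20 @@` and `@@ -264,25 +248,17 @@` hunks for the Windows and macOS jobs. The job containing this step starts outside the hunk.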
@@ -161,7 +153,7 @@ jobs: flags: ${{ steps.codecov-flags.outputs.flags }},project name: ${{ runner.os }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }}-project use_oidc: true - version: v10.4.0 + version: v11.2.6 - name: Upload Tests Code Coverage uses: codecov/codecov-action@0561704f0f02c16a585d4c7555e57fa2e44cf909 # v5.5.2 @@ -172,28 +164,20 @@ jobs: flags: ${{ steps.codecov-flags.outputs.flags }},tests name: ${{ runner.os }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }}-tests use_oidc: true - version: v10.4.0 + version: v11.2.6 - name: Upload Logs if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: runtests-${{ runner.os }}-py${{ matrix.python-version }}-Salt${{ matrix.salt-version }}.log path: artifacts/runtests-*.log - - name: Set Exit Status - if: always() - run: | - mkdir exitstatus - echo "${{ job.status }}" > exitstatus/${{ github.job }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }} - - name: Upload Exit Status if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: ./.github/actions/upload-exitstatus with: - name: exitstatus-${{ github.job }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }} - path: exitstatus - if-no-files-found: error + name: ${{ github.job }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }} macOS: runs-on: macos-14 @@ -204,8 +188,8 @@ jobs: max-parallel: 2 matrix: include: - - {salt-version: "3006.19", python-version: "3.10"} - - {salt-version: "3007.11", python-version: "3.10"} + - {salt-version: "3006.23", python-version: "3.10"} + - {salt-version: "3007.13", python-version: "3.10"} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -222,8 +206,8 @@ jobs: python -m pip install --upgrade pip pip install "nox==$NOX_VERSION" "uv==$UV_VERSION" env: - NOX_VERSION: '2025.11.12' - UV_VERSION: '0.9.27' + NOX_VERSION: '2026.2.9' + UV_VERSION: '0.10.11' - name: Install Test Requirements env: @@ -253,7 +237,7 @@ jobs: flags: ${{ steps.codecov-flags.outputs.flags }},project name: ${{ runner.os }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }}-project use_oidc: true - version: v10.4.0 + version: v11.2.6 - name: Upload Tests Code Coverage uses: codecov/codecov-action@0561704f0f02c16a585d4c7555e57fa2e44cf909 # v5.5.2 @@ -264,25 +248,17 @@ jobs: flags: ${{ steps.codecov-flags.outputs.flags }},tests name: ${{ runner.os }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }}-tests use_oidc: true - version: v10.4.0 + version: v11.2.6 - name: Upload Logs if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: runtests-${{ runner.os }}-py${{ matrix.python-version }}-Salt${{ matrix.salt-version }}.log path: artifacts/runtests-*.log - - name: Set Exit Status - if: always() - run: | - mkdir exitstatus - echo "${{ job.status }}" > exitstatus/${{ github.job }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }} - - name: Upload Exit Status if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: ./.github/actions/upload-exitstatus with: - name: exitstatus-${{ github.job }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }} - path: exitstatus - if-no-files-found: error + name: ${{ github.job }}-Py${{ matrix.python-version }}-Salt${{ matrix.salt-version }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 27e6bc70..0c3ae36a 100755 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -66,7 +66,7 @@ repos: exclude: src/saltext/github/version.py - repo: https://github.com/PyCQA/isort - rev: 0a09c783808cfe77bb3269250f663ff733d23302 # 7.0.0 + rev: a333737ed43df02b18e6c95477ea1b285b3de15a # 8.0.1 hooks: - id: isort args: [ @@ -75,7 +75,7 @@ repos: exclude: src/saltext/github/(__init__|version).py - repo: https://github.com/psf/black - rev: 6305bf1ae645ab7541be4f5028a86239316178eb # 26.1.0 + rev: c6755bb741b6481d6b3d3bb563c83fa060db96c9 # 26.3.1 hooks: - id: black args: [-l 100] @@ -88,12 +88,12 @@ repos: args: [--skip-errors] files: ^(docs/.*\.rst|src/saltext/github/.*\.py)$ additional_dependencies: - - black==26.1.0 + - black==26.3.1 # <---- Formatting ----------------------------------------------------------------------------- # ----- Security ------------------------------------------------------------------------------> - repo: https://github.com/PyCQA/bandit - rev: 765f00d3f202f83f61d03f882f80a2d5142d81f8 # 1.9.3 + rev: 92ae8b82fb422a639f0ed8d99e96cea769594e08 # 1.9.4 hooks: - id: bandit alias: bandit-salt @@ -102,7 +102,7 @@ repos: exclude: src/saltext/github/version.py - repo: https://github.com/PyCQA/bandit - rev: 765f00d3f202f83f61d03f882f80a2d5142d81f8 # 1.9.3 + rev: 92ae8b82fb422a639f0ed8d99e96cea769594e08 # 1.9.4 hooks: - id: bandit alias: bandit-tests @@ -123,8 +123,8 @@ repos: files: ^((setup|noxfile)|src/.*)\.py$ require_serial: true additional_dependencies: - - nox==2025.11.12 - - uv==0.9.27 # Makes this hook much faster + - nox==2026.2.9 + - uv==0.10.11 # Makes this hook much faster - id: nox alias: lint-tests 
@@ -134,11 +134,11 @@ repos: files: ^tests/.*\.py$ require_serial: true additional_dependencies: - - nox==2025.11.12 - - uv==0.9.27 # Makes this hook much faster + - nox==2026.2.9 + - uv==0.10.11 # Makes this hook much faster - repo: https://github.com/Mateusz-Grzelinski/actionlint-py - rev: 85c37735ea69e5baf0681530e57e63deee0ce733 # v1.7.10.24 + rev: 694e2c0dfb4253d51f3c6c54b8f9fec0a16764dc # v1.7.11.24 hooks: - id: actionlint additional_dependencies: diff --git a/noxfile.py b/noxfile.py index 6c7fb490..9c308a68 100755 --- a/noxfile.py +++ b/noxfile.py @@ -31,7 +31,7 @@ SKIP_REQUIREMENTS_INSTALL = os.environ.get("SKIP_REQUIREMENTS_INSTALL", "0") == "1" EXTRA_REQUIREMENTS_INSTALL = os.environ.get("EXTRA_REQUIREMENTS_INSTALL") -COVERAGE_REQUIREMENT = os.environ.get("COVERAGE_REQUIREMENT") or "coverage==7.13.2" +COVERAGE_REQUIREMENT = os.environ.get("COVERAGE_REQUIREMENT") or "coverage==7.13.4" SALT_REQUIREMENT = os.environ.get("SALT_REQUIREMENT") or "salt>=3006" if SALT_REQUIREMENT == "salt==master": SALT_REQUIREMENT = "git+https://github.com/saltstack/salt.git@master" diff --git a/pyproject.toml b/pyproject.toml index 02dd25ec..528624fb 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -58,9 +58,9 @@ dev = [ # When initializing the dev env using the included automation, pass # `--extras` to install them automatically. dev_extra = [ - "black==26.1.0", - "isort==7.0.0", - "coverage==7.13.2", + "black==26.3.1", + "isort==8.0.1", + "coverage==7.13.4", ] docs = [ "sphinx",