autopkg-wrapper 2025.11.1__tar.gz → 2026.2.2__tar.gz

{autopkg_wrapper-2025.11.1 → autopkg_wrapper-2026.2.2}/.github/workflows/build-publish.yml

@@ -34,7 +34,6 @@ jobs:
       contents: write
 
     steps:
-      # - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - id: check-inputs
         env:
           INPUT_DRY_RUN: ${{ github.event.inputs.dry_run }}
@@ -104,17 +103,17 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Setup UV
-        uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
+        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
         with:
           activate-environment: true
           enable-cache: true
           cache-dependency-glob: uv.lock
 
       - name: Setup Python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version-file: pyproject.toml
 
@@ -123,7 +122,7 @@ jobs:
           uv version ${{ needs.release.outputs.version }}
           uv build
       - name: Upload Package Artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: python-package-distributions
           path: dist/
@@ -142,7 +141,7 @@ jobs:
 
     steps:
       - name: Download Package Artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: python-package-distributions
           path: dist/
@@ -166,7 +165,7 @@ jobs:
 
     steps:
       - name: Download Package Artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: python-package-distributions
           path: dist/
@@ -185,11 +184,11 @@ jobs:
 
     steps:
       - name: Download Package Artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: python-package-distributions
           path: dist/
-      - uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0
+      - uses: sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d # v3.2.0
         with:
           inputs: |
             dist/*.whl

{autopkg_wrapper-2025.11.1 → autopkg_wrapper-2026.2.2}/.github/workflows/codeql.yml

@@ -27,14 +27,14 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@382a50a0284c0de445104889a9d6003acb4b3c1d # v2.15.4
+      uses: github/codeql-action/init@25a224b8085c21d4d61b7fc051468805fc3ac490 # codeql-bundle-v2.24.0
       with:
         languages: ${{ matrix.language }}
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@382a50a0284c0de445104889a9d6003acb4b3c1d # v2.15.4
+      uses: github/codeql-action/analyze@25a224b8085c21d4d61b7fc051468805fc3ac490 # codeql-bundle-v2.24.0
       with:
         category: "/language:${{matrix.language}}"

{autopkg_wrapper-2025.11.1 → autopkg_wrapper-2026.2.2}/.github/workflows/dependency-review.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: "Dependency Review"
         uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2

autopkg_wrapper-2026.2.2/PKG-INFO

@@ -0,0 +1,105 @@
+Metadata-Version: 2.4
+Name: autopkg-wrapper
+Version: 2026.2.2
+Summary: A package used to execute some autopkg functions, primarily within the context of a GitHub Actions runner.
+Project-URL: Repository, https://github.com/smithjw/autopkg-wrapper
+Author-email: James Smith <james@smithjw.me>
+License-Expression: BSD-3-Clause
+License-File: LICENSE
+Requires-Python: ~=3.14.0
+Requires-Dist: chardet
+Requires-Dist: idna
+Requires-Dist: jamf-pro-sdk
+Requires-Dist: pygithub
+Requires-Dist: requests
+Requires-Dist: ruamel-yaml
+Requires-Dist: toml
+Requires-Dist: urllib3
+Description-Content-Type: text/markdown
+
+# autopkg-wrapper
+
+`autopkg_wrapper` is a small package that can be used to run [`autopkg`](https://github.com/autopkg/autopkg) within CI/CD environments such as GitHub Actions.
+
+The easiest way to run it is by installing with pip.
+
+```shell
+pip install autopkg-wrapper
+```
+
+## Command Line Parameters
+
+```shell
+-h, --help                      Show this help message and exit
+--recipe-file RECIPE_FILE       Path to a list of recipes to run (cannot be run with --recipes)
+--recipes [RECIPES ...]         Recipes to run with autopkg (cannot be run with --recipe-file)
+--debug                         Enable debug logging when running script
+ --disable-recipe-trust-check    If this option is used, recipe trust verification will not be run prior to a recipe run.
+ --github-token GITHUB_TOKEN     A token used to publish a PR to your GitHub repo if overrides require their trust to be updated
+ --branch-name BRANCH_NAME       Branch name to be used where recipe overrides have failed their trust verification and need to be updated.
+                                 By default, this will be in the format of "fix/update_trust_information/YYYY-MM-DDTHH-MM-SS"
+ --create-pr                     If enabled, autopkg_wrapper will open a PR for updated trust information
+ --create-issues                 Create a GitHub issue for recipes that fail during processing
+ --disable-git-commands          If this option is used, git commands won't be run
+ --post-processors [POST_PROCESSORS ...]
+                                 One or more autopkg post processors to run after each recipe execution
+ --autopkg-prefs AW_AUTOPKG_PREFS_FILE
+                                 Path to the autopkg preferences you'd like to use
+ --overrides-repo-path AUTOPKG_OVERRIDES_REPO_PATH
+                                 The path on disk to the git repository containing the autopkg overrides directory. If none is provided, we will try to determine it for you.
+ --concurrency CONCURRENCY       Number of recipes to run in parallel (default: 1)
+ --process-reports               Process autopkg report directories or zip and emit markdown summaries (runs after recipes complete)
+ --reports-zip REPORTS_ZIP       Path to an autopkg_report-*.zip to extract and process
+ --reports-extract-dir REPORTS_EXTRACT_DIR
+                                 Directory to extract the zip into (default: autopkg_reports_summary/reports)
+ --reports-dir REPORTS_DIR       Directory of reports to process (if no zip provided). Defaults to /private/tmp/autopkg when processing after a run
+ --reports-out-dir REPORTS_OUT_DIR
+                                 Directory to write markdown outputs (default: autopkg_reports_summary/summary)
+ --reports-run-date REPORTS_RUN_DATE
+                                 Run date string to include in the summary
+ --reports-strict                Exit non-zero if any errors are detected in processed reports
+```
+
+## Examples
+
+Run recipes (serial):
+
+```bash
+autopkg_wrapper --recipes Foo.download Bar.download
+```
+
+Run 3 recipes concurrently and process reports afterward:
+
+```bash
+autopkg_wrapper \
+  --recipe-file /path/to/recipe_list.txt \
+  --concurrency 3 \
+  --disable-git-commands \
+  --process-reports \
+  --reports-out-dir /tmp/autopkg_reports_summary \
+  --reports-strict
+```
+
+Process a reports zip explicitly (no recipe run):
+
+```bash
+autopkg_wrapper \
+  --process-reports \
+  --reports-zip /path/to/autopkg_report-2026-02-02.zip \
+  --reports-extract-dir /tmp/autopkg_reports \
+  --reports-out-dir /tmp/autopkg_reports_summary
+```
+
+Notes:
+
+- During recipe runs, per‑recipe plist reports are written to `/private/tmp/autopkg`.
+- When `--process-reports` is supplied without `--reports-zip` or `--reports-dir`, the tool processes `/private/tmp/autopkg`.
+- If `AUTOPKG_JSS_URL`, `AUTOPKG_CLIENT_ID`, and `AUTOPKG_CLIENT_SECRET` are set, uploaded package rows are enriched with Jamf package links.
+  - No extra CLI flag is required; enrichment runs automatically when all three env vars are present.
+
+An example folder structure and GitHub Actions Workflow is available within the [`actions-demo`](actions-demo)
+
+## Credits
+
+- [`autopkg_tools` from Facebook](https://github.com/facebook/IT-CPE/tree/main/legacy/autopkg_tools)
+- [`autopkg_tools` from Facebook, modified by Gusto](https://github.com/Gusto/it-cpe-opensource/tree/main/autopkg)

autopkg_wrapper-2026.2.2/README.md

@@ -0,0 +1,86 @@
+# autopkg-wrapper
+
+`autopkg_wrapper` is a small package that can be used to run [`autopkg`](https://github.com/autopkg/autopkg) within CI/CD environments such as GitHub Actions.
+
+The easiest way to run it is by installing with pip.
+
+```shell
+pip install autopkg-wrapper
+```
+
+## Command Line Parameters
+
+```shell
+-h, --help                      Show this help message and exit
+--recipe-file RECIPE_FILE       Path to a list of recipes to run (cannot be run with --recipes)
+--recipes [RECIPES ...]         Recipes to run with autopkg (cannot be run with --recipe-file)
+--debug                         Enable debug logging when running script
+ --disable-recipe-trust-check    If this option is used, recipe trust verification will not be run prior to a recipe run.
+ --github-token GITHUB_TOKEN     A token used to publish a PR to your GitHub repo if overrides require their trust to be updated
+ --branch-name BRANCH_NAME       Branch name to be used where recipe overrides have failed their trust verification and need to be updated.
+                                 By default, this will be in the format of "fix/update_trust_information/YYYY-MM-DDTHH-MM-SS"
+ --create-pr                     If enabled, autopkg_wrapper will open a PR for updated trust information
+ --create-issues                 Create a GitHub issue for recipes that fail during processing
+ --disable-git-commands          If this option is used, git commands won't be run
+ --post-processors [POST_PROCESSORS ...]
+                                 One or more autopkg post processors to run after each recipe execution
+ --autopkg-prefs AW_AUTOPKG_PREFS_FILE
+                                 Path to the autopkg preferences you'd like to use
+ --overrides-repo-path AUTOPKG_OVERRIDES_REPO_PATH
+                                 The path on disk to the git repository containing the autopkg overrides directory. If none is provided, we will try to determine it for you.
+ --concurrency CONCURRENCY       Number of recipes to run in parallel (default: 1)
+ --process-reports               Process autopkg report directories or zip and emit markdown summaries (runs after recipes complete)
+ --reports-zip REPORTS_ZIP       Path to an autopkg_report-*.zip to extract and process
+ --reports-extract-dir REPORTS_EXTRACT_DIR
+                                 Directory to extract the zip into (default: autopkg_reports_summary/reports)
+ --reports-dir REPORTS_DIR       Directory of reports to process (if no zip provided). Defaults to /private/tmp/autopkg when processing after a run
+ --reports-out-dir REPORTS_OUT_DIR
+                                 Directory to write markdown outputs (default: autopkg_reports_summary/summary)
+ --reports-run-date REPORTS_RUN_DATE
+                                 Run date string to include in the summary
+ --reports-strict                Exit non-zero if any errors are detected in processed reports
+```
+
+## Examples
+
+Run recipes (serial):
+
+```bash
+autopkg_wrapper --recipes Foo.download Bar.download
+```
+
+Run 3 recipes concurrently and process reports afterward:
+
+```bash
+autopkg_wrapper \
+  --recipe-file /path/to/recipe_list.txt \
+  --concurrency 3 \
+  --disable-git-commands \
+  --process-reports \
+  --reports-out-dir /tmp/autopkg_reports_summary \
+  --reports-strict
+```
+
+Process a reports zip explicitly (no recipe run):
+
+```bash
+autopkg_wrapper \
+  --process-reports \
+  --reports-zip /path/to/autopkg_report-2026-02-02.zip \
+  --reports-extract-dir /tmp/autopkg_reports \
+  --reports-out-dir /tmp/autopkg_reports_summary
+```
+
+Notes:
+
+- During recipe runs, per‑recipe plist reports are written to `/private/tmp/autopkg`.
+- When `--process-reports` is supplied without `--reports-zip` or `--reports-dir`, the tool processes `/private/tmp/autopkg`.
+- If `AUTOPKG_JSS_URL`, `AUTOPKG_CLIENT_ID`, and `AUTOPKG_CLIENT_SECRET` are set, uploaded package rows are enriched with Jamf package links.
+  - No extra CLI flag is required; enrichment runs automatically when all three env vars are present.
+
+An example folder structure and GitHub Actions Workflow is available within the [`actions-demo`](actions-demo)
+
+## Credits
+
+- [`autopkg_tools` from Facebook](https://github.com/facebook/IT-CPE/tree/main/legacy/autopkg_tools)
+- [`autopkg_tools` from Facebook, modified by Gusto](https://github.com/Gusto/it-cpe-opensource/tree/main/autopkg)

autopkg_wrapper-2026.2.2/actions-demo/requirements.txt

@@ -0,0 +1,3 @@
+autopkg-wrapper==2025.11.1 \
+    --hash=sha256:1f6e650fb386f7bc010a02be7fc019d90b9a6ebab9b37638492fde1deb962d87 \
+    --hash=sha256:7304c6aa7a944ad86526583ec89115d704b49fe450d0bf4f2b4f7a2ab2aa57d6

{autopkg_wrapper-2025.11.1 → autopkg_wrapper-2026.2.2}/autopkg_wrapper/autopkg_wrapper.py

@@ -4,6 +4,7 @@ import logging
 import plistlib
 import subprocess
 import sys
+from concurrent.futures import ThreadPoolExecutor, as_completed
 from datetime import datetime
 from itertools import chain
 from pathlib import Path
@@ -12,6 +13,7 @@ import autopkg_wrapper.utils.git_functions as git
 from autopkg_wrapper.notifier import slack
 from autopkg_wrapper.utils.args import setup_args
 from autopkg_wrapper.utils.logging import setup_logger
+from autopkg_wrapper.utils.report_processor import process_reports
 
 
 class Recipe(object):
@@ -94,7 +96,7 @@ class Recipe(object):
             self.results["failed"] = True
             self.results["imported"] = ""
         else:
-            report_dir = Path("/tmp/autopkg")
+            report_dir = Path("/private/tmp/autopkg")
             report_time = datetime.now().strftime("%Y-%m-%dT%H-%M-%S")
             report_name = Path(f"{self.name}-{report_time}.plist")
 
@@ -358,31 +360,50 @@ def main():
 
     failed_recipes = []
 
-    for recipe in recipe_list:
-        logging.info(f"Processing Recipe: {recipe.name}")
+    # Run recipes concurrently using a thread pool to parallelize subprocess calls
+    max_workers = max(1, int(getattr(args, "concurrency", 1)))
+    logging.info(f"Running recipes with concurrency={max_workers}")
+
+    def run_one(r: Recipe):
+        logging.info(f"Processing Recipe: {r.name}")
         process_recipe(
-            recipe=recipe,
+            recipe=r,
             disable_recipe_trust_check=args.disable_recipe_trust_check,
             args=args,
         )
+        # Git updates and notifications are applied serially after all recipes finish
+        return r
+
+    with ThreadPoolExecutor(max_workers=max_workers) as executor:
+        futures = [executor.submit(run_one, r) for r in recipe_list]
+        for fut in as_completed(futures):
+            r = fut.result()
+            if r.error or r.results.get("failed"):
+                failed_recipes.append(r)
+
+    # Apply git updates serially to avoid branch/commit conflicts when concurrency > 1
+    for r in recipe_list:
         update_recipe_repo(
             git_info=override_repo_info,
-            recipe=recipe,
+            recipe=r,
             disable_recipe_trust_check=args.disable_recipe_trust_check,
             args=args,
         )
-        slack.send_notification(
-            recipe=recipe, token=args.slack_token
-        ) if args.slack_token else None
-
-        if recipe.error or recipe.results.get("failed"):
-            failed_recipes.append(recipe)
 
-    recipe.pr_url = (
-        git.create_pull_request(git_info=override_repo_info, recipe=recipe)
-        if args.create_pr
-        else None
-    )
+    # Send notifications serially to simplify rate limiting and ordering
+    if args.slack_token:
+        for r in recipe_list:
+            slack.send_notification(recipe=r, token=args.slack_token)
+
+    # Optionally open a PR for updated trust information
+    if args.create_pr and recipe_list:
+        # Choose a representative recipe for the PR title/body
+        rep_recipe = next(
+            (r for r in recipe_list if r.updated is True or r.verified is False),
+            recipe_list[0],
+        )
+        pr_url = git.create_pull_request(git_info=override_repo_info, recipe=rep_recipe)
+        logging.info(f"Created Pull Request for trust info updates: {pr_url}")
 
     # Create GitHub issue for failed recipes
     if args.create_issues and failed_recipes and args.github_token:
@@ -390,3 +411,20 @@ def main():
             git_info=override_repo_info, failed_recipes=failed_recipes
         )
         logging.info(f"Created GitHub issue for failed recipes: {issue_url}")
+
+    # Optionally process reports after running recipes
+    if getattr(args, "process_reports", False):
+        rc = process_reports(
+            zip_file=getattr(args, "reports_zip", None),
+            extract_dir=getattr(
+                args, "reports_extract_dir", "autopkg_reports_summary/reports"
+            ),
+            reports_dir=(getattr(args, "reports_dir", None) or "/private/tmp/autopkg"),
+            environment="",
+            run_date=getattr(args, "reports_run_date", ""),
+            out_dir=getattr(args, "reports_out_dir", "autopkg_reports_summary/summary"),
+            debug=bool(getattr(args, "debug", False)),
+            strict=bool(getattr(args, "reports_strict", False)),
+        )
+        if rc:
+            sys.exit(rc)

{autopkg_wrapper-2025.11.1 → autopkg_wrapper-2026.2.2}/autopkg_wrapper/utils/args.py

@@ -90,6 +90,12 @@ def setup_args():
             If this option is used, git commands won't be run
             """,
     )
+    parser.add_argument(
+        "--concurrency",
+        type=int,
+        default=int(os.getenv("AW_CONCURRENCY", "1")),
+        help="Number of recipes to run in parallel (default: 1)",
+    )
     parser.add_argument(
         "--slack-token",
         default=os.getenv("SLACK_WEBHOOK_TOKEN", None),
@@ -144,4 +150,41 @@ def setup_args():
         """,
     )
 
+    # Report processing options
+    parser.add_argument(
+        "--process-reports",
+        action="store_true",
+        help="Process autopkg report directories or zip and emit markdown summaries",
+    )
+    parser.add_argument(
+        "--reports-zip",
+        default=os.getenv("AW_REPORTS_ZIP", None),
+        help="Path to an autopkg_report-*.zip to extract and process",
+    )
+    parser.add_argument(
+        "--reports-extract-dir",
+        default=os.getenv("AW_REPORTS_EXTRACT_DIR", "autopkg_reports_summary/reports"),
+        help="Directory to extract the zip into (default: autopkg_reports_summary/reports)",
+    )
+    parser.add_argument(
+        "--reports-dir",
+        default=os.getenv("AW_REPORTS_DIR", None),
+        help="Directory of reports to process (if no zip provided)",
+    )
+    parser.add_argument(
+        "--reports-out-dir",
+        default=os.getenv("AW_REPORTS_OUT_DIR", "autopkg_reports_summary/summary"),
+        help="Directory to write markdown outputs (default: autopkg_reports_summary/summary)",
+    )
+    parser.add_argument(
+        "--reports-run-date",
+        default=os.getenv("AW_REPORTS_RUN_DATE", ""),
+        help="Run date string to include in the summary",
+    )
+    parser.add_argument(
+        "--reports-strict",
+        action="store_true",
+        help="Exit non-zero if any errors are detected in processed reports",
+    )
+
     return parser.parse_args()