fastly-sync 0.1.0__tar.gz

fastly_sync-0.1.0/.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: MIT
+# Copyright (c) 2026 Chris <goabonga@pm.me>
+
+github: [goabonga]

fastly_sync-0.1.0/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,77 @@
+# SPDX-License-Identifier: MIT
+# Copyright (c) 2026 Chris <goabonga@pm.me>
+
+name: Bug Report
+description: Report a bug or unexpected behavior
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug! Please fill in the details below.
+
+  - type: input
+    id: version
+    attributes:
+      label: fastly-sync version
+      description: "Output of `pip show fastly-sync` or `fastly-sync --version`."
+    validations:
+      required: true
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: A clear description of the bug.
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: How can we reproduce this issue? Include the exact command line.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Behavior
+    validations:
+      required: true
+
+  - type: dropdown
+    id: python-version
+    attributes:
+      label: Python Version
+      options:
+        - "3.11"
+        - "3.12"
+        - "3.13"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating System
+      options:
+        - Linux
+        - macOS
+        - Windows
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs / Traceback
+      render: shell

fastly_sync-0.1.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: MIT
+# Copyright (c) 2026 Chris <goabonga@pm.me>
+
+blank_issues_enabled: false
+contact_links:
+  - name: Code of Conduct
+    url: https://github.com/goabonga/fastly-sync/blob/main/CODE_OF_CONDUCT.md
+    about: Please read our Code of Conduct before contributing
+  - name: Security advisories
+    url: https://github.com/goabonga/fastly-sync/security/advisories/new
+    about: Report a vulnerability privately (do not open a public issue)

fastly_sync-0.1.0/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,37 @@
+# SPDX-License-Identifier: MIT
+# Copyright (c) 2026 Chris <goabonga@pm.me>
+
+name: Feature Request
+description: Suggest a new feature or enhancement
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting a feature! Please describe your idea below.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What problem does this feature solve? Is it related to a frustration?
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: Describe the solution you'd like.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional Context

fastly_sync-0.1.0/.github/dependabot.yml

@@ -0,0 +1,68 @@
+# SPDX-License-Identifier: MIT
+# Copyright (c) 2026 Chris <goabonga@pm.me>
+
+# Dependabot v2 configuration.
+
+version: 2
+
+updates:
+  # Python dependencies via uv.
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "Europe/Paris"
+    open-pull-requests-limit: 5
+    ignore:
+      # `hatchling` lives in [build-system].requires; Dependabot's uv
+      # FileUpdater cannot write that table. Bump it by hand; pip-audit and
+      # osv-scanner still flag any CVEs.
+      - dependency-name: "hatchling"
+    groups:
+      # Bundle routine dev tooling bumps into a single weekly PR. The
+      # signed-rewrite script keys "dev-tools group" -> chore(deps).
+      dev-tools:
+        applies-to: version-updates
+        patterns:
+          - "ruff"
+          - "mypy"
+          - "pytest*"
+          - "pre-commit"
+    # Runtime deps ship in the package -> fixes; the signed rewrite confirms
+    # this from [dependency-groups].dev membership. Dev tooling stays chore.
+    commit-message:
+      prefix: "fix(deps)"
+      prefix-development: "chore(deps)"
+    labels:
+      - "dependencies"
+      - "python"
+
+  # Pinned versions of GitHub Actions in `.github/workflows/*.yml`.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "Europe/Paris"
+    open-pull-requests-limit: 5
+    groups:
+      ci-actions:
+        applies-to: version-updates
+        patterns:
+          - "actions/*"
+          - "astral-sh/*"
+          - "google/*"
+          - "pypa/*"
+          - "codecov/*"
+          - "compilerla/*"
+          - "pre-commit/*"
+          - "docker/*"
+          - "softprops/*"
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "dependencies"
+      - "github-actions"

fastly_sync-0.1.0/.github/pull_request_template.md

@@ -0,0 +1,37 @@
+## Description
+
+<!-- Describe what this PR does and why. -->
+
+## Type
+
+<!-- Check the one that applies: -->
+
+- [ ] `feat` - New feature
+- [ ] `fix` - Bug fix
+- [ ] `docs` - Documentation
+- [ ] `refactor` - Code refactoring
+- [ ] `test` - Adding or updating tests
+- [ ] `chore` - Maintenance
+- [ ] `ci` - CI / release pipeline
+
+## Changes
+
+<!-- List the main changes introduced by this PR: -->
+
+-
+
+## Related Issues
+
+<!-- Link related issues: Closes #123, Fixes #456 -->
+
+## Checklist
+
+- [ ] Commits follow [Conventional Commits](https://www.conventionalcommits.org/)
+- [ ] Branch is up to date with `main`
+- [ ] `uv sync` succeeds
+- [ ] `uv run ruff check src tests` and `uv run ruff format --check src tests` are clean
+- [ ] `uv run mypy src` is clean (if the project uses mypy)
+- [ ] `uv run pytest` passes (if the project has tests)
+- [ ] `uv tool run multicz validate --strict` passes
+- [ ] SPDX license headers are present (`python scripts/add_license_header.py --path . --types py,toml --check`)
+- [ ] No `Co-Authored-By` trailer in commit messages

fastly_sync-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,308 @@
+# SPDX-License-Identifier: MIT
+# Copyright (c) 2026 Chris <goabonga@pm.me>
+
+# Full CI for a PyPI-distributed project. Drop the `type-check` job if the
+# code is not typed, and the `test` job (+ codecov) if there is no suite.
+# Rename to ci.yml in the repo.
+
+name: ci
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ github.job }}
+          python-version: "3.12"
+      - run: uv sync --frozen --only-group dev
+      - run: uv run --no-sync ruff check --output-format=github src tests
+      - run: uv run --no-sync ruff format --check src tests
+
+  # Optional: remove if the project does not use mypy.
+  type-check:
+    name: type-check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ github.job }}
+          python-version: "3.12"
+      - run: uv sync --frozen
+      - run: uv run --no-sync mypy src
+
+  license-headers:
+    name: license-headers
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ github.job }}
+          python-version: "3.12"
+      - name: Check SPDX headers
+        run: |
+          uv run --no-project python scripts/add_license_header.py --path src --types py --check
+          uv run --no-project python scripts/add_license_header.py --path tests --types py --check
+          uv run --no-project python scripts/add_license_header.py --path scripts --types py,sh --check
+          uv run --no-project python scripts/add_license_header.py --path .github --types yml --check
+          uv run --no-project python scripts/add_license_header.py --path . --types toml --check
+
+  # Optional: remove if there is no test suite.
+  test:
+    name: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ github.job }}
+          python-version: "3.12"
+      - run: uv sync --frozen
+      - name: Run tests with coverage
+        run: |
+          uv run --no-sync pytest \
+            --cov=fastly_sync \
+            --cov-report=term-missing \
+            --cov-report=xml:coverage.xml \
+            --junitxml=junit.xml \
+            -o junit_family=legacy
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v6
+        with:
+          files: coverage.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false
+          disable_search: true
+      - name: Upload test results to Codecov
+        if: ${{ !cancelled() }}
+        uses: codecov/codecov-action@v6
+        with:
+          files: junit.xml
+          report_type: test_results
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false
+          disable_search: true
+
+  bandit:
+    name: bandit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ github.job }}
+          python-version: "3.12"
+      # Drop `--from 'bandit[toml]' ... -c pyproject.toml` to plain
+      # `uvx bandit --recursive src` if there is no [tool.bandit] skip list.
+      - run: uvx --from 'bandit[toml]' bandit -c pyproject.toml --recursive src
+
+  pip-audit:
+    name: pip-audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ github.job }}
+          python-version: "3.12"
+      - run: uv sync --frozen
+      - run: uvx pip-audit --skip-editable --path .venv
+
+  osv-scanner:
+    name: osv-scanner
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Install OSV-Scanner
+        run: |
+          mkdir -p "$HOME/.local/bin"
+          curl -sSfL \
+            "https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64" \
+            -o "$HOME/.local/bin/osv-scanner"
+          chmod +x "$HOME/.local/bin/osv-scanner"
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+      - run: osv-scanner scan source --lockfile=uv.lock
+
+  release:
+    name: release
+    needs: [lint, type-check, license-headers, test, bandit, pip-audit, osv-scanner]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    outputs:
+      no_bumps: ${{ steps.bump.outputs.no_bumps }}
+      version: ${{ steps.bump.outputs.version }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+      # NOTE: no python-version pin here - multicz needs Python >=3.12 and
+      # `uv tool install multicz` fails under 3.11.
+      - uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ github.job }}
+      - name: Install multicz
+        run: uv tool install multicz
+      - name: Configure git author
+        run: |
+          NAME="${{ github.event.head_commit.author.name }}"
+          EMAIL="${{ github.event.head_commit.author.email }}"
+          git config user.name  "${NAME:-github-actions[bot]}"
+          git config user.email "${EMAIL:-41898282+github-actions[bot]@users.noreply.github.com}"
+      - name: Detect GPG availability
+        id: gpg
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          if [ -n "$GPG_PRIVATE_KEY" ] && [ -n "$GPG_PASSPHRASE" ]; then
+            echo "available=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "available=false" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Import and unlock GPG key
+        if: steps.gpg.outputs.available == 'true'
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
+          echo test | gpg --batch --yes --passphrase "$GPG_PASSPHRASE" \
+            --pinentry-mode loopback --sign > /dev/null
+          KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/{print $5; exit}')
+          git config user.signingkey "$KEY_ID"
+      - name: Plan release
+        run: uv tool run multicz plan --summary "$GITHUB_STEP_SUMMARY"
+      - name: Bump, commit, tag, push (signed)
+        id: bump_signed
+        if: steps.gpg.outputs.available == 'true'
+        run: |
+          set -euo pipefail
+          PLAN=$(uv tool run multicz bump --commit --tag --push --sign --output json)
+          BUMPED=$(echo "$PLAN" | jq -r '.bumps | keys | join(" ")')
+          if [ -z "$BUMPED" ]; then echo "no_bumps=true" >> "$GITHUB_OUTPUT";
+          else echo "no_bumps=false" >> "$GITHUB_OUTPUT"; echo "version=$(uv tool run multicz get fastly-sync)" >> "$GITHUB_OUTPUT"; fi
+      - name: Bump, commit, tag, push
+        id: bump_unsigned
+        if: steps.gpg.outputs.available != 'true'
+        run: |
+          set -euo pipefail
+          PLAN=$(uv tool run multicz bump --commit --tag --push --output json)
+          BUMPED=$(echo "$PLAN" | jq -r '.bumps | keys | join(" ")')
+          if [ -z "$BUMPED" ]; then echo "no_bumps=true" >> "$GITHUB_OUTPUT";
+          else echo "no_bumps=false" >> "$GITHUB_OUTPUT"; echo "version=$(uv tool run multicz get fastly-sync)" >> "$GITHUB_OUTPUT"; fi
+      - name: Resolve release outputs
+        id: bump
+        run: |
+          if [ "${{ steps.gpg.outputs.available }}" = "true" ]; then
+            echo 'no_bumps=${{ steps.bump_signed.outputs.no_bumps }}' >> "$GITHUB_OUTPUT"
+            echo 'version=${{ steps.bump_signed.outputs.version }}' >> "$GITHUB_OUTPUT"
+          else
+            echo 'no_bumps=${{ steps.bump_unsigned.outputs.no_bumps }}' >> "$GITHUB_OUTPUT"
+            echo 'version=${{ steps.bump_unsigned.outputs.version }}' >> "$GITHUB_OUTPUT"
+          fi
+
+  pypi-publish:
+    name: pypi-publish
+    needs: [release]
+    if: >-
+      github.event_name == 'push' && github.ref == 'refs/heads/main'
+      && needs.release.result == 'success' && needs.release.outputs.no_bumps == 'false'
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/project/fastly-sync/
+    permissions:
+      contents: write
+      id-token: write   # Trusted Publishing (OIDC) - do NOT add a token/password
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: main
+      - uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ github.job }}
+      - name: Install multicz
+        run: uv tool install multicz
+      - name: Build wheel and sdist
+        run: uv build --out-dir dist && ls -l dist
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist
+          skip-existing: true
+      - name: Create GitHub release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          version="${{ needs.release.outputs.version }}"
+          # Use the SAME tag multicz created: bare history -> tag="${version}".
+          tag="v${version}"
+          notes=$(uv tool run multicz release-notes --tag "$tag")
+          gh release create "$tag" --title "$tag" --notes "$notes" dist/*
+
+  docs:
+    name: docs
+    needs: [release]
+    if: >-
+      github.event_name == 'push'
+      && github.ref == 'refs/heads/main'
+      && needs.release.result == 'success'
+      && needs.release.outputs.no_bumps == 'false'
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: main
+      - uses: actions/configure-pages@v6
+        with:
+          enablement: true
+      - uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-suffix: ${{ github.job }}
+      - name: Install Zensical (doc group)
+        run: uv sync --frozen --only-group doc
+      - name: Build site
+        run: uv run zensical build --clean
+      - uses: actions/upload-pages-artifact@v5
+        with:
+          path: site
+      - id: deployment
+        uses: actions/deploy-pages@v5

fastly_sync-0.1.0/.github/workflows/dependabot-rewrite.yml

@@ -0,0 +1,94 @@
+# SPDX-License-Identifier: MIT
+# Copyright (c) 2026 Chris <goabonga@pm.me>
+
+name: dependabot-rewrite
+
+# `pull_request_target` so the workflow can read GPG_PRIVATE_KEY /
+# GPG_PASSPHRASE (regular `pull_request` runs without secrets on bot events).
+# The workflow body is loaded from `main`, not the PR branch, so no untrusted
+# code runs. The actor gate restricts it to genuine Dependabot PRs.
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  rewrite:
+    name: rewrite dependabot commits
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    concurrency:
+      group: dependabot-rewrite-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+    steps:
+      - name: Check GPG availability
+        id: gate
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          if [ -z "$GPG_PRIVATE_KEY" ] || [ -z "$GPG_PASSPHRASE" ]; then
+            {
+              echo "## Dependabot rewrite: skipped"
+              echo ""
+              echo "GPG_PRIVATE_KEY and/or GPG_PASSPHRASE are not configured. "
+              echo "The Dependabot PR ships with bot-authored, web-signed commits."
+            } >> "$GITHUB_STEP_SUMMARY"
+            echo "::warning::GPG secrets unset; leaving Dependabot commits as-is"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Checkout PR head branch
+        if: steps.gate.outputs.skip != 'true'
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+          persist-credentials: true
+
+      - name: Configure GPG and git identity from the imported key
+        if: steps.gate.outputs.skip != 'true'
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          set -euo pipefail
+          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
+          echo test | gpg --batch --yes --passphrase "$GPG_PASSPHRASE" \
+            --pinentry-mode loopback --sign > /dev/null
+          KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/{print $5; exit}')
+          UID_LINE=$(gpg --list-keys --with-colons "$KEY_ID" | awk -F: '/^uid/{print $10; exit}')
+          NAME="${UID_LINE%% <*}"
+          EMAIL=$(printf '%s' "$UID_LINE" | sed -nE 's/.*<([^>]+)>.*/\1/p')
+          git config user.name  "$NAME"
+          git config user.email "$EMAIL"
+          git config user.signingkey "$KEY_ID"
+          git config commit.gpgsign true
+
+      - name: Rewrite commits with scope-aware messages
+        if: steps.gate.outputs.skip != 'true'
+        run: |
+          set -euo pipefail
+          BASE_SHA=$(git merge-base "origin/${{ github.event.pull_request.base.ref }}" HEAD)
+          git rebase "$BASE_SHA" --exec "scripts/rewrite-dependabot-commit.sh"
+
+      - name: Force-push rewritten branch
+        if: steps.gate.outputs.skip != 'true'
+        run: |
+          git push --force-with-lease origin "HEAD:${{ github.event.pull_request.head.ref }}"
+
+      - name: Write step summary
+        if: steps.gate.outputs.skip != 'true' && success()
+        run: |
+          {
+            echo "## Dependabot rewrite: applied"
+            echo ""
+            echo "PR branch \`${{ github.event.pull_request.head.ref }}\` rewritten:"
+            echo ""
+            echo "- Conventional-commits scope inferred from changed files / dev-group membership"
+            echo "- Authored and GPG-signed as \`$(git config user.name) <$(git config user.email)>\`"
+          } >> "$GITHUB_STEP_SUMMARY"

fastly_sync-0.1.0/.gitignore

@@ -0,0 +1,25 @@
+# Python-generated files
+__pycache__/
+*.py[oc]
+build/
+dist/
+wheels/
+*.egg-info
+
+# Virtual environments
+.venv
+
+# Test & coverage artifacts
+.pytest_cache/
+.ruff_cache/
+.mypy_cache/
+.coverage
+coverage.xml
+junit.xml
+htmlcov/
+
+# Docs build output
+site/
+
+# Dependabot-generated requirements (Debian builds)
+debian/requirements.txt

fastly_sync-0.1.0/.multicz/state.json

@@ -0,0 +1,13 @@
+{
+  "version": 1,
+  "git_head": "afb82b697a77cecfce51e8fd20f6291d835ae9e5",
+  "git_head_short": "afb82b6",
+  "timestamp": "2026-06-21T18:23:20Z",
+  "components": {
+    "fastly-sync": {
+      "version": "0.1.0",
+      "tag": "v0.1.0",
+      "tag_sha": null
+    }
+  }
+}