iam-policy-validator 1.6.0__tar.gz → 1.7.1__tar.gz

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.1}/.github/workflows/ci.yml

@@ -7,6 +7,8 @@ on:
     branches: [main, develop]
   workflow_dispatch:
 
+permissions: read-all
+
 env:
   DEFAULT_PYTHON_VERSION: "3.13"
 
@@ -24,7 +26,7 @@ jobs:
           python-version: "${{ env.DEFAULT_PYTHON_VERSION }}"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7
         with:
           enable-cache: true
 
@@ -54,7 +56,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7
         with:
           enable-cache: true
 
@@ -78,7 +80,7 @@ jobs:
           python-version: "${{ env.DEFAULT_PYTHON_VERSION }}"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7
         with:
           enable-cache: true
 
@@ -102,7 +104,7 @@ jobs:
           python-version: "${{ env.DEFAULT_PYTHON_VERSION }}"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7
         with:
           enable-cache: true
 

iam_policy_validator-1.7.1/.github/workflows/cleanup-prereleases.yml

@@ -0,0 +1,160 @@
+name: Cleanup Old Pre-Releases
+
+on:
+  schedule:
+    # Run daily at 00:00 UTC
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Dry run (show what would be deleted without deleting)'
+        required: false
+        type: boolean
+        default: true
+      days_old:
+        description: 'Delete pre-releases older than X days'
+        required: false
+        type: number
+        default: 30
+
+permissions: read-all
+
+jobs:
+  cleanup:
+    name: Delete Old Pre-Releases
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write  # Required for deleting releases and tags
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Cleanup old pre-releases
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Configuration
+          # For scheduled runs, inputs are empty, so default to 30 days and active cleanup
+          DAYS_OLD=${{ inputs.days_old || 30 }}
+          DRY_RUN=${{ inputs.dry_run == true && 'true' || 'false' }}
+
+          echo "🧹 Cleaning up pre-releases older than $DAYS_OLD days"
+          echo "🔍 Dry run: $DRY_RUN"
+          echo ""
+
+          # Calculate cutoff date (Unix timestamp)
+          CUTOFF_DATE=$(date -u -d "$DAYS_OLD days ago" +%s 2>/dev/null || date -u -v-${DAYS_OLD}d +%s)
+          CUTOFF_DATE_HUMAN=$(date -u -d "@$CUTOFF_DATE" +%Y-%m-%d 2>/dev/null || date -u -r $CUTOFF_DATE +%Y-%m-%d)
+
+          echo "📅 Cutoff date: $CUTOFF_DATE_HUMAN"
+          echo ""
+
+          # Get all releases
+          RELEASES=$(gh release list --repo ${{ github.repository }} --limit 1000 --json tagName,isPrerelease,publishedAt,name)
+
+          echo "📋 Pre-releases found:"
+          echo "$RELEASES" | jq -r '.[] | select(.isPrerelease == true) | "\(.tagName) - \(.publishedAt) - \(.name)"'
+          echo ""
+
+          # Create temp files for counters (avoid subshell issue)
+          TEMP_DIR=$(mktemp -d)
+          echo "0" > "$TEMP_DIR/deleted_count"
+          echo "0" > "$TEMP_DIR/kept_count"
+
+          # Process each pre-release
+          echo "$RELEASES" | jq -c '.[] | select(.isPrerelease == true)' | while read -r release; do
+            TAG=$(echo "$release" | jq -r '.tagName')
+            PUBLISHED_AT=$(echo "$release" | jq -r '.publishedAt')
+            NAME=$(echo "$release" | jq -r '.name')
+
+            # Convert published date to Unix timestamp
+            RELEASE_DATE=$(date -u -d "$PUBLISHED_AT" +%s 2>/dev/null || date -u -j -f "%Y-%m-%dT%H:%M:%SZ" "$PUBLISHED_AT" +%s)
+
+            # Calculate age in days
+            AGE_SECONDS=$((CUTOFF_DATE - RELEASE_DATE))
+            AGE_DAYS=$((AGE_SECONDS / 86400))
+
+            if [ $RELEASE_DATE -lt $CUTOFF_DATE ]; then
+              echo "🗑️  DELETE: $TAG (age: $((AGE_DAYS * -1)) days) - $NAME"
+
+              if [ "$DRY_RUN" = "false" ]; then
+                # Delete the release
+                gh release delete "$TAG" --repo ${{ github.repository }} --yes --cleanup-tag
+
+                echo "   ✅ Deleted release and tag: $TAG"
+              else
+                echo "   ⏭️  Dry run - would delete: $TAG"
+              fi
+
+              # Increment deleted counter
+              DELETED_COUNT=$(cat "$TEMP_DIR/deleted_count")
+              echo "$((DELETED_COUNT + 1))" > "$TEMP_DIR/deleted_count"
+            else
+              echo "✅ KEEP: $TAG (age: $((AGE_DAYS * -1)) days) - $NAME"
+
+              # Increment kept counter
+              KEPT_COUNT=$(cat "$TEMP_DIR/kept_count")
+              echo "$((KEPT_COUNT + 1))" > "$TEMP_DIR/kept_count"
+            fi
+          done
+
+          # Read final counts
+          DELETED_COUNT=$(cat "$TEMP_DIR/deleted_count")
+          KEPT_COUNT=$(cat "$TEMP_DIR/kept_count")
+          rm -rf "$TEMP_DIR"
+
+          echo ""
+          echo "📊 Summary:"
+          echo "  - Pre-releases to delete: $DELETED_COUNT"
+          echo "  - Pre-releases to keep: $KEPT_COUNT"
+
+          if [ "$DRY_RUN" = "true" ]; then
+            echo ""
+            echo "ℹ️  This was a dry run. No releases were actually deleted."
+            echo "   To delete releases, set dry_run=false"
+          fi
+
+      - name: Create cleanup summary
+        if: always()
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          DAYS_OLD=${{ inputs.days_old || 30 }}
+          DRY_RUN=${{ inputs.dry_run == true && 'true' || 'false' }}
+
+          # Get current pre-release count
+          TOTAL_PRERELEASES=$(gh release list --repo ${{ github.repository }} --limit 1000 --json isPrerelease | jq '[.[] | select(.isPrerelease == true)] | length')
+
+          cat >> $GITHUB_STEP_SUMMARY << EOF
+          # 🧹 Pre-Release Cleanup Summary
+
+          ## Configuration
+          - **Retention Period**: Delete pre-releases older than $DAYS_OLD days
+          - **Mode**: $(if [ "$DRY_RUN" = "true" ]; then echo "🔍 Dry Run (no deletions)"; else echo "🗑️ Active (deleting releases)"; fi)
+
+          ## Statistics
+          - **Total Pre-releases**: $TOTAL_PRERELEASES
+          - **Cutoff Date**: $(date -u -d "$DAYS_OLD days ago" +%Y-%m-%d 2>/dev/null || date -u -v-${DAYS_OLD}d +%Y-%m-%d)
+
+          ## Policy
+          Pre-releases are automatically cleaned up based on:
+          - ✅ Alpha releases: Deleted after $DAYS_OLD days
+          - ✅ Beta releases: Deleted after $DAYS_OLD days
+          - ✅ RC releases: Deleted after $DAYS_OLD days
+          - ⛔ Stable releases: Never deleted automatically
+
+          ## Next Steps
+          $(if [ "$DRY_RUN" = "true" ]; then echo "Run this workflow with \`dry_run=false\` to actually delete old pre-releases."; else echo "Pre-release cleanup is active. Old pre-releases have been removed."; fi)
+
+          ---
+          *This workflow runs daily at 00:00 UTC or can be triggered manually.*
+          EOF
+
+      - name: List remaining pre-releases
+        if: always()
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "📦 Remaining pre-releases:"
+          gh release list --repo ${{ github.repository }} --limit 50 | grep -E "(alpha|beta|rc)" || echo "No pre-releases found"

iam_policy_validator-1.7.1/.github/workflows/codeql.yml

@@ -0,0 +1,43 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "30 1 * * 1" # Weekly on Mondays at 1:30 AM
+
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["python"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended,security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee # v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4
+        with:
+          category: "/language:${{matrix.language}}"

iam_policy_validator-1.7.1/.github/workflows/pre-release.yml

@@ -0,0 +1,239 @@
+name: Pre-Release (RC/Alpha/Beta)
+
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "PR number to create pre-release from"
+        required: true
+        type: number
+      release_type:
+        description: "Type of pre-release"
+        required: true
+        type: choice
+        options:
+          - alpha
+          - beta
+          - rc
+      version_increment:
+        description: "Which version part to increment"
+        required: true
+        type: choice
+        default: "minor"
+        options:
+          - major
+          - minor
+          - patch
+      pre_release_number:
+        description: "Pre-release number (e.g., 1 for alpha.1)"
+        required: false
+        type: number
+        default: 1
+      python_version:
+        description: "Python version to use for building"
+        required: false
+        type: string
+        default: "3.13"
+
+permissions: read-all
+
+jobs:
+  build-pre-release:
+    name: Build and Create Pre-Release
+    runs-on: ubuntu-latest
+    environment: prerelease # Requires approval from environment reviewers
+    permissions:
+      contents: write # Required for creating releases and tags
+      pull-requests: read # Required for reading PR info
+      id-token: write # Required for PyPI trusted publishing (test.pypi.org)
+
+    steps:
+      - name: Get PR information
+        id: pr_info
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PR_DATA=$(gh pr view ${{ inputs.pr_number }} --repo ${{ github.repository }} --json headRefName,title,state)
+
+          STATE=$(echo "$PR_DATA" | jq -r '.state')
+          if [ "$STATE" != "OPEN" ]; then
+            echo "❌ PR #${{ inputs.pr_number }} is not open (state: $STATE)"
+            exit 1
+          fi
+
+          BRANCH=$(echo "$PR_DATA" | jq -r '.headRefName')
+          TITLE=$(echo "$PR_DATA" | jq -r '.title')
+
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          echo "title=$TITLE" >> $GITHUB_OUTPUT
+          echo "✅ PR #${{ inputs.pr_number }}: $TITLE (branch: $BRANCH)"
+
+      - name: Checkout PR branch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          ref: ${{ steps.pr_info.outputs.branch }}
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+        with:
+          python-version: ${{ inputs.python_version }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7
+        with:
+          enable-cache: true
+
+      - name: Calculate pre-release version
+        id: version
+        run: |
+          # Get current version from __version__.py
+          CURRENT_VERSION=$(grep -E "^__version__" iam_validator/__version__.py | cut -d'"' -f2)
+          echo "Current version: $CURRENT_VERSION"
+
+          # Parse version parts
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT_VERSION"
+
+          # Increment based on input
+          case "${{ inputs.version_increment }}" in
+            major)
+              MAJOR=$((MAJOR + 1))
+              MINOR=0
+              PATCH=0
+              ;;
+            minor)
+              MINOR=$((MINOR + 1))
+              PATCH=0
+              ;;
+            patch)
+              PATCH=$((PATCH + 1))
+              ;;
+          esac
+
+          # Build pre-release version
+          PRE_VERSION="${MAJOR}.${MINOR}.${PATCH}-${{ inputs.release_type }}.${{ inputs.pre_release_number }}"
+          TAG="v${PRE_VERSION}"
+
+          echo "version=$PRE_VERSION" >> $GITHUB_OUTPUT
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "base_version=${MAJOR}.${MINOR}.${PATCH}" >> $GITHUB_OUTPUT
+
+          echo "📦 Pre-release version: $PRE_VERSION"
+          echo "🏷️  Tag: $TAG"
+
+      - name: Update version in __version__.py
+        run: |
+          # Create backup and update version (portable across macOS/Linux)
+          cp iam_validator/__version__.py iam_validator/__version__.py.bak
+          sed 's/__version__ = ".*"/__version__ = "${{ steps.version.outputs.version }}"/' iam_validator/__version__.py.bak > iam_validator/__version__.py
+          rm iam_validator/__version__.py.bak
+
+          echo "✅ Updated __version__.py to ${{ steps.version.outputs.version }}"
+          cat iam_validator/__version__.py
+
+      - name: Install dependencies
+        run: uv sync --frozen
+
+      - name: Run tests
+        run: uv run pytest --verbose
+        continue-on-error: false
+
+      - name: Build package
+        run: uv build
+
+      - name: Generate pre-release notes
+        id: release_notes
+        run: |
+          cat > PRERELEASE_NOTES.md << EOF
+          # Pre-Release: ${{ steps.version.outputs.tag }}
+
+          ## 🧪 Testing Release
+
+          This is a **${{ inputs.release_type }}** pre-release built from PR #${{ inputs.pr_number }}.
+
+          **⚠️ Not recommended for production use.**
+
+          ### PR Information
+          - **PR**: #${{ inputs.pr_number }} - ${{ steps.pr_info.outputs.title }}
+          - **Branch**: \`${{ steps.pr_info.outputs.branch }}\`
+          - **Base Version**: \`${{ steps.version.outputs.base_version }}\`
+          - **Pre-release**: \`${{ inputs.release_type }}.${{ inputs.pre_release_number }}\`
+
+          ### Installation
+          \`\`\`bash
+          # Install from GitHub release
+          pip install https://github.com/${{ github.repository }}/releases/download/${{ steps.version.outputs.tag }}/iam_policy_validator-${{ steps.version.outputs.version }}-py3-none-any.whl
+          \`\`\`
+
+          ### Recent Changes
+          EOF
+
+          # Add commits from the PR branch
+          git log --pretty=format:"- %s (%h by %an)" --no-merges -10 >> PRERELEASE_NOTES.md
+
+          cat PRERELEASE_NOTES.md
+
+      - name: Create GitHub Pre-Release
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2
+        with:
+          name: "${{ steps.version.outputs.tag }} (Pre-release)"
+          tag_name: ${{ steps.version.outputs.tag }}
+          body_path: PRERELEASE_NOTES.md
+          files: |
+            dist/*.whl
+            dist/*.tar.gz
+          draft: false
+          prerelease: true
+          generate_release_notes: false
+          target_commitish: ${{ steps.pr_info.outputs.branch }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Comment on PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr comment ${{ inputs.pr_number }} --repo ${{ github.repository }} --body \
+          "## 🚀 Pre-Release Created
+
+          A **${{ inputs.release_type }}** pre-release has been created from this PR.
+
+          - **Version**: \`${{ steps.version.outputs.version }}\`
+          - **Tag**: [\`${{ steps.version.outputs.tag }}\`](https://github.com/${{ github.repository }}/releases/tag/${{ steps.version.outputs.tag }})
+          - **Release**: [View Release](https://github.com/${{ github.repository }}/releases/tag/${{ steps.version.outputs.tag }})
+
+          ### Install & Test
+          \`\`\`bash
+          pip install https://github.com/${{ github.repository }}/releases/download/${{ steps.version.outputs.tag }}/iam_policy_validator-${{ steps.version.outputs.version }}-py3-none-any.whl
+          \`\`\`
+
+          ⚠️ This is a pre-release and should not be used in production."
+
+      - name: Create Summary
+        if: always()
+        run: |
+          cat >> $GITHUB_STEP_SUMMARY << EOF
+          # 🧪 Pre-Release Summary
+
+          ## 📦 Pre-Release Information
+          - **Type**: ${{ inputs.release_type }}
+          - **Version**: \`${{ steps.version.outputs.version }}\`
+          - **Tag**: \`${{ steps.version.outputs.tag }}\`
+          - **PR**: [#${{ inputs.pr_number }}](https://github.com/${{ github.repository }}/pull/${{ inputs.pr_number }}) - ${{ steps.pr_info.outputs.title }}
+          - **Branch**: \`${{ steps.pr_info.outputs.branch }}\`
+
+          ## 🔗 Links
+          - [📦 GitHub Release](https://github.com/${{ github.repository }}/releases/tag/${{ steps.version.outputs.tag }})
+          - [🔀 Pull Request](https://github.com/${{ github.repository }}/pull/${{ inputs.pr_number }})
+
+          ## 📥 Installation
+          \`\`\`bash
+          pip install https://github.com/${{ github.repository }}/releases/download/${{ steps.version.outputs.tag }}/iam_policy_validator-${{ steps.version.outputs.version }}-py3-none-any.whl
+          \`\`\`
+
+          ## ⚠️ Important Notes
+          - This is a **pre-release** for testing purposes only
+          - Not published to PyPI
+          - Will be automatically cleaned up after 30 days
+          - Do not use in production
+          EOF

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.1}/.github/workflows/release.yml

@@ -5,9 +5,7 @@ on:
     tags:
       - "v*.*.*"
 
-permissions:
-  contents: write
-  id-token: write
+permissions: read-all
 
 env:
   PYTHON_VERSION: "3.13"
@@ -17,6 +15,9 @@ jobs:
     name: Build and Create Release
     runs-on: ubuntu-latest
     environment: production
+    permissions:
+      contents: write  # Required for creating GitHub releases
+      id-token: write  # Required for PyPI trusted publishing
 
     steps:
       - name: Checkout code
@@ -30,7 +31,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Install uv
-        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7
         with:
           enable-cache: true
 
@@ -69,7 +70,7 @@ jobs:
           echo "Generated changelog with $COMMIT_COUNT commits"
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2
         with:
           name: ${{ steps.get_version.outputs.tag }}
           body_path: CHANGELOG.txt

iam_policy_validator-1.7.1/.github/workflows/scorecard.yml

@@ -0,0 +1,62 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '23 7 * * 0'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        with:
+          sarif_file: results.sarif

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.1}/.gitignore

@@ -69,3 +69,4 @@ dmypy.json
 *.temp
 temp/
 tmp/
+CLAUDE.md