occystrap 0.4.0__tar.gz → 0.4.1__tar.gz

occystrap-0.4.1/.github/actionlint.yaml

@@ -0,0 +1,24 @@
+# Configuration for actionlint
+# https://github.com/rhysd/actionlint/blob/main/docs/config.md
+
+self-hosted-runner:
+  # Custom labels used by our self-hosted runners
+  labels:
+    - vm
+    - debian-12
+    - xl
+    - m
+    - s
+    - claude-code
+    - static
+
+# Ignore certain shellcheck rules from run: blocks in workflow files.
+# These are overly pedantic for CI workflow scripts where the inputs are
+# controlled by GitHub Actions expressions.
+paths:
+  .github/workflows/*.yml:
+    ignore:
+      - 'SC1090:'  # Can't follow non-constant source
+      - 'SC2046:'  # Quote command substitution to prevent word splitting
+      - 'SC2086:'  # Double quote to prevent globbing and word splitting
+      - 'SC2143:'  # Use grep -q instead of comparing output with [ -n .. ]

{occystrap-0.4.0 → occystrap-0.4.1}/.github/workflows/codeql-analysis.yml

@@ -1,5 +1,7 @@
 name: "CodeQL"
 
+permissions: {}
+
 on:
   push:
     branches: [master, ]
@@ -13,10 +15,13 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -29,7 +34,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v3
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
@@ -37,12 +42,12 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v3
 
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
+    # Command-line programs to run using the OS shell.
+    # https://git.io/JvXDl
 
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    # If the Autobuild fails above, remove it and uncomment the following three lines
     #    and modify them (or add more) to build your code if your project
     #    uses a compiled language
 
@@ -51,4 +56,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v3

occystrap-0.4.1/.github/workflows/export-repo-config.yml

@@ -0,0 +1,14 @@
+name: Export repository configuration
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 00 * * *'
+
+jobs:
+  export-config:
+    uses: shakenfist/actions/.github/workflows/export-repo-config.yml@main
+    secrets: inherit

{occystrap-0.4.0 → occystrap-0.4.1}/.github/workflows/functional-tests.yml

@@ -8,9 +8,12 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   functional:
-    runs-on: self-hosted
+    runs-on: [self-hosted, vm, debian-12]
     timeout-minutes: 120
 
     # NOTE(mikal): git repos are checked out to /srv/github/_work/{repo}/{repo}
@@ -44,36 +47,60 @@ jobs:
           sudo ls -l /var/run/docker.sock
 
       - name: Checkout occystrap
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
-          path: occystrap
           fetch-depth: 0
 
-      - name: Build occystrap wheel and install it
+      - name: Build occystrap wheel and install it in a venv
         run: |
-          cd /srv/ci/runner/_work/occystrap/occystrap/occystrap
-          rm -f dist/*
-          python3 setup.py sdist bdist_wheel
-          sudo pip3 install dist/occystrap*.whl
+          python3 -mvenv ~/occystrap-venv
+          ~/occystrap-venv/bin/pip3 install build
+          ~/occystrap-venv/bin/python3 -m build
+          ~/occystrap-venv/bin/pip3 install dist/occystrap*.whl
 
       - name: Run a local docker registry to talk to, and populate it with test data
         run: |
           docker run -d -p 5000:5000 --restart=always --name registry registry:2
-          cd /srv/ci/runner/_work/occystrap/occystrap/occystrap/deploy/occystrap_ci/testdata
+          cd deploy/occystrap_ci/testdata
+          start_dir=$(pwd)
 
           for img in deletion_layers; do
             cd $img
             docker build -t localhost:5000/occystrap_$img:latest .
             docker push localhost:5000/occystrap_$img:latest
-            cd /srv/ci/runner/_work/occystrap/occystrap/occystrap/deploy/occystrap_ci/testdata
+            cd ${start_dir}
           done
 
       - name: Run functional tests
         run: |
-          cd /srv/ci/runner/_work/occystrap/occystrap/occystrap/deploy
-          sudo pip3 install -r requirements.txt
-          sudo pip3 install -r test-requirements.txt
+          cd deploy
+          . ~/occystrap-venv/bin/activate
+          pip3 install -r requirements.txt
+          pip3 install -r test-requirements.txt
 
           # This needs to run as root because some of the tests require
           # escalated permissions.
-          sudo stestr run --concurrency=5
+          sudo /home/debian/occystrap-venv/bin/stestr run --concurrency=5
+
+  automated_reviewer:
+    name: "Automated reviewer"
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: [self-hosted, claude-code]
+    needs: [functional]
+    if: github.event_name == 'pull_request'
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-reviewer
+      cancel-in-progress: true
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run automated reviewer
+        uses: shakenfist/actions/review-pr-with-claude@main
+        with:
+          pr-number: ${{ github.event.pull_request.number }}

occystrap-0.4.1/.github/workflows/pr-re-review.yml

@@ -0,0 +1,73 @@
+name: PR Re-review
+
+# Triggers a re-review of a PR when an authorized user comments
+# "@shakenfist-bot please re-review"
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  check_and_review:
+    # Only run on PR comments (not issue comments)
+    if: |
+      github.event.issue.pull_request &&
+      contains(github.event.comment.body, '@shakenfist-bot please re-review')
+    runs-on: [self-hosted, claude-code]
+    name: "Re-review PR"
+
+    steps:
+      - name: Check commenter permissions
+        id: check_permission
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          permission=$(gh api \
+            repos/${{ github.repository }}/collaborators/${{ github.event.comment.user.login }}/permission \
+            --jq '.permission' 2>/dev/null || echo "none")
+
+          echo "User ${{ github.event.comment.user.login }} has permission: ${permission}"
+
+          if [[ "${permission}" == "admin" || "${permission}" == "write" ]]; then
+            echo "authorized=true" >> $GITHUB_OUTPUT
+            echo "User is authorized to request re-review"
+          else
+            echo "authorized=false" >> $GITHUB_OUTPUT
+            echo "User is not authorized to request re-review"
+          fi
+
+      - name: React to comment
+        if: steps.check_permission.outputs.authorized == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api \
+            repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions \
+            -f content='+1' \
+            --silent || true
+
+      - name: Post unauthorized message
+        if: steps.check_permission.outputs.authorized == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr comment ${{ github.event.issue.number }} \
+            --body "Sorry @${{ github.event.comment.user.login }}, only repository collaborators with write access can request a re-review."
+
+      - name: Checkout code
+        if: steps.check_permission.outputs.authorized == 'true'
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run automated reviewer
+        if: steps.check_permission.outputs.authorized == 'true'
+        uses: shakenfist/actions/review-pr-with-claude@main
+        with:
+          pr-number: ${{ github.event.issue.number }}
+          force: 'true'

occystrap-0.4.1/.github/workflows/python-unit-tests.yml

@@ -0,0 +1,36 @@
+name: Sanity checks
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  lint:
+    runs-on: [self-hosted, vm, debian-12]
+
+    steps:
+      - name: Checkout code with two commits
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get dist-upgrade -y
+          sudo apt-get install -y -q tox python3 python3-venv python3-wheel
+
+      - name: Lint with flake8
+        run: |
+          tox -eflake8
+
+      - name: Run unit tests
+        run: |
+          tox -epy3

occystrap-0.4.1/.github/workflows/release.yml

@@ -0,0 +1,142 @@
+# Release workflow for Occy Strap
+#
+# Triggers on version tags (v*). Requires approval from the 'release'
+# environment before publishing. Uses Sigstore for signing and PyPI
+# trusted publishers for authentication.
+#
+# See RELEASE-SETUP.md for one-time configuration steps.
+
+name: Release
+
+permissions: {}
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+  # Allow manual trigger for testing (won't publish without a tag)
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build distribution packages
+    runs-on: [self-hosted, static]
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Full history needed for pbr versioning
+
+      - name: Install build dependencies
+        run: |
+          rm -rf release-venv
+          python3 -m venv release-venv
+          release-venv/bin/pip3 install --upgrade pip
+          release-venv/bin/pip3 install build twine
+
+      - name: Build package
+        run: |
+          release-venv/bin/python3 -m build
+
+      - name: Check package with twine
+        run: |
+          release-venv/bin/twine check dist/*
+
+      - name: Upload distribution artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  sign-tag:
+    name: Sign release tag with Sigstore
+    needs: build
+    runs-on: [self-hosted, debian-12, s]
+    environment: release
+
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install gitsign
+        run: |
+          GITSIGN_VERSION="0.14.0"
+          curl -sLO "https://github.com/sigstore/gitsign/releases/download/v${GITSIGN_VERSION}/gitsign_${GITSIGN_VERSION}_linux_amd64"
+          curl -sLO "https://github.com/sigstore/gitsign/releases/download/v${GITSIGN_VERSION}/checksums.txt"
+          sha256sum --ignore-missing -c checksums.txt
+          chmod +x "gitsign_${GITSIGN_VERSION}_linux_amd64"
+          sudo mv "gitsign_${GITSIGN_VERSION}_linux_amd64" /usr/local/bin/gitsign
+
+      - name: Configure git for Sigstore signing
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git config --global tag.gpgsign true
+          git config --global gpg.format x509
+          git config --global gpg.x509.program gitsign
+
+      - name: Create signed tag
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG_NAME="${GITHUB_REF#refs/tags/}"
+          echo "Signing tag: ${TAG_NAME}"
+          git tag -d "${TAG_NAME}" || true
+          git tag -s "${TAG_NAME}" -m "Release ${TAG_NAME}" "${GITHUB_SHA}"
+          git push origin "${TAG_NAME}" --force
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs: [build, sign-tag]
+    runs-on: [self-hosted, static]
+    environment: release
+
+    permissions:
+      id-token: write
+      attestations: write
+
+    steps:
+      - name: Download distribution artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Generate attestations for artifacts
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: 'dist/*'
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  github-release:
+    name: Create GitHub Release
+    needs: [build, sign-tag, publish-pypi]
+    runs-on: [self-hosted, static]
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          files: dist/*
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

occystrap-0.4.1/.github/workflows/renovate.yml

@@ -0,0 +1,24 @@
+name: Renovate dependency updater
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 * * * *'
+
+jobs:
+  renovate:
+    runs-on: [self-hosted, static]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v41.0.22
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN }}
+        env:
+          RENOVATE_AUTODISCOVER: "true"
+          RENOVATE_AUTODISCOVER_FILTER: "shakenfist/occystrap"

occystrap-0.4.1/.gitignore

@@ -0,0 +1,49 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+*.egg
+
+# Virtual environments
+venv/
+_venv/
+ENV/
+env/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Testing
+.tox/
+.stestr/
+.coverage
+htmlcov/
+
+# Temporary files
+*.tmp
+*.bak
+
+# setuptools_scm generated version file
+occystrap/_version.py

occystrap-0.4.1/.pre-commit-config.yaml

@@ -0,0 +1,30 @@
+repos:
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.7
+    hooks:
+      - id: actionlint
+        args: ['-config-file', '.github/actionlint.yaml']
+
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+      - id: shellcheck
+        files: ^(tools/|release\.sh)
+        types_or: [sh, bash, shell]
+        args: ['-x']
+
+  - repo: local
+    hooks:
+      - id: tox-flake8
+        name: tox flake8
+        entry: tox -eflake8
+        language: system
+        pass_filenames: false
+        always_run: true
+
+      - id: tox-py3
+        name: tox py3
+        entry: tox -epy3
+        language: system
+        pass_filenames: false
+        always_run: true

occystrap-0.4.1/.shellcheckrc

@@ -0,0 +1,133 @@
+# Shellcheck configuration for occystrap
+#
+# We disable some common warnings that are too noisy for our scripts.
+# These are mostly style/info level issues that don't represent real bugs.
+
+# SC2086: Double quote to prevent globbing and word splitting
+# Our scripts run in controlled environments with known inputs.
+disable=SC2086
+
+# SC2196: egrep is deprecated, use grep -E
+# While true, this is just a deprecation notice.
+disable=SC2196
+
+# SC2034: Variable appears unused
+# Often sourced scripts export variables for use elsewhere.
+disable=SC2034
+
+# SC2046: Quote this to prevent word splitting
+# Similar to SC2086, covered by controlled inputs.
+disable=SC2046
+
+# SC2001: See if you can use ${variable//search/replace}
+# Style preference, not a bug.
+disable=SC2001
+
+# SC2166: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined
+# Works fine in bash, which all our scripts use.
+disable=SC2166
+
+# SC2013: To read lines rather than words, pipe to 'while read'
+# Our patch filenames don't contain spaces.
+disable=SC2013
+
+# SC2181: Check exit code directly, not indirectly with $?
+# Style preference.
+disable=SC2181
+
+# SC2115: Use "${var:?}" to ensure this never expands to /
+# Our scripts are always run in controlled environments.
+disable=SC2115
+
+# SC2004: $/${} is unnecessary on arithmetic variables
+# We prefer explicit ${} for consistency.
+disable=SC2004
+
+# SC2206: Quote to prevent word splitting/globbing, or split robustly
+# Our scripts run in controlled environments.
+disable=SC2206
+
+# SC2145: Argument mixes string and array
+# Works as intended in our use cases.
+disable=SC2145
+
+# SC2236: Use -n instead of ! -z
+# Style preference, both work.
+disable=SC2236
+
+# SC2116: Useless echo
+# Sometimes used for clarity.
+disable=SC2116
+
+# SC2164: Use 'cd ... || exit' in case cd fails
+# Our scripts use set -e which handles this.
+disable=SC2164
+
+# SC2048: Use "$@" (with quotes) to prevent whitespace problems
+# Our scripts run in controlled environments.
+disable=SC2048
+
+# SC1091: Not following sourced file (file not found)
+# Files exist at runtime on target systems.
+disable=SC1091
+
+# SC2231: Quote expansions in for loop glob
+# Works as intended in our use cases.
+disable=SC2231
+
+# SC1090: Can't follow non-constant source
+# Dynamic sources are intentional.
+disable=SC1090
+
+# SC2027: The surrounding quotes actually unquote this
+# Intentional string formatting.
+disable=SC2027
+
+# SC2068: Double quote array expansions
+# Our scripts run in controlled environments.
+disable=SC2068
+
+# SC2155: Declare and assign separately to avoid masking return values
+# We check return values where needed.
+disable=SC2155
+
+# SC2221/SC2222: Pattern overrides another pattern
+# Intentional catch-all in case statements.
+disable=SC2221
+disable=SC2222
+
+# SC2153: Possible misspelling
+# We know our variable names.
+disable=SC2153
+
+# SC2320: This $? refers to echo/printf, not a previous command
+# We understand the ordering.
+disable=SC2320
+
+# SC2317: Command appears to be unreachable
+# Traps and callbacks are invoked indirectly.
+disable=SC2317
+
+# SC2035: Use ./*glob* so names with dashes won't become options
+# Our globs don't match filenames starting with -.
+disable=SC2035
+
+# SC2002: Useless cat
+# Style preference, cat | cmd is more readable.
+disable=SC2002
+
+# SC2129: Consider using { cmd1; cmd2; } >> file
+# Style preference.
+disable=SC2129
+
+# SC2031: Variable modified in subshell
+# We understand subshell scoping.
+disable=SC2031
+
+# SC2124: Assigning an array to a string
+# Intentional in some cases.
+disable=SC2124
+
+# SC2154: Variable is referenced but not assigned
+# Variables are commonly sourced from other files or set before function calls.
+disable=SC2154

occystrap-0.4.1/.stestr.conf

@@ -0,0 +1,3 @@
+[DEFAULT]
+test_path=./occystrap/tests
+top_dir=./