openvisionkit 0.4.0__tar.gz

openvisionkit-0.4.0/.flake8

@@ -0,0 +1,5 @@
+[flake8]
+max-line-length = 88
+extend-ignore = E203
+per-file-ignores =
+    tests/*:E402

openvisionkit-0.4.0/.gitattributes

@@ -0,0 +1,3 @@
+*.tflite filter=lfs diff=lfs merge=lfs -text
+*.task filter=lfs diff=lfs merge=lfs -text
+*.pb filter=lfs diff=lfs merge=lfs -text

openvisionkit-0.4.0/.github/workflows/ci-integration.yml

@@ -0,0 +1,86 @@
+name: Integration Tests
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  workflow_dispatch:
+    inputs:
+      skip_model_download:
+        description: "Skip model download (run inference-free integration tests only)"
+        required: false
+        default: "false"
+        type: boolean
+
+concurrency:
+  group: integration-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  integration:
+    name: pytest integration
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install system dependencies (Tesseract)
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y tesseract-ocr tesseract-ocr-eng
+
+      - name: Install project dependencies
+        run: uv sync --all-groups
+
+      # ── Model files ──────────────────────────────────────────────────────
+      # Models are NOT committed to git (binary, large, user-provided).
+      # Store each .tflite/.task file as a GitHub Actions secret (base64)
+      # or upload them to a private artifact store and cache them here.
+      #
+      # Example: add secret FACE_DETECTION_MODEL_B64 = base64-encoded .tflite
+      # and uncomment the block below.
+      #
+      # - name: Restore model files
+      #   env:
+      #     FACE_DETECTION_MODEL_B64: ${{ secrets.FACE_DETECTION_MODEL_B64 }}
+      #   run: |
+      #     mkdir -p models
+      #     echo "$FACE_DETECTION_MODEL_B64" | base64 -d > models/face_detection.tflite
+
+      - name: Cache model files
+        id: cache-models
+        uses: actions/cache@v4
+        with:
+          path: models/
+          key: openvisionkit-models-${{ hashFiles('pyproject.toml') }}
+
+      - name: Run integration tests
+        env:
+          VISIONKIT_MODELS_DIR: ${{ github.workspace }}/models
+        run: |
+          uv run pytest tests/ \
+            -m "integration" \
+            --tb=short \
+            -v
+
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: integration-test-results
+          path: |
+            .pytest_cache/
+          retention-days: 7

openvisionkit-0.4.0/.github/workflows/ci-security.yml

@@ -0,0 +1,125 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  schedule:
+    # Run daily at 02:00 UTC to catch newly published CVEs
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write  # required to upload SARIF to GitHub Security tab
+
+jobs:
+  # ── 1. Python dependency audit (pip-audit + OSV database) ─────────────────
+  pip-audit:
+    name: pip-audit (Python deps)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install project dependencies
+        run: uv sync --all-groups
+
+      - name: Run pip-audit (SBOM)
+        run: |
+          uv run pip-audit \
+            --local \
+            --format cyclonedx-json \
+            --output pip-audit-sbom.json \
+            --progress-spinner off || true
+
+      - name: Run pip-audit (fail on critical)
+        run: |
+          uv run pip-audit \
+            --local \
+            --progress-spinner off
+
+      - name: Upload SBOM artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: pip-audit-sbom
+          path: pip-audit-sbom.json
+          retention-days: 30
+
+  # ── 2. Trivy filesystem + dependency scan with SARIF upload ───────────────
+  trivy:
+    name: Trivy (filesystem + SCA)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH,MEDIUM
+          exit-code: "0"       # don't block CI — upload findings first
+          ignore-unfixed: true
+
+      - name: Upload Trivy SARIF to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy
+
+      - name: Fail on CRITICAL vulnerabilities
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: table
+          severity: CRITICAL
+          exit-code: "1"
+          ignore-unfixed: true
+
+  # ── 3. CodeQL static analysis ─────────────────────────────────────────────
+  codeql:
+    name: CodeQL (static analysis)
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: codeql-python

openvisionkit-0.4.0/.github/workflows/ci-unit.yml

@@ -0,0 +1,57 @@
+name: Unit Tests
+
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+    branches: [main, master]
+
+concurrency:
+  group: unit-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  unit:
+    name: pytest unit — Python ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Run unit tests
+        run: |
+          uv run pytest tests/ \
+            -m "not integration" \
+            --cov=openvisionkit \
+            --cov-report=xml \
+            --cov-report=term-missing \
+            -v
+
+      - name: Upload coverage to Codecov
+        if: matrix.python-version == '3.11'
+        uses: codecov/codecov-action@v4
+        with:
+          files: coverage.xml
+          fail_ci_if_error: false
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

openvisionkit-0.4.0/.github/workflows/publish.yml

@@ -0,0 +1,135 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      target:
+        description: "Publish target"
+        required: true
+        default: testpypi
+        type: choice
+        options:
+          - testpypi
+          - pypi
+
+permissions:
+  contents: read
+  id-token: write  # required for PyPI Trusted Publishing (OIDC)
+
+jobs:
+  # ── 1. Unit test gate ─────────────────────────────────────────────────────
+  test:
+    name: Unit tests (pre-publish gate)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Run unit tests
+        run: uv run pytest tests/ -m "not integration" -q
+
+  # ── 2. Build sdist + wheel ────────────────────────────────────────────────
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Build sdist and wheel
+        run: uv build
+
+      - name: Verify build artifacts
+        run: |
+          ls -lh dist/
+          uv run python -m twine check dist/*
+
+      - name: Upload dist artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+          retention-days: 7
+
+  # ── 3. Publish to TestPyPI (pre-releases + manual) ────────────────────────
+  publish-testpypi:
+    name: Publish → TestPyPI
+    runs-on: ubuntu-latest
+    needs: build
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/openvisionkit
+
+    if: |
+      (github.event_name == 'workflow_dispatch' && inputs.target == 'testpypi') ||
+      (github.event_name == 'release' && github.event.release.prerelease == true)
+
+    steps:
+      - name: Download dist artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          print-hash: true
+
+  # ── 4. Publish to PyPI (stable releases + manual) ────────────────────────
+  publish-pypi:
+    name: Publish → PyPI
+    runs-on: ubuntu-latest
+    needs: build
+    environment:
+      name: pypi
+      url: https://pypi.org/p/openvisionkit
+
+    if: |
+      (github.event_name == 'workflow_dispatch' && inputs.target == 'pypi') ||
+      (github.event_name == 'release' && github.event.release.prerelease == false)
+
+    steps:
+      - name: Download dist artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          print-hash: true

openvisionkit-0.4.0/.github/workflows/renovate.yml

@@ -0,0 +1,37 @@
+name: Renovate
+
+on:
+  schedule:
+    # Run every Monday at 01:00 UTC (before 6am SGT per renovate.json schedule)
+    - cron: "0 1 * * 1"
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "Dry-run (log only, no PRs created)"
+        required: false
+        default: "false"
+        type: boolean
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+jobs:
+  renovate:
+    name: Renovate dependency update bot
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@v40
+        env:
+          # Set LOG_LEVEL=debug for verbose output
+          LOG_LEVEL: info
+          RENOVATE_DRY_RUN: ${{ inputs.dry_run == 'true' && 'full' || 'null' }}
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN }}
+          # renovate.json at repo root is picked up automatically

openvisionkit-0.4.0/.github/workflows/reusable-github-release.yml

@@ -0,0 +1,193 @@
+name: Reusable GitHub Release
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: Git tag to release (e.g. v0.2.1). Must already exist in the repo.
+        required: true
+        type: string
+      python-version:
+        description: Python version used to build distribution artifacts
+        required: false
+        default: "3.11"
+        type: string
+      prerelease:
+        description: Mark this release as a pre-release
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  github-release:
+    name: Create GitHub Release — ${{ inputs.tag }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write   # create release, upload assets
+
+    steps:
+      # ── Checkout at the exact tag ─────────────────────────────────────────
+      - name: Check out repository at tag
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.tag }}
+          fetch-depth: 0
+          fetch-tags: true
+
+      # ── Toolchain ─────────────────────────────────────────────────────────
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          python-version: ${{ inputs.python-version }}
+          enable-cache: true
+
+      # ── Derive version string from tag ────────────────────────────────────
+      - name: Derive version from tag
+        id: version
+        run: |
+          TAG="${{ inputs.tag }}"
+          VERSION="${TAG#v}"   # strip leading 'v'
+          echo "tag=${TAG}"         >> "$GITHUB_OUTPUT"
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+
+          PRERELEASE="${{ inputs.prerelease }}"
+          if [ "$PRERELEASE" = "true" ] || echo "$TAG" | grep -qE '\-(alpha|beta|rc|dev)'; then
+            echo "prerelease=true"  >> "$GITHUB_OUTPUT"
+          else
+            echo "prerelease=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      # ── Build distribution artifacts ──────────────────────────────────────
+      - name: Build sdist and wheel
+        run: uv build
+
+      - name: List built artifacts
+        run: ls -lh dist/
+
+      # ── Validate distribution with twine ──────────────────────────────────
+      - name: Validate distributions
+        run: |
+          uv tool install twine
+          uv tool run twine check dist/*
+
+      # ── Generate SHA-256 checksums ─────────────────────────────────────────
+      - name: Generate SHA-256 checksums
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          cd dist
+          sha256sum * | tee "../checksums-${VERSION}.sha256"
+          cd ..
+          echo "Checksums:"
+          cat "checksums-${VERSION}.sha256"
+
+      # ── Extract release notes from CHANGELOG.md ───────────────────────────
+      - name: Extract release notes from CHANGELOG.md
+        id: notes
+        env:
+          RELEASE_VERSION: ${{ steps.version.outputs.version }}
+          RELEASE_TAG:     ${{ steps.version.outputs.tag }}
+        run: |
+          NOTES=$(python3 - <<'PYEOF'
+          import re, os, sys
+
+          version = os.environ.get("RELEASE_VERSION", "")
+          tag     = os.environ.get("RELEASE_TAG", "")
+
+          try:
+              content = open("CHANGELOG.md").read()
+          except FileNotFoundError:
+              print("No CHANGELOG.md found.")
+              sys.exit(0)
+
+          sections = re.split(r"\n(?=## )", content)
+          target = next(
+              (s for s in sections
+               if version in s.split("\n")[0] or tag in s.split("\n")[0]),
+              None,
+          )
+          if target:
+              body = "\n".join(target.split("\n")[1:]).strip()
+              print(body if body else "No details in CHANGELOG for this version.")
+          else:
+              print(f"See CHANGELOG.md for details on {tag}.")
+          PYEOF
+          )
+
+          {
+            echo "notes<<RELEASE_NOTES_DELIMITER"
+            echo "$NOTES"
+            echo "RELEASE_NOTES_DELIMITER"
+          } >> "$GITHUB_OUTPUT"
+
+      # ── Create or update the GitHub release ───────────────────────────────
+      - name: Create GitHub release
+        id: create-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          PRERELEASE="${{ steps.version.outputs.prerelease }}"
+          TITLE="Release ${TAG}"
+          NOTES="${{ steps.notes.outputs.notes }}"
+
+          PR_FLAG=""
+          [ "$PRERELEASE" = "true" ] && PR_FLAG="--prerelease"
+
+          if gh release view "$TAG" &>/dev/null; then
+            echo "Release $TAG already exists — updating notes."
+            gh release edit "$TAG" \
+              --title "$TITLE" \
+              --notes "$NOTES" \
+              $PR_FLAG \
+              --latest
+          else
+            gh release create "$TAG" \
+              --title "$TITLE" \
+              --notes "$NOTES" \
+              --verify-tag \
+              $PR_FLAG \
+              --latest
+          fi
+
+      # ── Upload distribution artifacts and checksums as release assets ─────
+      - name: Upload release assets
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          VERSION="${{ steps.version.outputs.version }}"
+
+          gh release upload "$TAG" \
+            dist/* \
+            "checksums-${VERSION}.sha256" \
+            --clobber
+
+      # ── Job summary ───────────────────────────────────────────────────────
+      - name: Write job summary
+        if: always()
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          VERSION="${{ steps.version.outputs.version }}"
+          RELEASE_URL=$(gh release view "$TAG" --json url -q .url 2>/dev/null || echo "N/A")
+
+          {
+            echo "## GitHub Release: ${TAG:-unknown}"
+            echo ""
+            echo "| Field | Value |"
+            echo "|-------|-------|"
+            echo "| Tag | \`${TAG}\` |"
+            echo "| Version | \`${VERSION}\` |"
+            echo "| Pre-release | \`${{ steps.version.outputs.prerelease }}\` |"
+            echo "| Release URL | ${RELEASE_URL} |"
+            echo ""
+            echo "### Artifacts"
+            echo "\`\`\`"
+            [ -d dist ] && ls -lh dist/ || echo "dist/ not found — build may have failed"
+            [ -f "checksums-${VERSION}.sha256" ] && cat "checksums-${VERSION}.sha256" || echo "checksums file not found"
+            echo "\`\`\`"
+            echo ""
+            echo "### Release Notes"
+            echo "${{ steps.notes.outputs.notes }}"
+          } >> "$GITHUB_STEP_SUMMARY"