src-auth-perms-sync 0.2.1__tar.gz → 0.2.2__tar.gz

src_auth_perms_sync-0.2.2/.github/workflows/ci.yml

@@ -0,0 +1,17 @@
+name: CI
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    name: Validate
+    uses: ./.github/workflows/validate.yml

{src_auth_perms_sync-0.2.1 → src_auth_perms_sync-0.2.2}/.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: Build customer release
+name: Build release
 
 on:
   push:
@@ -13,6 +13,7 @@ on:
 
 permissions:
   contents: write
+  pull-requests: read
 
 concurrency:
   group: release-${{ github.event.inputs.tag || github.ref_name }}
@@ -23,13 +24,18 @@ defaults:
     shell: bash
 
 jobs:
+  validate:
+    name: Validate
+    uses: ./.github/workflows/validate.yml
+    with:
+      ref: ${{ github.event.inputs.tag || github.ref }}
+      build-package: false
+
   wheelhouse:
     name: ${{ matrix.platform }}-py311 wheelhouse
     runs-on: ${{ matrix.runs_on }}
     strategy:
       fail-fast: false
-      # The first matrix leg creates the release; later legs upload more assets.
-      max-parallel: 1
       matrix:
         include:
           - platform: linux-x86_64
@@ -61,12 +67,17 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          cache: pip
+
+      - name: Cache uv
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/uv
+          key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
 
       - name: Install build tools
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install "uv==${UV_VERSION}"
+        run: python -m pip install "uv==${UV_VERSION}"
 
       - name: Validate release inputs
         id: release
@@ -103,7 +114,7 @@ jobs:
 
           echo "tag=${release_tag}" >> "${GITHUB_OUTPUT}"
 
-      - name: Validate package
+      - name: Validate runner architecture
         run: |
           actual_machine=$(uv run --frozen python - <<'PY'
           import platform
@@ -116,12 +127,6 @@ jobs:
             exit 1
           fi
 
-          uv lock --check
-          uv run --frozen ruff check src/src_auth_perms_sync/
-          uv run --frozen ruff format --check src/src_auth_perms_sync/
-          uv run --frozen pyright
-          uv run --frozen src-auth-perms-sync --help >/tmp/src-auth-perms-sync-help.txt
-
       - name: Build wheelhouse tarball
         id: build
         run: |
@@ -136,15 +141,25 @@ jobs:
 
           rm -rf build/release
           mkdir -p "${wheelhouse_dir}" "${dist_dir}"
+          shopt -s nullglob
 
-          uv build --wheel --out-dir "${dist_dir}" --no-create-gitignore
+          uv build --wheel --sdist --out-dir "${dist_dir}" --no-create-gitignore
           project_wheels=("${dist_dir}"/*.whl)
           if [[ "${#project_wheels[@]}" -ne 1 ]]; then
             echo "::error title=Unexpected wheel count::Expected one project wheel, found ${#project_wheels[@]}."
             exit 1
           fi
+          project_source_distributions=("${dist_dir}"/*.tar.gz)
+          if [[ "${#project_source_distributions[@]}" -ne 1 ]]; then
+            echo "::error title=Unexpected source distribution count::Expected one project source distribution, found ${#project_source_distributions[@]}."
+            exit 1
+          fi
           project_wheel_path="${project_wheels[0]}"
           project_wheel_name="$(basename "${project_wheel_path}")"
+          project_source_distribution_path="${project_source_distributions[0]}"
+          project_source_distribution_name="$(basename "${project_source_distribution_path}")"
+          project_wheel_checksum_path="${project_wheel_path}.sha256"
+          project_source_distribution_checksum_path="${project_source_distribution_path}.sha256"
           if [[ ! -f "${project_wheel_path}" ]]; then
             echo "::error title=Missing project wheel::Expected ${project_wheel_path} to exist."
             exit 1
@@ -197,7 +212,7 @@ jobs:
           pip install "https://github.com/sourcegraph/src-auth-perms-sync/releases/download/${release_tag}/${project_wheel_name}"
           EOF
 
-          (cd "${wheelhouse_dir}" && shasum -a 256 *.whl > WHEELS.sha256)
+          (cd "${wheelhouse_dir}" && shasum -a 256 ./*.whl > WHEELS.sha256)
 
           test -f "${project_wheel_path}"
           test -f "${wheelhouse_dir}"/src_auth_perms_sync-*.whl
@@ -211,16 +226,28 @@ jobs:
             exit 1
           fi
 
+          (
+            cd "$(dirname "${project_wheel_path}")"
+            shasum -a 256 "${project_wheel_name}" > "$(basename "${project_wheel_checksum_path}")"
+            shasum -a 256 "${project_source_distribution_name}" > "$(basename "${project_source_distribution_checksum_path}")"
+          )
+
           tar -C "${release_dir}" -czf "${asset_path}" wheelhouse
           (
             cd "$(dirname "${asset_path}")"
             shasum -a 256 "$(basename "${asset_path}")" > "$(basename "${checksum_path}")"
           )
 
-          echo "asset_path=${asset_path}" >> "${GITHUB_OUTPUT}"
-          echo "checksum_path=${checksum_path}" >> "${GITHUB_OUTPUT}"
-          echo "project_wheel_path=${project_wheel_path}" >> "${GITHUB_OUTPUT}"
-          echo "project_wheel_name=${project_wheel_name}" >> "${GITHUB_OUTPUT}"
+          {
+            echo "asset_path=${asset_path}"
+            echo "checksum_path=${checksum_path}"
+            echo "project_wheel_path=${project_wheel_path}"
+            echo "project_wheel_name=${project_wheel_name}"
+            echo "project_source_distribution_path=${project_source_distribution_path}"
+            echo "project_source_distribution_name=${project_source_distribution_name}"
+            echo "project_wheel_checksum_path=${project_wheel_checksum_path}"
+            echo "project_source_distribution_checksum_path=${project_source_distribution_checksum_path}"
+          } >> "${GITHUB_OUTPUT}"
 
       - name: Validate offline install from tarball
         run: |
@@ -244,6 +271,7 @@ jobs:
         run: |
           release_tag="${{ steps.release.outputs.tag }}"
           project_wheel_name="${{ steps.build.outputs.project_wheel_name }}"
+          project_source_distribution_name="${{ steps.build.outputs.project_source_distribution_name }}"
           notes_path="build/release/release-notes.md"
           cat > "${notes_path}" <<EOF
           ## Customer install
@@ -273,7 +301,9 @@ jobs:
           \`\`\`
 
           The tarball includes this project, \`src-py-lib\`, and all runtime wheels.
-          Verify the download with the matching \`.sha256\` file.
+          Verify the tarball downloads with the matching \`.sha256\` files.
+          The GitHub release also includes the same \`${project_wheel_name}\` and
+          \`${project_source_distribution_name}\` files uploaded to PyPI, plus matching checksums.
 
           ### Connected PyPI install
 
@@ -296,29 +326,69 @@ jobs:
           path: |
             ${{ steps.build.outputs.asset_path }}
             ${{ steps.build.outputs.checksum_path }}
+
+      - name: Upload project distribution release artifact
+        if: matrix.platform == 'linux-x86_64'
+        uses: actions/upload-artifact@v7
+        with:
+          name: src-auth-perms-sync-project-distributions
+          path: |
             ${{ steps.build.outputs.project_wheel_path }}
-            ${{ steps.notes.outputs.path }}
+            ${{ steps.build.outputs.project_source_distribution_path }}
+            ${{ steps.build.outputs.project_wheel_checksum_path }}
+            ${{ steps.build.outputs.project_source_distribution_checksum_path }}
+
+      - name: Upload release notes artifact
+        if: matrix.platform == 'linux-x86_64'
+        uses: actions/upload-artifact@v7
+        with:
+          name: release-notes
+          path: ${{ steps.notes.outputs.path }}
 
       - name: Upload PyPI artifact
         if: matrix.platform == 'linux-x86_64'
         uses: actions/upload-artifact@v7
         with:
           name: pypi-distributions
-          path: ${{ steps.build.outputs.project_wheel_path }}
+          path: |
+            ${{ steps.build.outputs.project_wheel_path }}
+            ${{ steps.build.outputs.project_source_distribution_path }}
+
+  github-release:
+    name: Publish GitHub release assets
+    needs: [validate, wheelhouse]
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Download wheelhouse artifacts
+        uses: actions/download-artifact@v7
+        with:
+          pattern: src-auth-perms-sync-*
+          path: release-assets
+          merge-multiple: true
+
+      - name: Download release notes
+        uses: actions/download-artifact@v7
+        with:
+          name: release-notes
+          path: release-notes
 
       - name: Publish GitHub release assets
         env:
           GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
         run: |
-          release_tag="${{ steps.release.outputs.tag }}"
-          asset_path="${{ steps.build.outputs.asset_path }}"
-          checksum_path="${{ steps.build.outputs.checksum_path }}"
-          project_wheel_path="${{ steps.build.outputs.project_wheel_path }}"
-          notes_path="${{ steps.notes.outputs.path }}"
-          release_assets=("${asset_path}" "${checksum_path}")
-
-          if [[ "${{ matrix.platform }}" == "linux-x86_64" ]]; then
-            release_assets+=("${project_wheel_path}")
+          release_tag="${{ github.event.inputs.tag || github.ref_name }}"
+          notes_path="$(find release-notes -name release-notes.md -print -quit)"
+          mapfile -t release_assets < <(find release-assets -type f | sort)
+
+          if [[ -z "${notes_path}" ]]; then
+            echo "::error title=Missing release notes::release-notes.md was not found in release artifact."
+            exit 1
+          fi
+          if [[ "${#release_assets[@]}" -eq 0 ]]; then
+            echo "::error title=Missing release assets::No release assets were downloaded."
+            exit 1
           fi
 
           if gh release view "${release_tag}" >/dev/null 2>&1; then
@@ -334,7 +404,7 @@ jobs:
 
   pypi:
     name: Publish PyPI package
-    needs: wheelhouse
+    needs: [validate, wheelhouse]
     runs-on: ubuntu-24.04
     permissions:
       contents: read
@@ -354,3 +424,4 @@ jobs:
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: dist
+          skip-existing: true

src_auth_perms_sync-0.2.2/.github/workflows/validate.yml

@@ -0,0 +1,265 @@
+name: Validate
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: "Git ref to validate. Defaults to the caller's ref."
+        required: false
+        type: string
+      build-package:
+        description: "Build and smoke-test package artifacts. Release builds do this separately."
+        required: false
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+  pull-requests: read
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  changes:
+    name: Detect changed paths
+    runs-on: ubuntu-24.04
+    outputs:
+      github_actions: ${{ steps.changed_paths.outputs.github_actions }}
+      markdown: ${{ steps.changed_paths.outputs.markdown }}
+      python: ${{ steps.changed_paths.outputs.python }}
+      package: ${{ steps.changed_paths.outputs.package }}
+
+    steps:
+      - name: Detect changed paths
+        id: changed_paths
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          github_actions_changed=false
+          markdown_changed=false
+          python_changed=false
+          package_changed=false
+
+          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
+            github_actions_changed=true
+            markdown_changed=true
+            python_changed=true
+            package_changed=true
+          else
+            changed_files="$(mktemp)"
+            gh api --paginate \
+              "repos/${GITHUB_REPOSITORY}/pulls/${PULL_REQUEST_NUMBER}/files" \
+              --jq '.[].filename' > "${changed_files}"
+
+            while IFS= read -r changed_file; do
+              case "${changed_file}" in
+                .github/workflows/*)
+                  github_actions_changed=true
+                  ;;
+              esac
+
+              case "${changed_file}" in
+                *.md|.markdownlint-cli2.yaml)
+                  markdown_changed=true
+                  ;;
+              esac
+
+              case "${changed_file}" in
+                .python-version|pyproject.toml|uv.lock|dev/*|src/*|tests/*)
+                  python_changed=true
+                  ;;
+              esac
+
+              case "${changed_file}" in
+                .python-version|LICENSE|README.md|maps-example.yaml|pyproject.toml|uv.lock|src/*)
+                  package_changed=true
+                  ;;
+              esac
+            done < "${changed_files}"
+          fi
+
+          {
+            echo "github_actions=${github_actions_changed}"
+            echo "markdown=${markdown_changed}"
+            echo "python=${python_changed}"
+            echo "package=${package_changed}"
+          } >> "${GITHUB_OUTPUT}"
+
+  github_actions:
+    name: Lint GitHub Actions
+    needs: changes
+    if: needs.changes.outputs.github_actions == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      ACTIONLINT_VERSION: "1.7.12"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Install actionlint
+        run: |
+          mkdir -p "${HOME}/.local/bin"
+          asset="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
+          checksums="actionlint_${ACTIONLINT_VERSION}_checksums.txt"
+          base_url="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}"
+
+          curl -fsSLO "${base_url}/${asset}"
+          curl -fsSLO "${base_url}/${checksums}"
+          grep "  ${asset}$" "${checksums}" | sha256sum --check
+          tar -xzf "${asset}" -C "${HOME}/.local/bin" actionlint
+          chmod 0755 "${HOME}/.local/bin/actionlint"
+
+      - name: Lint GitHub Actions
+        run: |
+          "${HOME}/.local/bin/actionlint"
+
+  markdown:
+    name: Lint Markdown
+    needs: changes
+    if: needs.changes.outputs.markdown == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      MARKDOWNLINT_CLI2_VERSION: "0.22.1"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Cache npm
+        uses: actions/cache@v5
+        with:
+          path: ~/.npm
+          key: npm-${{ runner.os }}-markdownlint-cli2-${{ env.MARKDOWNLINT_CLI2_VERSION }}
+
+      - name: Lint Markdown
+        run: npx --yes "markdownlint-cli2@${MARKDOWNLINT_CLI2_VERSION}"
+
+  python:
+    name: Validate Python
+    needs: changes
+    if: needs.changes.outputs.python == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      PYTHON_VERSION: "3.11"
+      UV_VERSION: "0.11.7"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Cache uv
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/uv
+          key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
+
+      - name: Install uv
+        run: python -m pip install "uv==${UV_VERSION}"
+
+      - name: Validate lockfile
+        run: uv lock --check
+
+      - name: Lint Python
+        run: uv run --frozen ruff check .
+
+      - name: Check Python formatting
+        run: uv run --frozen ruff format --check .
+
+      - name: Type check
+        run: uv run --frozen pyright
+
+      - name: Run tests
+        run: uv run --frozen python -m unittest discover -s tests
+
+      - name: Smoke test source checkout CLI
+        run: uv run --frozen src-auth-perms-sync --help >/tmp/src-auth-perms-sync-help.txt
+
+  package_build:
+    name: Build and smoke-test package
+    needs: changes
+    if: inputs.build-package && needs.changes.outputs.package == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      PACKAGE_NAME: src-auth-perms-sync
+      PYTHON_VERSION: "3.11"
+      UV_VERSION: "0.11.7"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Cache uv
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/uv
+          key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
+
+      - name: Install uv
+        run: python -m pip install "uv==${UV_VERSION}"
+
+      - name: Build wheel
+        run: uv build --wheel --out-dir dist --no-create-gitignore
+
+      - name: Smoke test installed wheel
+        run: |
+          python -m venv build/ci-venv
+          . build/ci-venv/bin/activate
+          python -m pip install dist/src_auth_perms_sync-*.whl
+          src-auth-perms-sync --help >/tmp/src-auth-perms-sync-installed-help.txt
+          python -m src_auth_perms_sync --help >/tmp/src-auth-perms-sync-module-help.txt
+
+  package:
+    name: Validate package
+    needs: [changes, github_actions, markdown, python, package_build]
+    if: always()
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Confirm validation results
+        run: |
+          for validation_result in \
+            "${{ needs.changes.result }}" \
+            "${{ needs.github_actions.result }}" \
+            "${{ needs.markdown.result }}" \
+            "${{ needs.python.result }}" \
+            "${{ needs.package_build.result }}"
+          do
+            case "${validation_result}" in
+              success|skipped)
+                ;;
+              *)
+                echo "::error title=Validation failed::At least one validation job ended with '${validation_result}'."
+                exit 1
+                ;;
+            esac
+          done

{src_auth_perms_sync-0.2.1 → src_auth_perms_sync-0.2.2}/.gitignore

@@ -14,6 +14,7 @@ __pycache__
 *.yaml
 build/
 dist/
+logs/
 src-auth-perms-sync-runs/
 wheels/
 

{src_auth_perms_sync-0.2.1 → src_auth_perms_sync-0.2.2}/AGENTS.md

@@ -3,8 +3,11 @@
 ## Linting
 
 ```bash
+### GitHub Actions workflows
+actionlint
+
 ### Markdown files
-npx --yes markdownlint-cli2
+npx --yes markdownlint-cli2@0.22.1
 
 ### Python files
 
@@ -44,6 +47,9 @@ uv run src-auth-perms-sync --restore backups/<source>/<run>/before.json
 - The tagged source commit must already contain the package version it
   releases. Do not make the customer release workflow edit `pyproject.toml`.
 - Prepare the version bump on a branch. Set `VERSION`, then copy / paste:
+- As part of every release bump, find old release-version literals in
+  `AGENTS.md`, `README.md`, and release snippets, and replace them with the
+  new version where they are meant to stay current.
 
 ```bash
 set -euo pipefail
@@ -84,12 +90,13 @@ uv lock
 set -euo pipefail
 
 uv lock --check
+actionlint
 uv run ruff check src/src_auth_perms_sync/ tests/
 uv run ruff format --check src/src_auth_perms_sync/ tests/
 uv run pyright
 uv run python -m unittest discover -s tests
 uv run src-auth-perms-sync --help
-npx --yes markdownlint-cli2
+npx --yes markdownlint-cli2@0.22.1
 uv build --wheel --out-dir /tmp/src-auth-perms-sync-release-check --no-create-gitignore
 rm -rf /tmp/src-auth-perms-sync-release-check
 ```
@@ -229,7 +236,7 @@ Strict pyright covers the package. Root modules are entrypoints only:
 - `cli.py` — `main()`, arg parsing, owns the CLI description.
 - `shared/` — cross-workflow helpers: Sourcegraph auth-provider/user list
   helpers, shared GraphQL operations and TypedDicts, site-config validation,
-  SAML group parsing, and GraphQL ID helpers.
+  and SAML group parsing.
 
 Business workflows live in packages:
 

{src_auth_perms_sync-0.2.1 → src_auth_perms_sync-0.2.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: src-auth-perms-sync
-Version: 0.2.1
+Version: 0.2.2
 Summary: Set Sourcegraph permissions from authentication provider data
 Project-URL: Homepage, https://github.com/sourcegraph/src-auth-perms-sync
 Project-URL: Issues, https://github.com/sourcegraph/src-auth-perms-sync/issues
@@ -18,7 +18,7 @@ Classifier: Typing :: Typed
 Requires-Python: >=3.11
 Requires-Dist: json5>=0.14.0
 Requires-Dist: pyyaml>=6.0.3
-Requires-Dist: src-py-lib==0.1.1
+Requires-Dist: src-py-lib==0.1.5
 Description-Content-Type: text/markdown
 
 # src-auth-perms-sync
@@ -31,6 +31,19 @@ setting user-to-repo permissions based on mapping rules, for example:
   and their SAML assertion includes group 1,
   are granted access to repos cloned via code host X
 
+## Experimental - This is not a supported Sourcegraph product
+
+This repo was created for Sourcegraph Implementation Engineering deployments,
+and is not intended, designed, built, or supported for use in any other scenario.
+Feel free to open issues or PRs, but responses are best effort.
+
+## Semantic Versioning
+
+- Release versions are `major.minor.patch`
+- Because this project is still major version 0:
+  - Minor version updates are breaking changes
+  - Patch version updates are not breaking changes
+
 ## Principles
 
 - Customers need to be able to trust this, and audit this, similar to code

{src_auth_perms_sync-0.2.1 → src_auth_perms_sync-0.2.2}/README.md

@@ -8,6 +8,19 @@ setting user-to-repo permissions based on mapping rules, for example:
   and their SAML assertion includes group 1,
   are granted access to repos cloned via code host X
 
+## Experimental - This is not a supported Sourcegraph product
+
+This repo was created for Sourcegraph Implementation Engineering deployments,
+and is not intended, designed, built, or supported for use in any other scenario.
+Feel free to open issues or PRs, but responses are best effort.
+
+## Semantic Versioning
+
+- Release versions are `major.minor.patch`
+- Because this project is still major version 0:
+  - Minor version updates are breaking changes
+  - Patch version updates are not breaking changes
+
 ## Principles
 
 - Customers need to be able to trust this, and audit this, similar to code

{src_auth_perms_sync-0.2.1 → src_auth_perms_sync-0.2.2}/dev/TODO.md

@@ -1,5 +1,10 @@
 # TODO
 
+## High priority: Bump src-py-lib after Node ID helper release
+
+- After releasing `src-py-lib` with Sourcegraph Node ID helpers, update
+  `pyproject.toml` and `uv.lock` to depend on that new version.
+
 ## Medium priority: Lightweight incremental updates
 
 - When a new user's account is created, or a new repo is synced from a code host,