winipedia-utils 0.3.41__py3-none-any.whl → 0.4.12__py3-none-any.whl

winipedia_utils/git/github/repo/__init__.py

@@ -0,0 +1 @@
+"""__init__ module."""

winipedia_utils/git/github/repo/protect.py

@@ -0,0 +1,104 @@
+"""Script to protect the repo and branches of a repository."""
+
+from typing import Any
+
+from winipedia_utils.git.github.repo.repo import (
+    DEFAULT_BRANCH,
+    DEFAULT_RULESET_NAME,
+    create_or_update_ruleset,
+    get_repo,
+    get_rules_payload,
+)
+from winipedia_utils.git.github.workflows.health_check import HealthCheckWorkflow
+from winipedia_utils.modules.package import get_src_package
+from winipedia_utils.projects.poetry.config import PyprojectConfigFile
+from winipedia_utils.testing.tests.base.utils.utils import get_github_repo_token
+
+
+def protect_repository() -> None:
+    """Protect the repository."""
+    set_secure_repo_settings()
+    create_or_update_default_branch_ruleset()
+
+
+def set_secure_repo_settings() -> None:
+    """Set standard settings for the repository."""
+    src_pkg_name = get_src_package().__name__
+    owner = PyprojectConfigFile.get_main_author_name()
+    token = get_github_repo_token()
+    repo = get_repo(token, owner, src_pkg_name)
+
+    toml_description = PyprojectConfigFile.load()["project"]["description"]
+
+    repo.edit(
+        name=src_pkg_name,
+        description=toml_description,
+        default_branch=DEFAULT_BRANCH,
+        delete_branch_on_merge=True,
+        allow_update_branch=True,
+        allow_merge_commit=False,
+        allow_rebase_merge=True,
+        allow_squash_merge=True,
+    )
+
+
+def create_or_update_default_branch_ruleset() -> None:
+    """Add a branch protection rule to the repository."""
+    create_or_update_ruleset(
+        **get_default_ruleset_params(),
+    )
+
+
+def get_default_ruleset_params() -> dict[str, Any]:
+    """Get the default ruleset parameters."""
+    src_pkg_name = get_src_package().__name__
+    token = get_github_repo_token()
+
+    rules = get_rules_payload(
+        deletion={},
+        non_fast_forward={},
+        creation={},
+        update={},
+        pull_request={
+            "required_approving_review_count": 1,
+            "dismiss_stale_reviews_on_push": True,
+            "require_code_owner_review": True,
+            "require_last_push_approval": True,
+            "required_review_thread_resolution": True,
+            "automatic_copilot_code_review_enabled": False,
+            "allowed_merge_methods": ["merge", "squash", "rebase"],
+        },
+        required_linear_history={},
+        required_signatures={},
+        required_status_checks={
+            "strict_required_status_checks_policy": True,
+            "do_not_enforce_on_create": False,
+            "required_status_checks": [
+                {
+                    "context": HealthCheckWorkflow.get_workflow_name(),
+                }
+            ],
+        },
+    )
+
+    return {
+        "owner": PyprojectConfigFile.get_main_author_name(),
+        "token": token,
+        "repo_name": src_pkg_name,
+        "ruleset_name": DEFAULT_RULESET_NAME,
+        "enforcement": "active",
+        "bypass_actors": [
+            {
+                "actor_id": 5,
+                "actor_type": "RepositoryRole",
+                "bypass_mode": "always",
+            }
+        ],
+        "target": "branch",
+        "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
+        "rules": rules,
+    }
+
+
+if __name__ == "__main__":
+    protect_repository()

winipedia_utils/git/github/repo/repo.py

@@ -0,0 +1,205 @@
+"""Contains utilities for working with GitHub repositories."""
+
+from typing import Any, Literal
+
+from github import Github
+from github.Auth import Token
+from github.Repository import Repository
+
+from winipedia_utils.logging.logger import get_logger
+
+logger = get_logger(__name__)
+
+DEFAULT_BRANCH = "main"
+
+DEFAULT_RULESET_NAME = f"{DEFAULT_BRANCH} protection"
+
+
+def get_rules_payload(  # noqa: PLR0913
+    *,
+    creation: dict[str, Any] | None = None,
+    update: dict[str, Any] | None = None,
+    deletion: dict[str, Any] | None = None,
+    required_linear_history: dict[str, Any] | None = None,
+    merge_queue: dict[str, Any] | None = None,
+    required_deployments: dict[str, Any] | None = None,
+    required_signatures: dict[str, Any] | None = None,
+    pull_request: dict[str, Any] | None = None,
+    required_status_checks: dict[str, Any] | None = None,
+    non_fast_forward: dict[str, Any] | None = None,
+    commit_message_pattern: dict[str, Any] | None = None,
+    commit_author_email_pattern: dict[str, Any] | None = None,
+    committer_email_pattern: dict[str, Any] | None = None,
+    branch_name_pattern: dict[str, Any] | None = None,
+    tag_name_pattern: dict[str, Any] | None = None,
+    file_path_restriction: dict[str, Any] | None = None,
+    max_file_path_length: dict[str, Any] | None = None,
+    file_extension_restriction: dict[str, Any] | None = None,
+    max_file_size: dict[str, Any] | None = None,
+    workflows: dict[str, Any] | None = None,
+    code_scanning: dict[str, Any] | None = None,
+    copilot_code_review: dict[str, Any] | None = None,
+) -> list[dict[str, Any]]:
+    """Build a rules array for a GitHub ruleset.
+
+    Args:
+        creation: Only allow users with bypass permission to create matching
+            refs.
+        update: Only allow users with bypass permission to update matching
+            refs.
+        deletion: Only allow users with bypass permissions to delete matching
+            refs.
+        required_linear_history: Prevent merge commits from being pushed to
+            matching refs.
+        merge_queue: Merges must be performed via a merge queue.
+        required_deployments: Choose which environments must be successfully
+            deployed to before refs can be pushed.
+        required_signatures: Commits pushed to matching refs must have verified
+            signatures.
+        pull_request: Require all commits be made to a non-target branch and
+            submitted via a pull request.
+        required_status_checks: Choose which status checks must pass before the
+            ref is updated.
+        non_fast_forward: Prevent users with push access from force pushing to
+            refs.
+        commit_message_pattern: Parameters to be used for the
+            commit_message_pattern rule.
+        commit_author_email_pattern: Parameters to be used for the
+            commit_author_email_pattern rule.
+        committer_email_pattern: Parameters to be used for the
+            committer_email_pattern rule.
+        branch_name_pattern: Parameters to be used for the branch_name_pattern
+            rule.
+        tag_name_pattern: Parameters to be used for the tag_name_pattern rule.
+        file_path_restriction: Prevent commits that include changes in
+            specified file and folder paths.
+        max_file_path_length: Prevent commits that include file paths that
+            exceed the specified character limit.
+        file_extension_restriction: Prevent commits that include files with
+            specified file extensions.
+        max_file_size: Prevent commits with individual files that exceed the
+            specified limit.
+        workflows: Require all changes made to a targeted branch to pass the
+            specified workflows.
+        code_scanning: Choose which tools must provide code scanning results
+            before the reference is updated.
+        copilot_code_review: Request Copilot code review for new pull requests
+            automatically.
+
+    Returns:
+        A list of rule objects to be used in a GitHub ruleset.
+    """
+    rules: list[dict[str, Any]] = []
+
+    rule_map = {
+        "creation": creation,
+        "update": update,
+        "deletion": deletion,
+        "required_linear_history": required_linear_history,
+        "merge_queue": merge_queue,
+        "required_deployments": required_deployments,
+        "required_signatures": required_signatures,
+        "pull_request": pull_request,
+        "required_status_checks": required_status_checks,
+        "non_fast_forward": non_fast_forward,
+        "commit_message_pattern": commit_message_pattern,
+        "commit_author_email_pattern": commit_author_email_pattern,
+        "committer_email_pattern": committer_email_pattern,
+        "branch_name_pattern": branch_name_pattern,
+        "tag_name_pattern": tag_name_pattern,
+        "file_path_restriction": file_path_restriction,
+        "max_file_path_length": max_file_path_length,
+        "file_extension_restriction": file_extension_restriction,
+        "max_file_size": max_file_size,
+        "workflows": workflows,
+        "code_scanning": code_scanning,
+        "copilot_code_review": copilot_code_review,
+    }
+
+    for rule_type, rule_config in rule_map.items():
+        if rule_config is not None:
+            rule_obj: dict[str, Any] = {"type": rule_type}
+            if rule_config:  # If there are parameters
+                rule_obj["parameters"] = rule_config
+            rules.append(rule_obj)
+
+    return rules
+
+
+def create_or_update_ruleset(  # noqa: PLR0913
+    token: str,
+    owner: str,
+    repo_name: str,
+    *,
+    ruleset_name: str,
+    enforcement: Literal["active", "disabled", "evaluate"] = "active",
+    target: Literal["branch", "tag", "push"] = "branch",
+    bypass_actors: list[dict[str, Any]] | None = None,
+    conditions: dict[
+        Literal["ref_name"], dict[Literal["include", "exclude"], list[str]]
+    ]
+    | None = None,
+    rules: list[dict[str, Any]] | None = None,
+) -> Any:
+    """Create a ruleset for the repository."""
+    repo = get_repo(token, owner, repo_name)
+    ruleset_id = ruleset_exists(
+        token=token, owner=owner, repo_name=repo_name, ruleset_name=ruleset_name
+    )
+    method = "PUT" if ruleset_id else "POST"
+    url = f"{repo.url}/rulesets"
+
+    if ruleset_id:
+        url += f"/{ruleset_id}"
+
+    payload: dict[str, Any] = {
+        "name": ruleset_name,
+        "enforcement": enforcement,
+        "target": target,
+        "conditions": conditions,
+        "rules": rules,
+    }
+    if bypass_actors:
+        payload["bypass_actors"] = bypass_actors
+
+    _headers, res = repo._requester.requestJsonAndCheck(  # noqa: SLF001
+        method,
+        url,
+        headers={
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+        input=payload,
+    )
+
+    return res
+
+
+def get_all_rulesets(token: str, owner: str, repo_name: str) -> Any:
+    """Get all rulesets for the repository."""
+    repo = get_repo(token, owner, repo_name)
+    url = f"{repo.url}/rulesets"
+    method = "GET"
+    _headers, res = repo._requester.requestJsonAndCheck(  # noqa: SLF001
+        method,
+        url,
+        headers={
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+    )
+    return res
+
+
+def get_repo(token: str, owner: str, repo_name: str) -> Repository:
+    """Get the repository."""
+    auth = Token(token)
+    github = Github(auth=auth)
+    return github.get_repo(f"{owner}/{repo_name}")
+
+
+def ruleset_exists(token: str, owner: str, repo_name: str, ruleset_name: str) -> int:
+    """Check if the main protection ruleset exists."""
+    rulesets = get_all_rulesets(token, owner, repo_name)
+    main_ruleset = next((rs for rs in rulesets if rs["name"] == ruleset_name), None)
+    return main_ruleset["id"] if main_ruleset else 0

winipedia_utils/git/github/workflows/base/__init__.py

@@ -0,0 +1 @@
+"""__init__ module."""

winipedia_utils/git/{workflows → github/workflows}/base/base.py

@@ -4,6 +4,9 @@ from abc import abstractmethod
 from pathlib import Path
 from typing import Any
 
+import winipedia_utils
+from winipedia_utils.modules.module import make_obj_importpath
+from winipedia_utils.modules.package import get_src_package
 from winipedia_utils.text.config import YamlConfigFile
 from winipedia_utils.text.string import split_on_uppercase
 
@@ -11,22 +14,36 @@ from winipedia_utils.text.string import split_on_uppercase
 class Workflow(YamlConfigFile):
     """Base class for workflows."""
 
+    @classmethod
     @abstractmethod
-    def get_workflow_triggers(self) -> dict[str, Any]:
+    def get_workflow_triggers(cls) -> dict[str, Any]:
         """Get the workflow triggers."""
 
+    @classmethod
     @abstractmethod
-    def get_permissions(self) -> dict[str, Any]:
+    def get_permissions(cls) -> dict[str, Any]:
         """Get the workflow permissions."""
 
+    @classmethod
     @abstractmethod
-    def get_jobs(self) -> dict[str, Any]:
+    def get_jobs(cls) -> dict[str, Any]:
         """Get the workflow jobs."""
 
-    def get_path(self) -> Path:
+    @classmethod
+    def get_parent_path(cls) -> Path:
         """Get the path to the config file."""
-        file_name = self.get_standard_job_name() + ".yaml"
-        return Path(".github/workflows") / file_name
+        return Path(".github/workflows")
+
+    @classmethod
+    def get_configs(cls) -> dict[str, Any]:
+        """Get the workflow config."""
+        return {
+            "name": cls.get_workflow_name(),
+            "on": cls.get_workflow_triggers(),
+            "permissions": cls.get_permissions(),
+            "run-name": cls.get_run_name(),
+            "jobs": cls.get_jobs(),
+        }
 
     @classmethod
     def get_standard_job(
@@ -39,7 +56,7 @@ class Workflow(YamlConfigFile):
     ) -> dict[str, Any]:
         """Get a standard job."""
         if name is None:
-            name = cls.get_standard_job_name()
+            name = cls.get_filename()
 
         if steps is None:
             steps = []
@@ -57,31 +74,15 @@ class Workflow(YamlConfigFile):
             job[name]["if"] = if_condition
         return job
 
-    @classmethod
-    def get_standard_job_name(cls) -> str:
-        """Get the standard job name."""
-        return "_".join(
-            split_on_uppercase(cls.__name__.removesuffix(Workflow.__name__))
-        ).lower()
-
     @classmethod
     def get_workflow_name(cls) -> str:
         """Get the workflow name."""
         return " ".join(split_on_uppercase(cls.__name__))
 
-    def get_run_name(self) -> str:
+    @classmethod
+    def get_run_name(cls) -> str:
         """Get the workflow run name."""
-        return f"{self.get_workflow_name()}"
-
-    def get_configs(self) -> dict[str, Any]:
-        """Get the workflow config."""
-        return {
-            "name": self.get_workflow_name(),
-            "on": self.get_workflow_triggers(),
-            "permissions": self.get_permissions(),
-            "run-name": self.get_run_name(),
-            "jobs": self.get_jobs(),
-        }
+        return f"{cls.get_workflow_name()}"
 
     @classmethod
     def get_checkout_step(cls, fetch_depth: int | None = None) -> dict[str, Any]:
@@ -145,13 +146,6 @@ class Workflow(YamlConfigFile):
                 "run": "curl -sSL https://install.python-poetry.org | python3 -",
             }
         )
-        steps.append(
-            {
-                "name": "Extract Version from pyproject.toml",
-                "id": "version",
-                "run": 'version=$(poetry version -s) && echo "Project version: $version" && echo "version=v$version" >> $GITHUB_OUTPUT',  # noqa: E501
-            },
-        )
         if configure_pipy_token:
             steps.append(
                 {
@@ -163,56 +157,91 @@ class Workflow(YamlConfigFile):
             steps.append({"name": "Install Dependencies", "run": "poetry install"})
         return steps
 
-    @staticmethod
-    def get_release_steps() -> list[dict[str, Any]]:
+    @classmethod
+    def get_release_steps(cls) -> list[dict[str, Any]]:
         """Get the release steps."""
         return [
             {
                 "name": "Create and Push Tag",
-                "run": f"git tag {Workflow.get_version()} && git push origin {Workflow.get_version()}",  # noqa: E501
+                "run": f"git tag {cls.get_version()} && git push origin {cls.get_version()}",  # noqa: E501
             },
             {
                 "name": "Build Changelog",
                 "id": "build_changelog",
                 "uses": "mikepenz/release-changelog-builder-action@develop",
-                "with": {"token": "${{ secrets.GITHUB_TOKEN }}"},
+                "with": {"token": cls.get_github_token()},
             },
             {
                 "name": "Create GitHub Release",
                 "uses": "ncipollo/release-action@main",
                 "with": {
-                    "tag": Workflow.get_version(),
-                    "name": Workflow.get_repo_and_version(),
+                    "tag": cls.get_version(),
+                    "name": cls.get_repo_and_version(),
                     "body": "${{ steps.build_changelog.outputs.changelog }}",
                 },
             },
         ]
 
-    @staticmethod
-    def get_publish_to_pypi_step() -> dict[str, Any]:
+    @classmethod
+    def get_extract_version_step(cls) -> dict[str, Any]:
+        """Get the extract version step."""
+        return {
+            "name": "Extract Version from pyproject.toml",
+            "id": "version",
+            "run": 'version=$(poetry version -s) && echo "Project version: $version" && echo "version=v$version" >> $GITHUB_OUTPUT',  # noqa: E501
+        }
+
+    @classmethod
+    def get_publish_to_pypi_step(cls) -> dict[str, Any]:
         """Get the publish step."""
         return {"name": "Build and publish to PyPI", "run": "poetry publish --build"}
 
-    @staticmethod
-    def get_pre_commit_step() -> dict[str, Any]:
+    @classmethod
+    def get_pre_commit_step(cls) -> dict[str, Any]:
         """Get the pre-commit step.
 
         using pre commit in case other hooks are added later
         and bc it fails if files are changed,
         setup script shouldnt change files
         """
-        return {
+        step: dict[str, Any] = {
             "name": "Run Hooks",
             "run": "poetry run pre-commit run --all-files --verbose",
         }
+        if get_src_package() == winipedia_utils:
+            step["env"] = {"REPO_TOKEN": cls.get_repo_token()}
+        return step
 
-    @staticmethod
-    def get_repository_name() -> str:
+    @classmethod
+    def get_commit_step(cls) -> dict[str, Any]:
+        """Get the commit step."""
+        return {
+            "name": "Commit Changes",
+            "run": "poetry run git commit --no-verify -m 'CI/CD: Committing possible changes to pyproject.toml and poetry.lock' && poetry run git push",  # noqa: E501
+        }
+
+    @classmethod
+    def get_protect_repository_step(cls) -> dict[str, Any]:
+        """Get the protect repository step."""
+        from winipedia_utils.git.github.repo import (  # noqa: PLC0415
+            protect,  # avoid circular import
+        )
+
+        return {
+            "name": "Protect Repository",
+            "run": f"poetry run python -m {make_obj_importpath(protect)}",
+            "env": {
+                "REPO_TOKEN": cls.get_repo_token(),
+            },
+        }
+
+    @classmethod
+    def get_repository_name(cls) -> str:
         """Get the repository name."""
         return "${{ github.event.repository.name }}"
 
-    @staticmethod
-    def get_ref_name() -> str:
+    @classmethod
+    def get_ref_name(cls) -> str:
         """Get the ref name."""
         return "${{ github.ref_name }}"
 
@@ -221,7 +250,22 @@ class Workflow(YamlConfigFile):
         """Get the version."""
         return "${{ steps.version.outputs.version }}"
 
-    @staticmethod
-    def get_repo_and_version() -> str:
+    @classmethod
+    def get_repo_and_version(cls) -> str:
         """Get the repository name and ref name."""
-        return f"{Workflow.get_repository_name()} {Workflow.get_version()}"
+        return f"{cls.get_repository_name()} {cls.get_version()}"
+
+    @classmethod
+    def get_ownwer(cls) -> str:
+        """Get the repository owner."""
+        return "${{ github.repository_owner }}"
+
+    @classmethod
+    def get_github_token(cls) -> str:
+        """Get the GitHub token."""
+        return "${{ secrets.GITHUB_TOKEN }}"
+
+    @classmethod
+    def get_repo_token(cls) -> str:
+        """Get the repository token."""
+        return "${{ secrets.REPO_TOKEN }}"

winipedia_utils/git/github/workflows/health_check.py

@@ -0,0 +1,55 @@
+"""Contains the pull request workflow.
+
+This workflow is used to run tests on pull requests.
+"""
+
+from typing import Any
+
+from winipedia_utils.git.github.workflows.base.base import Workflow
+
+
+class HealthCheckWorkflow(Workflow):
+    """Pull request workflow.
+
+    This workflow is triggered by a pull request.
+    It runs tests on the pull request.
+    """
+
+    @classmethod
+    def get_workflow_triggers(cls) -> dict[str, Any]:
+        """Get the workflow triggers."""
+        return {
+            "pull_request": {
+                "types": ["opened", "synchronize", "reopened"],
+            },
+            "schedule": [
+                {
+                    # run every day at 6 am
+                    "cron": "0 6 * * *",
+                },
+            ],
+            "workflow_dispatch": {},
+        }
+
+    @classmethod
+    def get_permissions(cls) -> dict[str, Any]:
+        """Get the workflow permissions."""
+        return {}
+
+    @classmethod
+    def get_jobs(cls) -> dict[str, Any]:
+        """Get the workflow jobs."""
+        return {
+            **cls.get_standard_job(
+                steps=[
+                    *(
+                        cls.get_poetry_setup_steps(
+                            install_dependencies=True,
+                        )
+                    ),
+                    cls.get_protect_repository_step(),
+                    cls.get_pre_commit_step(),
+                    cls.get_extract_version_step(),
+                ],
+            ),
+        }

winipedia_utils/git/{workflows → github/workflows}/publish.py

@@ -5,8 +5,8 @@ This workflow is used to publish the package to PyPI with poetry.
 
 from typing import Any
 
-from winipedia_utils.git.workflows.base.base import Workflow
-from winipedia_utils.git.workflows.release import ReleaseWorkflow
+from winipedia_utils.git.github.workflows.base.base import Workflow
+from winipedia_utils.git.github.workflows.release import ReleaseWorkflow
 
 
 class PublishWorkflow(Workflow):
@@ -16,7 +16,8 @@ class PublishWorkflow(Workflow):
     It publishes the package to PyPI with poetry.
     """
 
-    def get_workflow_triggers(self) -> dict[str, Any]:
+    @classmethod
+    def get_workflow_triggers(cls) -> dict[str, Any]:
         """Get the workflow triggers."""
         return {
             "workflow_run": {
@@ -25,22 +26,24 @@ class PublishWorkflow(Workflow):
             },
         }
 
-    def get_permissions(self) -> dict[str, Any]:
+    @classmethod
+    def get_permissions(cls) -> dict[str, Any]:
         """Get the workflow permissions."""
         return {
             "contents": "read",
         }
 
-    def get_jobs(self) -> dict[str, Any]:
+    @classmethod
+    def get_jobs(cls) -> dict[str, Any]:
         """Get the workflow jobs."""
-        return self.get_standard_job(
+        return cls.get_standard_job(
             steps=[
                 *(
-                    self.get_poetry_setup_steps(
+                    cls.get_poetry_setup_steps(
                         configure_pipy_token=True,
                     )
                 ),
-                self.get_publish_to_pypi_step(),
+                cls.get_publish_to_pypi_step(),
             ],
             if_condition="${{ github.event.workflow_run.conclusion == 'success' }}",
         )