winipedia-utils 0.3.43__py3-none-any.whl → 0.4.18__py3-none-any.whl

winipedia_utils/git/github/repo/__init__.py

@@ -0,0 +1 @@
+"""__init__ module."""

winipedia_utils/git/github/repo/protect.py

@@ -0,0 +1,104 @@
+"""Script to protect the repo and branches of a repository."""
+
+from typing import Any
+
+from winipedia_utils.git.github.repo.repo import (
+    DEFAULT_BRANCH,
+    DEFAULT_RULESET_NAME,
+    create_or_update_ruleset,
+    get_repo,
+    get_rules_payload,
+)
+from winipedia_utils.git.github.workflows.health_check import HealthCheckWorkflow
+from winipedia_utils.modules.package import get_src_package
+from winipedia_utils.projects.poetry.config import PyprojectConfigFile
+from winipedia_utils.testing.tests.base.utils.utils import get_github_repo_token
+
+
+def protect_repository() -> None:
+    """Protect the repository."""
+    set_secure_repo_settings()
+    create_or_update_default_branch_ruleset()
+
+
+def set_secure_repo_settings() -> None:
+    """Set standard settings for the repository."""
+    src_pkg_name = get_src_package().__name__
+    owner = PyprojectConfigFile.get_main_author_name()
+    token = get_github_repo_token()
+    repo = get_repo(token, owner, src_pkg_name)
+
+    toml_description = PyprojectConfigFile.load()["project"]["description"]
+
+    repo.edit(
+        name=src_pkg_name,
+        description=toml_description,
+        default_branch=DEFAULT_BRANCH,
+        delete_branch_on_merge=True,
+        allow_update_branch=True,
+        allow_merge_commit=False,
+        allow_rebase_merge=True,
+        allow_squash_merge=True,
+    )
+
+
+def create_or_update_default_branch_ruleset() -> None:
+    """Add a branch protection rule to the repository."""
+    create_or_update_ruleset(
+        **get_default_ruleset_params(),
+    )
+
+
+def get_default_ruleset_params() -> dict[str, Any]:
+    """Get the default ruleset parameters."""
+    src_pkg_name = get_src_package().__name__
+    token = get_github_repo_token()
+
+    rules = get_rules_payload(
+        deletion={},
+        non_fast_forward={},
+        creation={},
+        update={},
+        pull_request={
+            "required_approving_review_count": 1,
+            "dismiss_stale_reviews_on_push": True,
+            "require_code_owner_review": True,
+            "require_last_push_approval": True,
+            "required_review_thread_resolution": True,
+            "automatic_copilot_code_review_enabled": False,
+            "allowed_merge_methods": ["merge", "squash", "rebase"],
+        },
+        required_linear_history={},
+        required_signatures={},
+        required_status_checks={
+            "strict_required_status_checks_policy": True,
+            "do_not_enforce_on_create": False,
+            "required_status_checks": [
+                {
+                    "context": HealthCheckWorkflow.get_workflow_name(),
+                }
+            ],
+        },
+    )
+
+    return {
+        "owner": PyprojectConfigFile.get_main_author_name(),
+        "token": token,
+        "repo_name": src_pkg_name,
+        "ruleset_name": DEFAULT_RULESET_NAME,
+        "enforcement": "active",
+        "bypass_actors": [
+            {
+                "actor_id": 5,
+                "actor_type": "RepositoryRole",
+                "bypass_mode": "always",
+            }
+        ],
+        "target": "branch",
+        "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
+        "rules": rules,
+    }
+
+
+if __name__ == "__main__":
+    protect_repository()

winipedia_utils/git/github/repo/repo.py

@@ -0,0 +1,205 @@
+"""Contains utilities for working with GitHub repositories."""
+
+from typing import Any, Literal
+
+from github import Github
+from github.Auth import Token
+from github.Repository import Repository
+
+from winipedia_utils.logging.logger import get_logger
+
+logger = get_logger(__name__)
+
+DEFAULT_BRANCH = "main"
+
+DEFAULT_RULESET_NAME = f"{DEFAULT_BRANCH} protection"
+
+
+def get_rules_payload(  # noqa: PLR0913
+    *,
+    creation: dict[str, Any] | None = None,
+    update: dict[str, Any] | None = None,
+    deletion: dict[str, Any] | None = None,
+    required_linear_history: dict[str, Any] | None = None,
+    merge_queue: dict[str, Any] | None = None,
+    required_deployments: dict[str, Any] | None = None,
+    required_signatures: dict[str, Any] | None = None,
+    pull_request: dict[str, Any] | None = None,
+    required_status_checks: dict[str, Any] | None = None,
+    non_fast_forward: dict[str, Any] | None = None,
+    commit_message_pattern: dict[str, Any] | None = None,
+    commit_author_email_pattern: dict[str, Any] | None = None,
+    committer_email_pattern: dict[str, Any] | None = None,
+    branch_name_pattern: dict[str, Any] | None = None,
+    tag_name_pattern: dict[str, Any] | None = None,
+    file_path_restriction: dict[str, Any] | None = None,
+    max_file_path_length: dict[str, Any] | None = None,
+    file_extension_restriction: dict[str, Any] | None = None,
+    max_file_size: dict[str, Any] | None = None,
+    workflows: dict[str, Any] | None = None,
+    code_scanning: dict[str, Any] | None = None,
+    copilot_code_review: dict[str, Any] | None = None,
+) -> list[dict[str, Any]]:
+    """Build a rules array for a GitHub ruleset.
+
+    Args:
+        creation: Only allow users with bypass permission to create matching
+            refs.
+        update: Only allow users with bypass permission to update matching
+            refs.
+        deletion: Only allow users with bypass permissions to delete matching
+            refs.
+        required_linear_history: Prevent merge commits from being pushed to
+            matching refs.
+        merge_queue: Merges must be performed via a merge queue.
+        required_deployments: Choose which environments must be successfully
+            deployed to before refs can be pushed.
+        required_signatures: Commits pushed to matching refs must have verified
+            signatures.
+        pull_request: Require all commits be made to a non-target branch and
+            submitted via a pull request.
+        required_status_checks: Choose which status checks must pass before the
+            ref is updated.
+        non_fast_forward: Prevent users with push access from force pushing to
+            refs.
+        commit_message_pattern: Parameters to be used for the
+            commit_message_pattern rule.
+        commit_author_email_pattern: Parameters to be used for the
+            commit_author_email_pattern rule.
+        committer_email_pattern: Parameters to be used for the
+            committer_email_pattern rule.
+        branch_name_pattern: Parameters to be used for the branch_name_pattern
+            rule.
+        tag_name_pattern: Parameters to be used for the tag_name_pattern rule.
+        file_path_restriction: Prevent commits that include changes in
+            specified file and folder paths.
+        max_file_path_length: Prevent commits that include file paths that
+            exceed the specified character limit.
+        file_extension_restriction: Prevent commits that include files with
+            specified file extensions.
+        max_file_size: Prevent commits with individual files that exceed the
+            specified limit.
+        workflows: Require all changes made to a targeted branch to pass the
+            specified workflows.
+        code_scanning: Choose which tools must provide code scanning results
+            before the reference is updated.
+        copilot_code_review: Request Copilot code review for new pull requests
+            automatically.
+
+    Returns:
+        A list of rule objects to be used in a GitHub ruleset.
+    """
+    rules: list[dict[str, Any]] = []
+
+    rule_map = {
+        "creation": creation,
+        "update": update,
+        "deletion": deletion,
+        "required_linear_history": required_linear_history,
+        "merge_queue": merge_queue,
+        "required_deployments": required_deployments,
+        "required_signatures": required_signatures,
+        "pull_request": pull_request,
+        "required_status_checks": required_status_checks,
+        "non_fast_forward": non_fast_forward,
+        "commit_message_pattern": commit_message_pattern,
+        "commit_author_email_pattern": commit_author_email_pattern,
+        "committer_email_pattern": committer_email_pattern,
+        "branch_name_pattern": branch_name_pattern,
+        "tag_name_pattern": tag_name_pattern,
+        "file_path_restriction": file_path_restriction,
+        "max_file_path_length": max_file_path_length,
+        "file_extension_restriction": file_extension_restriction,
+        "max_file_size": max_file_size,
+        "workflows": workflows,
+        "code_scanning": code_scanning,
+        "copilot_code_review": copilot_code_review,
+    }
+
+    for rule_type, rule_config in rule_map.items():
+        if rule_config is not None:
+            rule_obj: dict[str, Any] = {"type": rule_type}
+            if rule_config:  # If there are parameters
+                rule_obj["parameters"] = rule_config
+            rules.append(rule_obj)
+
+    return rules
+
+
+def create_or_update_ruleset(  # noqa: PLR0913
+    token: str,
+    owner: str,
+    repo_name: str,
+    *,
+    ruleset_name: str,
+    enforcement: Literal["active", "disabled", "evaluate"] = "active",
+    target: Literal["branch", "tag", "push"] = "branch",
+    bypass_actors: list[dict[str, Any]] | None = None,
+    conditions: dict[
+        Literal["ref_name"], dict[Literal["include", "exclude"], list[str]]
+    ]
+    | None = None,
+    rules: list[dict[str, Any]] | None = None,
+) -> Any:
+    """Create a ruleset for the repository."""
+    repo = get_repo(token, owner, repo_name)
+    ruleset_id = ruleset_exists(
+        token=token, owner=owner, repo_name=repo_name, ruleset_name=ruleset_name
+    )
+    method = "PUT" if ruleset_id else "POST"
+    url = f"{repo.url}/rulesets"
+
+    if ruleset_id:
+        url += f"/{ruleset_id}"
+
+    payload: dict[str, Any] = {
+        "name": ruleset_name,
+        "enforcement": enforcement,
+        "target": target,
+        "conditions": conditions,
+        "rules": rules,
+    }
+    if bypass_actors:
+        payload["bypass_actors"] = bypass_actors
+
+    _headers, res = repo._requester.requestJsonAndCheck(  # noqa: SLF001
+        method,
+        url,
+        headers={
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+        input=payload,
+    )
+
+    return res
+
+
+def get_all_rulesets(token: str, owner: str, repo_name: str) -> Any:
+    """Get all rulesets for the repository."""
+    repo = get_repo(token, owner, repo_name)
+    url = f"{repo.url}/rulesets"
+    method = "GET"
+    _headers, res = repo._requester.requestJsonAndCheck(  # noqa: SLF001
+        method,
+        url,
+        headers={
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+    )
+    return res
+
+
+def get_repo(token: str, owner: str, repo_name: str) -> Repository:
+    """Get the repository."""
+    auth = Token(token)
+    github = Github(auth=auth)
+    return github.get_repo(f"{owner}/{repo_name}")
+
+
+def ruleset_exists(token: str, owner: str, repo_name: str, ruleset_name: str) -> int:
+    """Check if the main protection ruleset exists."""
+    rulesets = get_all_rulesets(token, owner, repo_name)
+    main_ruleset = next((rs for rs in rulesets if rs["name"] == ruleset_name), None)
+    return main_ruleset["id"] if main_ruleset else 0

winipedia_utils/git/github/workflows/base/__init__.py

@@ -0,0 +1 @@
+"""__init__ module."""

winipedia_utils/git/{workflows → github/workflows}/base/base.py

@@ -4,6 +4,9 @@ from abc import abstractmethod
 from pathlib import Path
 from typing import Any
 
+import winipedia_utils
+from winipedia_utils.modules.module import make_obj_importpath
+from winipedia_utils.modules.package import get_src_package
 from winipedia_utils.text.config import YamlConfigFile
 from winipedia_utils.text.string import split_on_uppercase
 
@@ -11,22 +14,36 @@ from winipedia_utils.text.string import split_on_uppercase
 class Workflow(YamlConfigFile):
     """Base class for workflows."""
 
+    @classmethod
     @abstractmethod
-    def get_workflow_triggers(self) -> dict[str, Any]:
+    def get_workflow_triggers(cls) -> dict[str, Any]:
         """Get the workflow triggers."""
 
+    @classmethod
     @abstractmethod
-    def get_permissions(self) -> dict[str, Any]:
+    def get_permissions(cls) -> dict[str, Any]:
         """Get the workflow permissions."""
 
+    @classmethod
     @abstractmethod
-    def get_jobs(self) -> dict[str, Any]:
+    def get_jobs(cls) -> dict[str, Any]:
         """Get the workflow jobs."""
 
-    def get_path(self) -> Path:
+    @classmethod
+    def get_parent_path(cls) -> Path:
         """Get the path to the config file."""
-        file_name = self.get_standard_job_name() + ".yaml"
-        return Path(".github/workflows") / file_name
+        return Path(".github/workflows")
+
+    @classmethod
+    def get_configs(cls) -> dict[str, Any]:
+        """Get the workflow config."""
+        return {
+            "name": cls.get_workflow_name(),
+            "on": cls.get_workflow_triggers(),
+            "permissions": cls.get_permissions(),
+            "run-name": cls.get_run_name(),
+            "jobs": cls.get_jobs(),
+        }
 
     @classmethod
     def get_standard_job(
@@ -39,7 +56,7 @@ class Workflow(YamlConfigFile):
     ) -> dict[str, Any]:
         """Get a standard job."""
         if name is None:
-            name = cls.get_standard_job_name()
+            name = cls.get_filename()
 
         if steps is None:
             steps = []
@@ -57,38 +74,28 @@ class Workflow(YamlConfigFile):
             job[name]["if"] = if_condition
         return job
 
-    @classmethod
-    def get_standard_job_name(cls) -> str:
-        """Get the standard job name."""
-        return "_".join(
-            split_on_uppercase(cls.__name__.removesuffix(Workflow.__name__))
-        ).lower()
-
     @classmethod
     def get_workflow_name(cls) -> str:
         """Get the workflow name."""
         return " ".join(split_on_uppercase(cls.__name__))
 
-    def get_run_name(self) -> str:
+    @classmethod
+    def get_run_name(cls) -> str:
         """Get the workflow run name."""
-        return f"{self.get_workflow_name()}"
-
-    def get_configs(self) -> dict[str, Any]:
-        """Get the workflow config."""
-        return {
-            "name": self.get_workflow_name(),
-            "on": self.get_workflow_triggers(),
-            "permissions": self.get_permissions(),
-            "run-name": self.get_run_name(),
-            "jobs": self.get_jobs(),
-        }
+        return f"{cls.get_workflow_name()}"
 
     @classmethod
-    def get_checkout_step(cls, fetch_depth: int | None = None) -> dict[str, Any]:
+    def get_checkout_step(
+        cls,
+        fetch_depth: int | None = None,
+        *,
+        token: bool = False,
+    ) -> dict[str, Any]:
         """Get the checkout step.
 
         Args:
         fetch_depth: The fetch depth to use. If None, no fetch depth is specified.
+        token: Whether to use the repository token.
 
         Returns:
         The checkout step.
@@ -98,7 +105,10 @@ class Workflow(YamlConfigFile):
             "uses": "actions/checkout@main",
         }
         if fetch_depth is not None:
-            step["with"] = {"fetch-depth": fetch_depth}
+            step.setdefault("with", {})["fetch-depth"] = fetch_depth
+
+        if token:
+            step.setdefault("with", {})["token"] = cls.get_repo_token()
         return step
 
     @classmethod
@@ -109,6 +119,7 @@ class Workflow(YamlConfigFile):
         fetch_depth: int | None = None,
         configure_pipy_token: bool = False,
         force_main_head: bool = False,
+        token: bool = False,
     ) -> list[dict[str, Any]]:
         """Get the poetry steps.
 
@@ -119,11 +130,12 @@ class Workflow(YamlConfigFile):
         force_main_head: Whether to exit if the running branch or current commit is not
             equal to the most recent commit on main. This is useful for workflows that
             should only run on main.
+        token: Whether to use the repository token.
 
         Returns:
         The poetry steps.
         """
-        steps = [cls.get_checkout_step(fetch_depth)]
+        steps = [cls.get_checkout_step(fetch_depth, token=token)]
         if force_main_head:
             # exit with code 1 if the running branch is not main
             steps.append(
@@ -132,6 +144,7 @@ class Workflow(YamlConfigFile):
                     "run": 'git fetch origin main --depth=1; main_sha=$(git rev-parse origin/main); if [ "$GITHUB_SHA" != "$main_sha" ]; then echo "Tag commit is not the latest commit on main."; exit 1; fi',  # noqa: E501
                 }
             )
+        steps.append(cls.get_setup_git_step())
         steps.append(
             {
                 "name": "Setup Python",
@@ -145,13 +158,6 @@ class Workflow(YamlConfigFile):
                 "run": "curl -sSL https://install.python-poetry.org | python3 -",
             }
         )
-        steps.append(
-            {
-                "name": "Extract Version from pyproject.toml",
-                "id": "version",
-                "run": 'version=$(poetry version -s) && echo "Project version: $version" && echo "version=v$version" >> $GITHUB_OUTPUT',  # noqa: E501
-            },
-        )
         if configure_pipy_token:
             steps.append(
                 {
@@ -163,56 +169,99 @@ class Workflow(YamlConfigFile):
             steps.append({"name": "Install Dependencies", "run": "poetry install"})
         return steps
 
-    @staticmethod
-    def get_release_steps() -> list[dict[str, Any]]:
+    @classmethod
+    def get_release_steps(cls) -> list[dict[str, Any]]:
         """Get the release steps."""
         return [
             {
                 "name": "Create and Push Tag",
-                "run": f"git tag {Workflow.get_version()} && git push origin {Workflow.get_version()}",  # noqa: E501
+                "run": f"git tag {cls.get_version()} && git push && git push origin {cls.get_version()}",  # noqa: E501
             },
             {
                 "name": "Build Changelog",
                 "id": "build_changelog",
                 "uses": "mikepenz/release-changelog-builder-action@develop",
-                "with": {"token": "${{ secrets.GITHUB_TOKEN }}"},
+                "with": {"token": cls.get_github_token()},
             },
             {
                 "name": "Create GitHub Release",
                 "uses": "ncipollo/release-action@main",
                 "with": {
-                    "tag": Workflow.get_version(),
-                    "name": Workflow.get_repo_and_version(),
+                    "tag": cls.get_version(),
+                    "name": cls.get_repo_and_version(),
                     "body": "${{ steps.build_changelog.outputs.changelog }}",
                 },
             },
         ]
 
-    @staticmethod
-    def get_publish_to_pypi_step() -> dict[str, Any]:
+    @classmethod
+    def get_extract_version_step(cls) -> dict[str, Any]:
+        """Get the extract version step."""
+        return {
+            "name": "Extract Version from pyproject.toml",
+            "id": "version",
+            "run": 'version=$(poetry version -s) && echo "Project version: $version" && echo "version=v$version" >> $GITHUB_OUTPUT',  # noqa: E501
+        }
+
+    @classmethod
+    def get_publish_to_pypi_step(cls) -> dict[str, Any]:
         """Get the publish step."""
         return {"name": "Build and publish to PyPI", "run": "poetry publish --build"}
 
-    @staticmethod
-    def get_pre_commit_step() -> dict[str, Any]:
+    @classmethod
+    def get_pre_commit_step(cls) -> dict[str, Any]:
         """Get the pre-commit step.
 
         using pre commit in case other hooks are added later
         and bc it fails if files are changed,
         setup script shouldnt change files
         """
-        return {
+        step: dict[str, Any] = {
             "name": "Run Hooks",
             "run": "poetry run pre-commit run --all-files --verbose",
         }
+        if get_src_package() == winipedia_utils:
+            step["env"] = {"REPO_TOKEN": cls.get_repo_token()}
+        return step
 
-    @staticmethod
-    def get_repository_name() -> str:
+    @classmethod
+    def get_setup_git_step(cls) -> dict[str, Any]:
+        """Get the setup git step."""
+        return {
+            "name": "Setup Git",
+            "run": 'git config --global user.email "github-actions[bot]@users.noreply.github.com" && git config --global user.name "github-actions[bot]"',  # noqa: E501
+        }
+
+    @classmethod
+    def get_commit_step(cls) -> dict[str, Any]:
+        """Get the commit step."""
+        return {
+            "name": "Commit added changes",
+            "run": "git commit --no-verify -m '[skip ci] CI/CD: Committing possible added changes (e.g.: pyproject.toml and poetry.lock)'",  # noqa: E501
+        }
+
+    @classmethod
+    def get_protect_repository_step(cls) -> dict[str, Any]:
+        """Get the protect repository step."""
+        from winipedia_utils.git.github.repo import (  # noqa: PLC0415
+            protect,  # avoid circular import
+        )
+
+        return {
+            "name": "Protect Repository",
+            "run": f"poetry run python -m {make_obj_importpath(protect)}",
+            "env": {
+                "REPO_TOKEN": cls.get_repo_token(),
+            },
+        }
+
+    @classmethod
+    def get_repository_name(cls) -> str:
         """Get the repository name."""
         return "${{ github.event.repository.name }}"
 
-    @staticmethod
-    def get_ref_name() -> str:
+    @classmethod
+    def get_ref_name(cls) -> str:
         """Get the ref name."""
         return "${{ github.ref_name }}"
 
@@ -221,7 +270,22 @@ class Workflow(YamlConfigFile):
         """Get the version."""
         return "${{ steps.version.outputs.version }}"
 
-    @staticmethod
-    def get_repo_and_version() -> str:
+    @classmethod
+    def get_repo_and_version(cls) -> str:
         """Get the repository name and ref name."""
-        return f"{Workflow.get_repository_name()} {Workflow.get_version()}"
+        return f"{cls.get_repository_name()} {cls.get_version()}"
+
+    @classmethod
+    def get_ownwer(cls) -> str:
+        """Get the repository owner."""
+        return "${{ github.repository_owner }}"
+
+    @classmethod
+    def get_github_token(cls) -> str:
+        """Get the GitHub token."""
+        return "${{ secrets.GITHUB_TOKEN }}"
+
+    @classmethod
+    def get_repo_token(cls) -> str:
+        """Get the repository token."""
+        return "${{ secrets.REPO_TOKEN }}"

winipedia_utils/git/github/workflows/health_check.py

@@ -0,0 +1,57 @@
+"""Contains the pull request workflow.
+
+This workflow is used to run tests on pull requests.
+"""
+
+from typing import Any
+
+from winipedia_utils.git.github.workflows.base.base import Workflow
+
+
+class HealthCheckWorkflow(Workflow):
+    """Pull request workflow.
+
+    This workflow is triggered by a pull request.
+    It runs tests on the pull request.
+    """
+
+    @classmethod
+    def get_workflow_triggers(cls) -> dict[str, Any]:
+        """Get the workflow triggers."""
+        return {
+            "pull_request": {
+                "types": ["opened", "synchronize", "reopened"],
+            },
+            "schedule": [
+                {
+                    # run every day at 6 am
+                    "cron": "0 6 * * *",
+                },
+            ],
+            "workflow_dispatch": {},
+        }
+
+    @classmethod
+    def get_permissions(cls) -> dict[str, Any]:
+        """Get the workflow permissions."""
+        return {}
+
+    @classmethod
+    def get_jobs(cls) -> dict[str, Any]:
+        """Get the workflow jobs."""
+        return {
+            **cls.get_standard_job(
+                steps=[
+                    *(
+                        cls.get_poetry_setup_steps(
+                            install_dependencies=True,
+                            token=True,
+                        )
+                    ),
+                    cls.get_protect_repository_step(),
+                    cls.get_pre_commit_step(),
+                    cls.get_commit_step(),
+                    cls.get_extract_version_step(),
+                ],
+            ),
+        }