Skip to content

Commit 0d570b6

Browse files
authored
Merge pull request #253 from fgogolli/feat/provider-extension-points
feat: provider extension points, ProviderFulfilment contract, auth security fixes
2 parents 0860ea4 + dd4c390 commit 0d570b6

251 files changed

Lines changed: 15075 additions & 4773 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/ci-quality.yml

Lines changed: 64 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,19 @@ on:
2121
- 'uv.lock'
2222
- '.ruff.toml'
2323
- '.github/workflows/ci-quality.yml'
24+
# pull_request_target is needed only for the auto-format-suggest job to call
25+
# the PR Reviews API on fork PRs. All other jobs gate on event_name to avoid
26+
# double execution.
27+
pull_request_target:
28+
branches: [ main, develop ]
29+
paths:
30+
- 'src/**'
31+
- 'tests/**'
32+
- 'pyproject.toml'
33+
- 'requirements*.txt'
34+
- 'uv.lock'
35+
- '.ruff.toml'
36+
- '.github/workflows/ci-quality.yml'
2437

2538
permissions:
2639
contents: read
@@ -32,6 +45,8 @@ jobs:
3245

3346
quality-check:
3447
name: Quality Standards
48+
# Skip on pull_request_target — only auto-format-suggest needs that event.
49+
if: github.event_name != 'pull_request_target'
3550
runs-on: ubuntu-latest
3651
needs: config
3752
permissions:
@@ -65,6 +80,8 @@ jobs:
6580
6681
setup-cache:
6782
name: Setup Cache
83+
# Runs on both pull_request and pull_request_target — auto-format-suggest
84+
# depends on it and needs to run on pull_request_target for fork PRs.
6885
needs: config
6986
uses: ./.github/workflows/cache-management.yml
7087
with:
@@ -73,8 +90,10 @@ jobs:
7390
python-version: ${{ needs.config.outputs.default-python-version }}
7491

7592
auto-format:
76-
name: Auto-Format Code
77-
if: github.event_name == 'pull_request'
93+
name: Auto-Format Code
94+
# Same-repo PRs only: GITHUB_TOKEN can push directly to the branch.
95+
# Fork PRs are handled by the auto-format-suggest job below.
96+
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
7897
runs-on: ubuntu-latest
7998
needs: [config, setup-cache]
8099
permissions:
@@ -108,8 +127,48 @@ jobs:
108127
git push
109128
fi
110129
130+
auto-format-suggest:
131+
name: Auto-Format Suggestions
132+
# Fork PRs: post formatted changes as PR review suggestions for the
133+
# contributor to apply via the GitHub UI's "Commit suggestion" button.
134+
# Uses pull_request_target so the GITHUB_TOKEN can call the PR Reviews API
135+
# (POST /pulls/{id}/reviews) — pull_request fork-PR tokens cannot.
136+
# The workflow file is evaluated at the base ref (safe); only the PR head
137+
# code is checked out into a non-elevated working tree for formatting.
138+
if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
139+
runs-on: ubuntu-latest
140+
needs: [config, setup-cache]
141+
permissions:
142+
contents: read
143+
pull-requests: write
144+
steps:
145+
- name: Checkout PR head
146+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
147+
with:
148+
ref: ${{ github.event.pull_request.head.sha }}
149+
# No token here — formatter does not need write access; this prevents
150+
# untrusted PR code from authenticating with elevated permissions.
151+
persist-credentials: false
152+
153+
- name: Setup UV with cache
154+
uses: ./.github/actions/setup-uv-cached
155+
with:
156+
cache-key: ${{ needs.setup-cache.outputs.cache-key }}
157+
fail-on-cache-miss: false
158+
159+
- name: Run formatter
160+
run: make format-fix
161+
162+
- name: Post review suggestions
163+
uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.24.0
164+
with:
165+
tool_name: ruff
166+
level: warning
167+
fail_on_error: false
168+
111169
lint-ruff:
112170
name: Ruff (Code Quality)
171+
if: github.event_name != 'pull_request_target'
113172
runs-on: ubuntu-latest
114173
needs: [config, setup-cache]
115174
permissions:
@@ -129,6 +188,7 @@ jobs:
129188

130189
lint-ruff-optional:
131190
name: Ruff (Extended Checks)
191+
if: github.event_name != 'pull_request_target'
132192
runs-on: ubuntu-latest
133193
needs: [config, setup-cache, lint-ruff]
134194
permissions:
@@ -149,6 +209,7 @@ jobs:
149209

150210
lint-pyright:
151211
name: Type Checking (pyright)
212+
if: github.event_name != 'pull_request_target'
152213
runs-on: ubuntu-latest
153214
needs: [config, setup-cache, lint-ruff]
154215
permissions:
@@ -169,6 +230,7 @@ jobs:
169230

170231
arch-validation:
171232
name: Architecture Validation
233+
if: github.event_name != 'pull_request_target'
172234
runs-on: ubuntu-latest
173235
needs: [config, setup-cache, lint-ruff]
174236
permissions:

.github/workflows/security-code.yml

Lines changed: 11 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -118,12 +118,17 @@ jobs:
118118
# in their PyPI METADATA. The compound string is treated as a single
119119
# non-allowlisted license. Each exemption below has been verified by reading
120120
# the package's METADATA license / License-Expression directly:
121-
# werkzeug BSD-3-Clause AND LicenseRef-scancode-unknown-license-reference -> BSD-3-Clause
122-
# lark MIT AND MPL-2.0 -> MIT (METADATA: License: MIT)
123-
# mcp MIT AND Python-2.0 -> MIT (METADATA: License: MIT)
124-
# rfc3987-syntax Apache-2.0 AND GPL-1.0-or-later AND MIT -> MIT (METADATA: License-Expression: MIT)
125-
# wcwidth MIT AND HPND-Markus-Kuhn -> MIT (METADATA: License-Expression: MIT)
126-
allow-dependencies-licenses: 'pkg:pypi/werkzeug, pkg:githubactions/trufflesecurity/trufflehog, pkg:pypi/lark, pkg:pypi/mcp, pkg:pypi/rfc3987-syntax, pkg:pypi/wcwidth'
121+
# werkzeug BSD-3-Clause AND LicenseRef-scancode-unknown-license-reference -> BSD-3-Clause
122+
# lark MIT AND MPL-2.0 -> MIT (METADATA: License: MIT)
123+
# mcp MIT AND Python-2.0 -> MIT (METADATA: License: MIT)
124+
# rfc3987-syntax Apache-2.0 AND GPL-1.0-or-later AND MIT -> MIT (METADATA: License-Expression: MIT)
125+
# wcwidth MIT AND HPND-Markus-Kuhn -> MIT (METADATA: License-Expression: MIT)
126+
# lxml BSD-3-Clause AND GPL-1.0-or-later -> BSD-3-Clause (METADATA: License: BSD-3-Clause; GPL applies to a single legacy source file)
127+
# protobuf BSD-3-Clause AND LicenseRef-scancode-protobuf -> 3-Clause BSD (METADATA License text)
128+
# pywin32 PSF-2.0 -> PSF-2.0 (permissive, equivalent to BSD)
129+
# cyclonedx-python-lib no detected license -> Apache-2.0 (METADATA: License: Apache-2.0)
130+
# fastapi no detected license -> MIT (METADATA: License-Expression: MIT)
131+
allow-dependencies-licenses: 'pkg:pypi/werkzeug, pkg:githubactions/trufflesecurity/trufflehog, pkg:pypi/lark, pkg:pypi/mcp, pkg:pypi/rfc3987-syntax, pkg:pypi/wcwidth, pkg:pypi/lxml, pkg:pypi/protobuf, pkg:pypi/pywin32, pkg:pypi/cyclonedx-python-lib, pkg:pypi/fastapi'
127132

128133
codeql-analysis:
129134
name: CodeQL Analysis

.github/workflows/validate-workflows.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -69,4 +69,4 @@ jobs:
6969
- name: Validate shell scripts with shellcheck
7070
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
7171
with:
72-
ignore_paths: '.venv .git __pycache__ node_modules'
72+
ignore_paths: '.venv .git __pycache__ node_modules k8s'

.gitignore

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,8 @@ requirements-dev.txt
1212
work/
1313

1414
# Test autogenerated files
15-
tests/onaws/run_templates*
15+
tests/providers/aws/live/run_templates/
16+
tests/providers/aws/live/run_templates/**
1617

1718
# Desloppify scan artifacts
1819
.desloppify/

.trivyignore

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,3 +16,9 @@ __pycache__/**
1616
htmlcov/**
1717
.tox/**
1818
.mypy_cache/**
19+
20+
# CVE exceptions for transitive CI/dev-only dependencies with no upstream patch
21+
# nltk 3.9.4 — CVE-2026-54293 (HIGH). Pulled in transitively by `safety` (CI-only
22+
# security scanner). No fixed version available upstream as of 2026-06-17. Not
23+
# present in runtime install. Re-evaluate when nltk publishes a patched release.
24+
CVE-2026-54293

CHANGELOG.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,36 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
88
<!-- insertion marker -->
99
## Unreleased
1010

11+
### Added
12+
13+
- New `[aws]` extra (alias for AWS deps currently in core). The canonical install
14+
command going forward is `pip install orb-py[aws]`. This continues to work
15+
unchanged when AWS deps move out of core in a future major version.
16+
- New `[all-providers]` meta-extra: pulls in all currently implemented providers.
17+
- New `[monitoring-aws]` extra: AWS-specific OpenTelemetry boto instrumentation (previously bundled inside `[monitoring]`).
18+
- New `[test-aws]` extra: moto + response-mocking deps for AWS test suites.
19+
- Architecture test `test_boto3_leak_detection.py`: asserts boto3/botocore are never imported outside `providers/aws/` except by guarded backward-compat shims.
20+
- Unit tests `test_no_provider_install.py`: verifies ORB core modules boot cleanly when AWS deps are absent.
21+
22+
### Changed
23+
24+
- `[monitoring]` extra no longer includes `opentelemetry-instrumentation-boto` (use `[monitoring-aws]`).
25+
- `[all]` extra now includes `[all-providers]` so `pip install orb-py[all]` still pulls everything.
26+
- `[dev]` shim extra now includes `[all-providers]` for full local development.
27+
- Three module-level import sites guarded with `try/except ImportError` so ORB core boots when AWS extras are absent:
28+
`config/schemas/cleanup_schema.py`, `infrastructure/storage/registration.py`,
29+
`providers/registration.py` (deprecated shims).
30+
- `tests/conftest.py`: bare `import boto3` replaced with guarded `AWS_AVAILABLE` flag; AWS provider tests auto-skip when `[aws]` extra is absent.
31+
32+
### Notes
33+
34+
- `boto3` + `botocore` **remain in core** `[project.dependencies]` for now to
35+
preserve backward compatibility — `pip install orb-py` still works unchanged.
36+
- When the second provider (Azure / GCP / OCI) lands, AWS deps will move from
37+
core to the `[aws]` extra and a major-version bump will signal the breaking
38+
change. Operators who use `pip install orb-py[aws]` today will see no
39+
behavior change at that cutover.
40+
1141
<small>[Compare with latest](https://github.com/awslabs/open-resource-broker/compare/v0.1.0rc0...HEAD)</small>
1242

1343
### Features

README.md

Lines changed: 25 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -83,12 +83,36 @@ Get ORB installed and configured for your environment.
8383
<details>
8484
<summary>Installation</summary>
8585

86-
### Standard install
86+
### Standard install (core only — no provider)
8787

8888
```bash
8989
pip install orb-py
9090
```
9191

92+
ORB boots cleanly with no provider registered. Any command that needs a provider
93+
will return a clear "no provider configured" error rather than an ImportError.
94+
95+
### Per-provider install
96+
97+
```bash
98+
pip install "orb-py[aws]" # AWS provider (boto3 + botocore)
99+
pip install "orb-py[aws,cli]" # AWS provider + colored CLI output
100+
pip install "orb-py[aws,api]" # AWS provider + REST API server
101+
pip install "orb-py[monitoring-aws]" # AWS provider + full monitoring stack
102+
pip install "orb-py[all]" # All providers + all features
103+
```
104+
105+
### Provider extras matrix
106+
107+
| Use case | Install command |
108+
|----------|----------------|
109+
| Core only (no provider) | `pip install orb-py` |
110+
| AWS operator | `pip install "orb-py[aws]"` |
111+
| AWS + colored CLI | `pip install "orb-py[aws,cli]"` |
112+
| AWS + REST API | `pip install "orb-py[aws,api]"` |
113+
| AWS + monitoring | `pip install "orb-py[monitoring-aws]"` |
114+
| Full (all providers + features) | `pip install "orb-py[all]"` |
115+
92116
### With colored CLI output
93117

94118
```bash

0 commit comments

Comments
 (0)