From 605800f09670e74b3c263225e0f2f727a5706da1 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Fri, 20 Feb 2026 09:00:49 -0500 Subject: [PATCH 01/13] update ruff pre-commit hook command --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8c1a1b7391..22ca209c80 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,7 +2,7 @@ repos: - repo: https://github.com/astral-sh/ruff-pre-commit rev: v0.13.0 hooks: - - id: ruff + - id: ruff-check args: ['--fix'] - id: ruff-format - repo: https://github.com/PyCQA/bandit From 1976b262967309d01d0ba9945461e5faabafb1f5 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Fri, 20 Feb 2026 09:01:12 -0500 Subject: [PATCH 02/13] move build dependencies to build-system.requires --- pyproject.toml | 6 +++++- requirements-dev.txt | 5 ----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index f18a4d9438..e7cbae6dca 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,5 +1,9 @@ [build-system] -requires = [ "setuptools" ] +requires = [ + "build>=1.4.0", + "setuptools>=80.10.2", + "twine>=6.2.0", +] build-backend = "setuptools.build_meta" [project] diff --git a/requirements-dev.txt b/requirements-dev.txt index b5bdbaf906..09b079cd75 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -12,11 +12,6 @@ ruff==0.13.0 testfixtures==8.3.0;python_version<'3.11' testfixtures==9.1.0;python_version>='3.11' -# Build and publish requirements -build>=1.4.0 -setuptools>=80.10.2 -twine>=6.2.0 - # Docs Requirements myst-parser==4.0.1 sphinxcontrib-googleanalytics==0.5 From 35bef4326be2edb49f519eea23d7e85939ce2641 Mon Sep 17 00:00:00 2001 
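Review bot: `build` and `twine` do not belong in `[build-system].requires` in pyproject.toml. That list is installed into the isolated build environment of everyone who builds parsons from source, and the `setuptools.build_meta` backend needs neither package. Keeping them there widens the set of third-party packages pulled in on downstream machines for no benefit. Leave `requires = ["setuptools>=80.10.2"]` and keep the release tooling in a development-only list, such as the `# Build and publish requirements` lines this commit removes from requirements-dev.txt.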
From: Ramona T Date: Fri, 20 Feb 2026 09:02:36 -0500 Subject: [PATCH 03/13] move dev requirements to dependency-groups --- pyproject.toml | 43 +++++++++++++++++++++++++++++++++++++++++++ requirements-dev.txt | 21 --------------------- 2 files changed, 43 insertions(+), 21 deletions(-) delete mode 100644 requirements-dev.txt diff --git a/pyproject.toml b/pyproject.toml index e7cbae6dca..33c3755f4e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -42,6 +42,49 @@ issues = "https://github.com/move-coop/parsons/issues" github = "https://github.com/move-coop/parsons" repository = "https://github.com/move-coop/parsons.git" + +[dependency-groups] +dev = [ + {include-group = "docs"}, + {include-group = "lint"}, + {include-group = "pre-commit"}, + {include-group = "security"}, + {include-group = "test-coverage"}, +] +docs = [ + "myst-parser==4.0.1", + "sphinxcontrib-googleanalytics==0.5", + "sphinx-multiversion==0.2.4", + "sphinx-rtd-theme==3.0.2", + "Sphinx==7.4.7;python_version<'3.11'", + "Sphinx==8.2.3;python_version>='3.11'", +] +lint = [ + "ruff==0.13.0", +] +pre-commit = [ + "pre-commit==4.3.0", +] +security = [ + "bandit[sarif]==1.8.6", +] +test-coverage = [ + "coverage==7.13.3", + "pytest-cov==7.0.0", + {include-group = "test"}, +] +test = [ + "pytest==8.4.2", + "pytest-datadir==1.8.0", + "pytest-mock==3.15.1", + "pytest-xdist==3.8.0", + "requests-mock==1.12.1", + "testfixtures==8.3.0;python_version<'3.11'", + "testfixtures==9.1.0;python_version>='3.11'", +] + +[tool] + [tool.setuptools] packages = ["parsons"] diff --git a/requirements-dev.txt b/requirements-dev.txt deleted file mode 100644 index 09b079cd75..0000000000 --- a/requirements-dev.txt +++ /dev/null 
@@ -1,21 +0,0 @@ -# Testing Requirements -bandit[sarif]==1.8.6 -coverage==7.13.3 -pre-commit==4.3.0 -pytest-cov==7.0.0 -pytest-datadir==1.8.0 -pytest-mock==3.15.1 -pytest-xdist==3.8.0 -pytest==8.4.2 -requests-mock==1.12.1 -ruff==0.13.0 -testfixtures==8.3.0;python_version<'3.11' -testfixtures==9.1.0;python_version>='3.11' - -# Docs Requirements -myst-parser==4.0.1 -sphinxcontrib-googleanalytics==0.5 -sphinx-multiversion==0.2.4 -sphinx-rtd-theme==3.0.2 -Sphinx==7.4.7;python_version<'3.11' -Sphinx==8.2.3;python_version>='3.11' From 6d64b4c2f2ecccdcb2f5382a10add6ff0a636824 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Fri, 20 Feb 2026 14:02:48 -0500 Subject: [PATCH 04/13] update ci commands and dockerimage for more uv use --- .circleci/config.yml | 65 +++++++++------ .github/workflows/python-checks.yml | 124 ++++++++++++++++++++-------- .github/workflows/release.yml | 27 +++--- .gitignore | 1 + Dockerfile | 23 +++--- pyproject.toml | 31 +------ 6 files changed, 163 insertions(+), 108 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 0804ab580a..078b2b4425 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -21,79 +21,98 @@ jobs: docs-build: docker: - image: cimg/python:3.13 + steps: - checkout - # Download and cache dependencies + - restore_cache: keys: - - v2-dependencies-python3.13-{{ checksum "requirements-dev.txt" }} + - v2-dependencies-python3.13-{{ checksum "pyproject.toml" }}-{{ checksum "setup.py" }} # fallback to using the latest cache if no exact match is found - v2-dependencies-python3.13- + - run: - name: Install dependencies - # Note that we the circleci node image installs stuff with a user "circleci", rather - # than root. So we need to tell npm where to install stuff. + name: Install parsons command: | - pip install uv - uv venv - source .venv/bin/activate - uv pip install -r requirements.txt - uv pip install -r requirements-dev.txt + uv sync \\ + --upgrade \\ + --no-default-groups \\ + --group docs \\ + --all-extras + - save_cache: paths: - ./venv - key: v2-dependencies-python3.13-{{ checksum "requirements-dev.txt" }} + key: v2-dependencies-python3.13-{{ checksum "pyproject.toml" }}-{{ checksum "setup.py" }} + - run: name: Build docs command: | - source .venv/bin/activate + uv sync \\ + --no-default-groups \\ + --group docs \\ + --all-extras + cd docs/ make deploy_docs - cd .. docs-build-deploy: docker: - image: cimg/python:3.13-node + steps: - checkout - # Download and cache dependencies + - restore_cache: keys: - - v2-dependencies-python3.13-{{ checksum "requirements-dev.txt" }}- + - v2-dependencies-python3.13-{{ checksum "pyproject.toml" }}-{{ checksum "setup.py" }} # fallback to using the latest cache if no exact match is found - v2-dependencies-python3.13- + - run: - name: Install dependencies + name: Install parsons # Note that we the circleci node image installs stuff with a user "circleci", rather # than root. So we need to tell npm where to install stuff. 
command: | npm set prefix=/home/circleci/npm npm install -g --silent gh-pages@2.0.1 - pip install uv - uv venv - source .venv/bin/activate - uv pip install -r requirements.txt - uv pip install -r requirements-dev.txt + + uv sync \\ + --upgrade \\ + --no-default-groups \\ + --group docs \\ + --all-extras + - save_cache: paths: - ./venv - key: v2-dependencies-python3.13-{{ checksum "requirements-dev.txt" }} + key: v2-dependencies-python3.13-{{ checksum "pyproject.toml" }}-{{ checksum "setup.py" }} + - add_ssh_keys: # This SSH key is "CircleCI Docs" in https://github.com/move-coop/parsons/settings/keys # We need write access to the Parsons repo, so we can push the "gh-pages" branch. fingerprints: - '9a:ec:4d:2b:c3:45:b2:f5:55:ca:0b:2b:36:e2:7f:df' + - run: name: Build and deploy docs # When running gh-pages, we specify to include dotfiles, so we pick up the .nojerkyll file. # (This file tell Github Pages that we want to include all files in docs/, including those # that start with an underscore like _static/). command: | - source .venv/bin/activate + uv sync \\ + --no-default-groups \\ + --group docs \\ + --all-extras + cd docs/ make deploy_docs + cd .. + git config user.email "ci-build@movementcooperative.org" git config user.name "ci-build" + export PATH=/home/circleci/npm/bin:$PATH + gh-pages --dotfiles --message "[skip ci] Updates" --dist docs diff --git a/.github/workflows/python-checks.yml b/.github/workflows/python-checks.yml index 237b30c74b..d7205cda25 100644 --- a/.github/workflows/python-checks.yml +++ b/.github/workflows/python-checks.yml 
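Review bot: The `save_cache` steps in both jobs still list `./venv`, but `uv sync` creates its environment in `.venv` by default, so the cache written under the new `pyproject.toml`/`setup.py` checksum key appears to hold nothing useful. Change the path to `./.venv` (or set `UV_PROJECT_ENVIRONMENT`) in `docs-build` and `docs-build-deploy`. The `pip install uv` line is also removed without a replacement, so both jobs now assume the `cimg/python` images ship `uv`; confirm that or add an explicit, version-pinned install step.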
@@ -54,17 +54,24 @@ jobs: - if: matrix.resolution != 'limited-dependencies' continue-on-error: ${{ contains(matrix.python-version, '3.14') }} - run: | - uv pip install --system --resolution ${{ matrix.resolution }} -e .[all] - uv pip install --system --resolution ${{ matrix.resolution }} -r requirements-dev.txt + run: >- + uv sync + --upgrade + --no-default-groups + --group test-coverage + --all-extras + --resolution ${{ matrix.resolution }} - if: matrix.resolution == 'limited-dependencies' continue-on-error: ${{ contains(matrix.python-version, '3.14') }} env: PARSONS_LIMITED_DEPENDENCIES: 'TRUE' - run: | - uv pip install --system -r requirements-dev.txt - uv pip install --system -e .[all] + run: >- + uv sync + --upgrade + --no-default-groups + --group test-coverage + --all-extras - id: cache-pytest uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 @@ -72,10 +79,10 @@ jobs: path: .pytest_cache key: pytest-${{ matrix.python-version }}-${{ matrix.os }}-${{ matrix.resolution }}-${{ hashFiles('pyproject.toml') }} - - run: pytest - continue-on-error: ${{ contains(matrix.python-version, '3.14') }} - env: + - env: COVERAGE_FILE: ".coverage.${{ matrix.os }}.${{ matrix.python-version }}.${{ matrix.resolution }}" + continue-on-error: ${{ contains(matrix.python-version, '3.14') }} + run: uv run pytest - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f if: ${{ !contains(matrix.python-version, '3.14') }} 
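Review bot: `uv sync --upgrade` in both install steps re-resolves every dependency on each run, and the `.gitignore` hunk of this commit keeps `uv.lock` out of the repository, so no two CI runs are guaranteed to test the same dependency set. A new upstream release, including a compromised one, reaches the test job without any change in this repository. Consider committing `uv.lock` and using `uv sync --locked` for the default matrix entries, keeping a fresh resolve only where the `matrix.resolution` variants need one. The same flag is repeated in the lint, security, pre-commit and release hunks of this commit.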
@@ -104,19 +111,24 @@ jobs: - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: - python-version: '3.14' + python-version: '3.13' cache: pip - uses: install-pinned/uv@259f91feb61b6e94766d7a1dbcd5f17335370e64 - - run: uv pip install --system -r requirements-dev.txt + - run: >- + uv sync + --upgrade + --no-default-groups + --group ci + --all-extras - name: get-extras id: get-extras env: PARSONS_LIMITED_DEPENDENCIES: 'TRUE' run: | - python -c " + uv run - " import json from build.util import project_wheel_metadata from pathlib import Path @@ -168,11 +180,15 @@ jobs: - uses: install-pinned/uv@259f91feb61b6e94766d7a1dbcd5f17335370e64 - - run: uv pip install --system -r requirements-dev.txt - - - run: uv pip install --system .[${{ matrix.extra }}] - env: + - env: PARSONS_LIMITED_DEPENDENCIES: 'TRUE' + run: >- + uv sync + --upgrade + --no-default-groups + --group test + --extra ${{ matrix.extra }} + --resolution ${{ matrix.resolution }} - id: cache-pytest uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 @@ -180,7 +196,7 @@ jobs: path: .pytest_cache key: pytest-${{ hashFiles('pyproject.toml') }}-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.resolution }}-${{ matrix.extra }} - - run: pytest test/test_${{ matrix.extra }} + - run: uv run pytest test/test_${{ matrix.extra }} ruff-format: runs-on: ubuntu-latest @@ -204,7 +220,11 @@ jobs: - uses: install-pinned/uv@fa468aced1ea5737b7cbaba356dd97587bc27f7f - - run: uv pip install --system -r requirements-dev.txt + - run: >- + uv sync + --upgrade + --no-default-groups + --group lint - id: cache-ruff uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 @@ -213,7 +233,11 @@ jobs: key: ruff-${{ hashFiles('pyproject.toml') }} - id: run-ruff - run: ruff format --diff . + run: >- + uv run + ruff format + --diff + . ruff-check: runs-on: ubuntu-latest 
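Review bot: `${{ matrix.extra }}` is expanded by the workflow engine straight into the shell text of `--extra ${{ matrix.extra }}` and `uv run pytest test/test_${{ matrix.extra }}`. The matrix appears to be produced by the `get-extras` step from the project's own metadata, which a pull request can change. Pass the value through the step environment instead: add `EXTRA: ${{ matrix.extra }}` under `env:` and use `--extra "$EXTRA"` and `uv run pytest "test/test_$EXTRA"`. The same applies to `--resolution ${{ matrix.resolution }}` if that value is not a fixed list; the job's matrix definition is outside the hunk.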
@@ -241,7 +265,11 @@ jobs: - uses: install-pinned/uv@fa468aced1ea5737b7cbaba356dd97587bc27f7f - - run: uv pip install --system -r requirements-dev.txt + - run: >- + uv sync + --upgrade + --no-default-groups + --group lint - id: cache-ruff uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 @@ -250,8 +278,12 @@ jobs: key: ruff-${{ hashFiles('pyproject.toml') }} - id: run-ruff-sarif - run: | - ruff check --output-format=sarif -o results.sarif . + run: >- + uv run + ruff check + --output-format=sarif + -o results.sarif + . - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-ruff-sarif.outcome) @@ -260,8 +292,11 @@ jobs: - id: run-ruff if: failure() && contains('["failure"]', steps.run-ruff-sarif.outcome) - run: | - ruff check --output-format=github . + run: >- + uv run + ruff check + --output-format=github + . bandit: runs-on: ubuntu-latest @@ -289,11 +324,22 @@ jobs: - uses: install-pinned/uv@fa468aced1ea5737b7cbaba356dd97587bc27f7f - - run: uv pip install --system -r requirements-dev.txt + - run: >- + uv sync + --upgrade + --no-default-groups + --group security - id: run-bandit-sarif - run: | - bandit --confidence-level 'medium' --severity-level 'medium' --recursive 'parsons' --exclude '**/vendor/*' --format 'sarif' --output 'results.sarif' + run: >- + uv run + bandit + --confidence-level 'medium' + --severity-level 'medium' + --recursive 'parsons' + --exclude '**/vendor/*' + --format 'sarif' + --output 'results.sarif' - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-bandit-sarif.outcome) 
@@ -302,8 +348,13 @@ jobs: - id: run-bandit if: failure() && contains('["failure"]', steps.run-bandit-sarif.outcome) - run: | - bandit --confidence-level 'medium' --severity-level 'medium' --recursive 'parsons' --exclude '**/vendor/*' + run: >- + uv run + bandit + --confidence-level 'medium' + --severity-level 'medium' + --recursive 'parsons' + --exclude '**/vendor/*' coverage: runs-on: ubuntu-latest @@ -375,7 +426,11 @@ jobs: - uses: install-pinned/uv@fa468aced1ea5737b7cbaba356dd97587bc27f7f - - run: uv pip install --system -r requirements-dev.txt + - run: >- + uv sync + --upgrade + --no-default-groups + --group pre-commit - id: cache-pre-commit uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 @@ -383,8 +438,9 @@ jobs: path: .pre-commit-cache key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}-${{ hashFiles('pyproject.toml') }} - - run: | - pre-commit install - pre-commit run --all-files - env: + - env: PRE_COMMIT_HOME: .pre-commit-cache + run: >- + uv run + pre-commit run + --all-files diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 35c2dcb244..f8a35ac1a7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,24 +23,22 @@ jobs: - name: Set up Python 3.13 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: - python-version: "3.13" - cache: pip + python-version: "3.13" + cache: pip - name: Install uv uses: install-pinned/uv@fa468aced1ea5737b7cbaba356dd97587bc27f7f - - name: Install dependencies - run: | - uv pip install --system -r requirements-dev.txt - uv pip install --system -e .[all] - - - name: Check setup.py - run: | - python setup.py check + - name: Install parsons + run: >- + uv sync + --upgrade + --all-extras - - name: Build src dist - run: | - python -m build --sdist --outdir dist + - name: Build source distribution + run: >- + uv build + --sdist - name: Upload dist directory uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f 
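Review bot: The `Install parsons` step in release.yml runs `uv sync --upgrade --all-extras` in the job that produces the sdist, although `uv build --sdist` builds in its own isolated environment and does not need the project installed. Every optional dependency is therefore freshly resolved and installed in the same workspace as the artifact that is later published. Dropping the step, or reducing it to what the build actually needs, shrinks what can influence the release artifact.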
@@ -77,11 +75,14 @@ jobs: shell: bash run: | file=$(find ./dist -name 'parsons-*.tar.gz' | head -1) + # Extract to a temp directory first mkdir -p temp_extract tar -xzf "$file" -C temp_extract + # Find and move requirements files to root find temp_extract -name 'requirements.txt' -exec cp {} . \; 2>/dev/null || true + # Clean up rm -rf temp_extract diff --git a/.gitignore b/.gitignore index 3f994ee23f..a8b7c12379 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,7 @@ __pycache__/ *.so # Distribution / packaging +uv.lock .Python build/ develop-eggs/ diff --git a/Dockerfile b/Dockerfile index 335afcd86b..7ccf31cd9f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,17 +9,18 @@ FROM --platform=linux/amd64 python:3.11 # Much of this was pulled from examples at https://github.com/joyzoursky/docker-python-chromedriver # install google chrome -RUN wget -qO- https://dl.google.com/linux/linux_signing_key.pub \ +RUN wget -qO- https://dl.google.com/linux/linux_signing_key.pub \ | gpg --dearmor -o /etc/apt/keyrings/google.gpg; \ - chmod 0644 /etc/apt/keyrings/google.gpg; \ - echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/google.gpg] https://dl.google.com/linux/chrome/deb/ stable main' \ + chmod 0644 /etc/apt/keyrings/google.gpg; \ + echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/google.gpg] https://dl.google.com/linux/chrome/deb/ stable main' \ > /etc/apt/sources.list.d/google-chrome.list RUN apt-get -y update RUN apt-get install -y google-chrome-stable # install chromedriver RUN apt-get install -yqq unzip -RUN wget -O /tmp/chromedriver.zip http://chromedriver.storage.googleapis.com/`curl -sS chromedriver.storage.googleapis.com/LATEST_RELEASE`/chromedriver_linux64.zip +RUN wget -O /tmp/chromedriver.zip \ + https://chromedriver.storage.googleapis.com/`curl -sS chromedriver.storage.googleapis.com/LATEST_RELEASE`/chromedriver_linux64.zip RUN unzip /tmp/chromedriver.zip chromedriver -d /usr/local/bin/ # set display port to avoid crash 
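Review bot: The chromedriver download URL now uses `https://`, but the nested `curl -sS chromedriver.storage.googleapis.com/LATEST_RELEASE` that picks the version has no scheme and so still goes over plain HTTP. The version string substituted into the download URL is therefore not integrity-protected. Write it as `curl -fsS https://chromedriver.storage.googleapis.com/LATEST_RELEASE`. Also consider pinning a version and checking the archive's checksum before `unzip`, since nothing verifies the zip whose binary lands in `/usr/local/bin/`.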
@@ -30,20 +31,22 @@ ENV DISPLAY=:99 ################### RUN mkdir /src - -COPY requirements.txt /src/ -RUN pip install uv -RUN uv pip install --system -r /src/requirements.txt - COPY . /src/ WORKDIR /src -RUN python setup.py develop +# Install uv +COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/ + +# Install parsons +RUN uv sync \ + --upgrade \ + --all-extras # The /app directory can house the scripts that will actually execute on this Docker image. # Eg. If using this image in a Civis container script, Civis will install your script repo # (from Github) to /app. RUN mkdir /app WORKDIR /app + # Useful for importing modules that are associated with your python scripts: ENV PYTHONPATH=.:/app diff --git a/pyproject.toml b/pyproject.toml index 33c3755f4e..cecf57ae50 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -42,7 +42,6 @@ issues = "https://github.com/move-coop/parsons/issues" github = "https://github.com/move-coop/parsons" repository = "https://github.com/move-coop/parsons.git" - [dependency-groups] dev = [ {include-group = "docs"}, @@ -51,6 +50,9 @@ dev = [ {include-group = "security"}, {include-group = "test-coverage"}, ] +ci = [ + "build>=1.4.0", +] docs = [ "myst-parser==4.0.1", "sphinxcontrib-googleanalytics==0.5", @@ -121,16 +123,10 @@ exclude = [ "venv", "**/vendor/*", ] - -# Default line length is 88 -# Changed to 100 to match previous pyproject black config line-length = 100 indent-width = 4 [tool.ruff.lint] -# Enable Pyflakes (`F`) and a subset of the pycodestyle (`E`) codes by default. -# Unlike Flake8, Ruff doesn't enable pycodestyle warnings (`W`) or -# McCabe complexity (`C901`) by default. select = [ "B", # flake8-bugbear (B) "E", # pycodestyle errors (E) 
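Review bot: `COPY --from=ghcr.io/astral-sh/uv:latest` pulls a mutable tag, so the `uv` binary copied into `/bin/` can change between builds without any change to this Dockerfile; pin a release tag or an image digest, e.g. `ghcr.io/astral-sh/uv:<VERSION>@sha256:<DIGEST>`. Separately, `uv sync` installs into `/src/.venv`, whereas the removed `uv pip install --system` and `python setup.py develop` installed into the image's interpreter. With `WORKDIR /app` and no `PATH` change, a plain `python` in `/app` will probably not see parsons or its dependencies. Adding `ENV PATH="/src/.venv/bin:$PATH"` after the sync would restore that.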
@@ -160,36 +156,15 @@ ignore = [ "PTH207", # glob (PTH207) "PTH208", # os-listdir (PTH208) ] - -# Allow fix for all enabled rules (when `--fix`) is provided. fixable = ["ALL"] unfixable = [] [tool.ruff.format] -# Like Black, use double quotes for strings. quote-style = "double" - -# Like Black, indent with spaces, rather than tabs. indent-style = "space" - -# Like Black, respect magic trailing commas. skip-magic-trailing-comma = false - -# Like Black, automatically detect the appropriate line ending. line-ending = "auto" - -# Enable auto-formatting of code examples in docstrings. Markdown, -# reStructuredText code/literal blocks and doctests are all supported. -# -# This is currently disabled by default, but it is planned for this -# to be opt-out in the future. docstring-code-format = false - -# Set the line length limit used when formatting code snippets in -# docstrings. -# -# This only has an effect when the `docstring-code-format` setting is -# enabled. docstring-code-line-length = "dynamic" [tool.pytest.ini_options] From 797e30182f863ab293420e701a54f171ad0dab38 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Fri, 20 Feb 2026 18:19:37 -0500 Subject: [PATCH 05/13] correct circleci line-break formatting --- .circleci/config.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 078b2b4425..af0648ef04 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -34,10 +34,10 @@ jobs: - run: name: Install parsons command: | - uv sync \\ - --upgrade \\ - --no-default-groups \\ - --group docs \\ + uv sync \ + --upgrade \ + --no-default-groups \ + --group docs \ --all-extras - save_cache: @@ -48,9 +48,9 @@ jobs: - run: name: Build docs command: | - uv sync \\ - --no-default-groups \\ - --group docs \\ + uv sync \ + --no-default-groups \ + --group docs \ --all-extras cd docs/ 
@@ -77,10 +77,10 @@ jobs: npm set prefix=/home/circleci/npm npm install -g --silent gh-pages@2.0.1 - uv sync \\ - --upgrade \\ - --no-default-groups \\ - --group docs \\ + uv sync \ + --upgrade \ + --no-default-groups \ + --group docs \ --all-extras - save_cache: @@ -100,9 +100,9 @@ jobs: # (This file tell Github Pages that we want to include all files in docs/, including those # that start with an underscore like _static/). command: | - uv sync \\ - --no-default-groups \\ - --group docs \\ + uv sync \ + --no-default-groups \ + --group docs \ --all-extras cd docs/ From c1621dcd3d5fb4485f82b506497958057d1e30f8 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Fri, 20 Feb 2026 18:32:12 -0500 Subject: [PATCH 06/13] use uv run for make in circleci --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index af0648ef04..7fbb7df9a5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -54,7 +54,7 @@ jobs: --all-extras cd docs/ - make deploy_docs + uv run make deploy_docs docs-build-deploy: docker: @@ -106,7 +106,7 @@ jobs: --all-extras cd docs/ - make deploy_docs + uv venv make deploy_docs cd .. From eb5caafd74afa6fad2d9b623804085260dab06f8 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Tue, 24 Feb 2026 20:35:18 -0500 Subject: [PATCH 07/13] remove vendor file bandit exclusion --- .github/workflows/python-checks.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/python-checks.yml b/.github/workflows/python-checks.yml index 6b0ae20fbe..5fe45f69df 100644 --- a/.github/workflows/python-checks.yml +++ b/.github/workflows/python-checks.yml @@ -337,7 +337,6 @@ jobs: --confidence-level 'medium' --severity-level 'medium' --recursive 'parsons' - --exclude '**/vendor/*' --format 'sarif' --output 'results.sarif' @@ -354,7 +353,6 @@ jobs: --confidence-level 'medium' --severity-level 'medium' --recursive 'parsons' - --exclude '**/vendor/*' coverage: runs-on: ubuntu-latest 
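Review bot: In `docs-build-deploy` the new line reads `uv venv make deploy_docs`, while the matching line in `docs-build` is `uv run make deploy_docs`. `uv venv` creates a virtual environment rather than running a command, so the deploy job would not build the docs before `gh-pages` publishes the `docs` directory. This looks like a typo for `uv run make deploy_docs`.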
From aa24fc38ee6ca033c8c8102564653795e1271d0f Mon Sep 17 00:00:00 2001 From: Ramona T Date: Wed, 11 Mar 2026 23:44:09 -0400 Subject: [PATCH 08/13] break cache keys across lines for readability --- .github/workflows/python-checks.yml | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/.github/workflows/python-checks.yml b/.github/workflows/python-checks.yml index e0aa3d6dba..3c008ec4ea 100644 --- a/.github/workflows/python-checks.yml +++ b/.github/workflows/python-checks.yml @@ -77,7 +77,12 @@ jobs: uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 with: path: .pytest_cache - key: pytest-${{ matrix.python-version }}-${{ matrix.os }}-${{ matrix.resolution }}-${{ hashFiles('pyproject.toml') }} + key: >- + pytest + -${{ matrix.python-version }} + -${{ matrix.os }} + -${{ matrix.resolution }} + -${{ hashFiles('pyproject.toml') }} - env: COVERAGE_FILE: ".coverage.${{ matrix.os }}.${{ matrix.python-version }}.${{ matrix.resolution }}" @@ -194,7 +199,13 @@ jobs: uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 with: path: .pytest_cache - key: pytest-${{ hashFiles('pyproject.toml') }}-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.resolution }}-${{ matrix.extra }} + key: >- + pytest + -${{ hashFiles('pyproject.toml') }} + -${{ matrix.os }} + -${{ matrix.python-version }} + -${{ matrix.resolution }} + -${{ matrix.extra }} - run: uv run pytest test/test_${{ matrix.extra }} @@ -230,7 +241,9 @@ jobs: uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 with: path: .ruff_cache - key: ruff-${{ hashFiles('pyproject.toml') }} + key: >- + ruff + -${{ hashFiles('pyproject.toml') }} - id: run-ruff run: >- @@ -275,7 +288,9 @@ jobs: uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 with: path: .ruff_cache - key: ruff-${{ hashFiles('pyproject.toml') }} + key: >- + ruff + -${{ hashFiles('pyproject.toml') }} - id: run-ruff-sarif run: >- 
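Review bot: A `>-` folded scalar joins its lines with single spaces, so these keys are not the same strings as before: `pytest-${{ matrix.python-version }}-…` becomes `pytest -<python-version> -<os> -…`. Existing caches will no longer be matched, and the keys now contain spaces. If only readability is wanted, keep the value identical with a double-quoted multi-line scalar, where a trailing backslash joins lines without inserting a space, or build the key with `format()`. The same applies to the ruff and pre-commit key hunks in this commit.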
@@ -434,7 +449,10 @@ jobs: uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 with: path: .pre-commit-cache - key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}-${{ hashFiles('pyproject.toml') }} + key: >- + pre-commit + -${{ hashFiles('.pre-commit-config.yaml') }} + -${{ hashFiles('pyproject.toml') }} - env: PRE_COMMIT_HOME: .pre-commit-cache From 456eaf28fa3dee4d267b4dd4dc841a545e1144df Mon Sep 17 00:00:00 2001 From: Ramona T Date: Thu, 12 Mar 2026 14:31:47 -0400 Subject: [PATCH 09/13] fix uv run for REPL --- .github/workflows/python-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python-checks.yml b/.github/workflows/python-checks.yml index f68f62a268..29b3ab7035 100644 --- a/.github/workflows/python-checks.yml +++ b/.github/workflows/python-checks.yml @@ -133,7 +133,7 @@ jobs: env: PARSONS_LIMITED_DEPENDENCIES: 'TRUE' run: | - uv run - " + uv run python -c " import json from build.util import project_wheel_metadata from pathlib import Path From 1607d6cf2c06ba18d35c82ecfd036dace341ffb7 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Thu, 12 Mar 2026 21:43:28 -0400 Subject: [PATCH 10/13] move release.yml to astral-sh/setup-uv --- .github/workflows/release.yml | 60 ++++++++++++++++++++--------------- 1 file changed, 35 insertions(+), 25 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2efba2fada..406a0bd924 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -17,31 +17,37 @@ jobs: build: runs-on: ubuntu-latest + env: + CACHE_GLOBS: | + **/pyproject.toml + **/requirements*.txt + **/setup.py + **/uv.lock + steps: + - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b + with: + disable-sudo: true + egress-policy: audit + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - name: Set up Python 3.13 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 + - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 with: - python-version: "3.13" - cache: pip - - - name: Install uv - uses: install-pinned/uv@4d66dd6355704140c330bc2a2e6291cbf3bcb67f + python-version: 3.13 + activate-environment: true + cache-dependency-glob: ${{ env.CACHE_GLOBS }} - - name: Install parsons - run: >- + - run: >- uv sync --upgrade --all-extras - - name: Build source distribution - run: >- + - run: >- uv build --sdist - - name: Upload dist directory - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f with: name: parsons-dist path: dist/ @@ -65,14 +71,17 @@ jobs: runs-on: ${{ matrix.os }} steps: - - name: Download package - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 + - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b + with: + disable-sudo: true + egress-policy: audit + + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 with: name: parsons-dist path: dist - - name: Extract requirements for cache - shell: bash + - shell: bash run: | file=$(find ./dist -name 'parsons-*.tar.gz' | head -1) 
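Review bot: The `step-security/harden-runner` steps added to release.yml use `egress-policy: audit`, which only records outbound connections; documentation.yml in this series uses `block` with an allow-list. For the job that holds `id-token: write` for publishing (hunk `@@ -109,16 +116,19`), audit mode does nothing to stop a connection to an unexpected destination. Once the audit output has shown which hosts are needed, switch these three steps to `egress-policy: block` with `allowed-endpoints`. Also `python-version: 3.13` is now an unquoted YAML number; quoting it as `"3.13"`, as the removed line did, avoids surprises with versions such as `3.10`.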
@@ -86,14 +95,12 @@ jobs: # Clean up rm -rf temp_extract - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: ${{ matrix.python-version }} cache: pip - - name: Install package - shell: bash + - shell: bash run: | file=$(find ./dist -name 'parsons-*.tar.gz' | head -1) pip install "$file" @@ -109,16 +116,19 @@ jobs: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: + - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b + with: + disable-sudo: true + egress-policy: audit + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - name: Download package - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 with: name: parsons-dist path: dist - - name: Publish - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e + - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e with: verify-metadata: true skip-existing: true From 20792f745242c06974b0fe34b27886ea01b727a8 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Thu, 12 Mar 2026 22:51:27 -0400 Subject: [PATCH 11/13] update documentation.yml --- .github/workflows/documentation.yml | 48 +++++++++++++++++++---------- 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index 0512796b58..1c3fdd08c5 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml 
@@ -10,6 +10,20 @@ on: permissions: read-all +env: + CACHE_GLOBS: | + **/pyproject.toml + **/requirements*.txt + **/setup.py + **/uv.lock + ENDPOINT_WHITELIST: >- + pypi.org:443 + github.com:443 + releases.astral.sh + files.pythonhosted.org:443 + *.github.com:443 + *.githubusercontent.com:443 + jobs: build: runs-on: ubuntu-latest @@ -19,26 +33,24 @@ jobs: with: disable-sudo: true egress-policy: block - allowed-endpoints: > - files.pythonhosted.org:443 - github.com:443 - pypi.org:443 + allowed-endpoints: ${{ env.ENDPOINT_WHITELIST}} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - # If it's a push (main or major-release) or workflow_dispatch, get full history. - fetch-depth: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && 0 || 1 }} + # If it's a pull request, don't get full history. + fetch-depth: ${{ github.event_name == 'pull_request' && 1 || 0 }} - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 + - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 with: - python-version: '3.13' - cache: pip - - - uses: install-pinned/uv@259f91feb61b6e94766d7a1dbcd5f17335370e64 + python-version: 3.13 + activate-environment: true + cache-dependency-glob: ${{ env.CACHE_GLOBS }} - - run: | - uv pip install --system -e .[all] - uv pip install --system -r requirements-dev.txt + - run: >- + uv sync + --upgrade + --no-default-groups + --group docs - name: configure git run: | @@ -49,6 +61,7 @@ jobs: with: path: docs/html key: >- + uv run sphinx -${{ hashFiles('pyproject.toml') }} -${{ hashFiles('setup.py') }} @@ -65,8 +78,8 @@ jobs: deploy: needs: build - # Only run this job if triggered by updating the main branch - if: github.ref == 'refs/heads/main' && github.event_name == 'push' + # Don't run this job on pull requests + if: github.event_name != 'pull_request' runs-on: ubuntu-latest 
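Review bot: The new `ENDPOINT_WHITELIST` is broader than the three hosts it replaces. `*.github.com:443` and `*.githubusercontent.com:443` admit any subdomain, and `*.githubusercontent.com` serves user-supplied content, which weakens what `egress-policy: block` is meant to guarantee. List the specific hosts the job contacts instead. `releases.astral.sh` is also the only entry without a port, so check that harden-runner accepts it in that form or write `releases.astral.sh:443`.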
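Review bot: The line `uv run` added inside the `key: >-` scalar of the docs cache step becomes part of the cache key, giving `uv run sphinx -…`. It looks like a stray edit from converting commands to `uv run`; remove it so the key stays `sphinx -${{ hashFiles('pyproject.toml') }} …`.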
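Review bot: The `deploy` job's condition goes from `github.ref == 'refs/heads/main' && github.event_name == 'push'` to `github.event_name != 'pull_request'`, which drops the branch check. Any other trigger of this workflow, such as a push to another listed branch or a manual dispatch from a non-main ref, would now publish to Pages. The `on:` block is outside the hunk, so check which triggers exist. If the intent is only to allow manual runs, keep the ref guard: `if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'`.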
@@ -82,6 +95,7 @@ jobs: - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: ${{ env.ENDPOINT_WHITELIST}} - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e From e8018d10abecfe155b379a29d0b46d362a480333 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Thu, 12 Mar 2026 22:55:25 -0400 Subject: [PATCH 12/13] update dependency-groups from documentation updates --- .github/dependabot.yml | 3 ++- pyproject.toml | 13 +++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 434f876158..f5dab93751 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,5 +17,6 @@ updates: schedule: interval: weekly ignore: - - dependency-name: ruff - dependency-name: bandit + - dependency-name: ruff + - dependency-name: sphinx-lint diff --git a/pyproject.toml b/pyproject.toml index e8a04e79f0..9d81682381 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -54,13 +54,14 @@ ci = [ "build>=1.4.0", ] docs = [ - "myst-parser==4.0.1", - "sphinxcontrib-googleanalytics==0.5", + "furo~=2025.12.19", + "myst-parser~=4.0.1", + "packaging~=26.0", + "sphinxcontrib-googleanalytics~=0.5", "sphinx-lint==1.0.2", - "sphinx-multiversion==0.2.4", - "sphinx-rtd-theme==3.0.2", - "Sphinx==7.4.7;python_version<'3.11'", - "Sphinx==8.2.3;python_version>='3.11'", + "sphinx-multiversion~=0.2.4", + "Sphinx~=7.4.7;python_version<'3.11'", + "Sphinx~=8.2.3;python_version>='3.11'", ] lint = [ "ruff==0.13.0", From fc4e4b7e15657cb832fad81f0a2ffa8b6ac8ab38 Mon Sep 17 00:00:00 2001 From: Ramona T Date: Thu, 12 Mar 2026 22:57:28 -0400 Subject: [PATCH 13/13] update dependency groups to match requirements-dev versions --- .pre-commit-config.yaml | 2 +- pyproject.toml | 24 ++++++++++++------------ 2 files changed, 13 insertions(+), 13 deletions(-) 
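Review bot: The `docs` group in pyproject.toml moves from exact `==` pins to `~=` ranges, and the following commit does the same for `pre-commit`, `test-coverage` and `test`, although its title says the versions are being matched to requirements-dev, which pinned exactly. Because `uv.lock` is git-ignored and CI syncs with `--upgrade`, these ranges mean new patch releases are picked up on every run with no reviewable change. Either keep `==` here or commit the lockfile so that version changes arrive through a diff.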
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1c5cc2b72d..ea3771f4c4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -15,7 +15,7 @@ repos: - id: ruff-format - repo: https://github.com/PyCQA/bandit - rev: 1.8.6 + rev: 1.9.4 hooks: - id: bandit args: ['--confidence-level', 'medium', '--severity-level', 'medium', '--exclude', '**/vendor/*'] diff --git a/pyproject.toml b/pyproject.toml index 9d81682381..28b60dea9c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -67,25 +67,25 @@ lint = [ "ruff==0.13.0", ] pre-commit = [ - "pre-commit==4.3.0", + "pre-commit~=4.5.1", ] security = [ - "bandit[sarif]==1.8.6", + "bandit[sarif]==1.9.4", ] test-coverage = [ - "coverage==7.13.3", - "pytest-cov==7.0.0", + "coverage~=7.13.3", + "pytest-cov~=7.0.0", {include-group = "test"}, ] test = [ - "pytest==8.4.2", - "pytest-datadir==1.8.0", - "pytest-mock==3.15.1", - "pytest-xdist==3.8.0", - "requests-mock==1.12.1", - "testfixtures==8.3.0;python_version<'3.11'", - "testfixtures==9.1.0;python_version>='3.11'", - "dbt-duckdb==1.8.0", + "pytest~=8.4.2", + "pytest-datadir~=1.8.0", + "pytest-mock~=3.15.1", + "pytest-xdist~=3.8.0", + "requests-mock~=1.12.1", + "testfixtures~=8.3.0;python_version<'3.11'", + "testfixtures~=9.1.0;python_version>='3.11'", + "dbt-duckdb~=1.8.0", ] [tool]