-
Notifications
You must be signed in to change notification settings - Fork 5
Add pyproject.toml, add Python 3.14 support #577
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
1eb0fc3
f647296
8789c38
df1dd84
35cd26c
725fe36
96b161a
66f2e0b
f0beb8a
52e7195
fe1d353
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,26 @@ | ||
| doc | ||
| example | ||
| .github | ||
|
|
||
| # Python build artifacts | ||
| build/ | ||
| dist/ | ||
| *.egg-info/ | ||
| .eggs/ | ||
| *.egg | ||
|
|
||
| # pip cache | ||
| .cache/ | ||
|
|
||
| # Virtual environments | ||
| .venv/ | ||
| venv/ | ||
|
|
||
| # Development artifacts | ||
| __pycache__/ | ||
| *.py[cod] | ||
| *$py.class | ||
|
|
||
| # Poetry | ||
| .poetry/ | ||
| poetry.toml |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,7 +17,7 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.11", "3.12", "3.13"] | ||
| python-version: ["3.11", "3.12", "3.13", "3.14"] | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
@@ -27,22 +27,25 @@ jobs: | |
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
|
|
||
| - name: Install dependencies | ||
| - name: Install Poetry | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install flake8 | ||
| pip install git+https://github.com/TeskaLabs/asab.git | ||
|
|
||
| pip install poetry | ||
|
|
||
| - name: Install lint dependencies | ||
| run: | | ||
| poetry install --no-interaction --only lint | ||
|
|
||
| - name: Lint with flake8 | ||
| run: | | ||
| flake8 seacatauth seacatauth.py | ||
| poetry run flake8 seacatauth seacatauth.py | ||
|
|
||
| test: | ||
| needs: flake8 | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.11", "3.12", "3.13"] | ||
| python-version: ["3.11", "3.12", "3.13", "3.14"] | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
@@ -52,19 +55,18 @@ jobs: | |
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
|
|
||
| - name: Install dependencies | ||
| - name: Install Poetry | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install bson | ||
| pip install pymongo | ||
| pip install bcrypt | ||
| pip install argon2-cffi | ||
| pip install jwcrypto | ||
| pip install "asab[encryption] @ git+https://github.com/TeskaLabs/asab.git" | ||
|
|
||
| pip install poetry | ||
|
|
||
| - name: Install test dependencies | ||
| run: | | ||
| poetry install --no-interaction --only test | ||
|
|
||
| - name: Test with unittest | ||
| run: | | ||
| python3 -m unittest test | ||
| poetry run python -m unittest test | ||
|
|
||
| build: | ||
| needs: test | ||
|
|
@@ -73,7 +75,7 @@ jobs: | |
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Docker Metadata action | ||
| uses: docker/metadata-action@v5 | ||
| id: meta | ||
|
|
@@ -83,13 +85,13 @@ jobs: | |
| type=raw,value=latest | ||
| type=ref,event=tag | ||
| type=semver,pattern={{raw}} | ||
|
|
||
| - name: Login to DockerHub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKER_USER }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
| username: ${{ secrets.DOCKER_USER }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
|
Comment on lines
89
to
+93
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🌐 Web query:
💡 Result: The industry-standard best practice for GitHub Actions is to pin references to a full-length commit SHA rather than a version tag or branch name [1][2][3]. This approach provides security through immutability, ensuring that your workflow consistently runs the exact same code you have reviewed, regardless of changes made to the upstream repository [1][4][5]. Why Pin to a Commit SHA GitHub tags (e.g., Citations:
🌐 Web query:
💡 Result: For the docker/login-action GitHub Action, security best practices focus on minimizing supply chain risk through strict versioning and adhering to secure credential management. Versioning Recommendations To protect against supply chain compromises where malicious code could be injected into action updates, it is highly recommended to pin the action to a specific immutable commit SHA rather than a semantic version tag [1]. While semantic version tags (e.g., v4) are convenient, they are mutable and can be updated by maintainers; pinning to a full-length commit hash ensures that the exact code you have reviewed and tested is always executed [1]. Credential Security Best Practices 1. Use Scoped Credentials: When possible, use the scope input to limit registry credentials to a specific repository or namespace [2][3]. This prevents the action from overriding global Docker credentials, which is particularly useful for maintaining unauthenticated pull capabilities for base images while authenticating only for necessary push operations [2][3]. 2. Prefer Repository Variables for Usernames: Use GitHub Actions variables (vars) for usernames instead of secrets [4]. Secrets are automatically redacted from logs, but using them for non-sensitive data can sometimes lead to excessive masking that obscures useful debugging information; variables provide a clearer, more appropriate storage mechanism for non-sensitive identity information [5][4]. 3. Use Personal Access Tokens (PATs) or GITHUB_TOKEN: - For Docker Hub: Never use your main account password. Always use a dedicated Personal Access Token (PAT) with appropriate, limited scopes [2][6]. - For GitHub Container Registry (ghcr.io): Use the built-in GITHUB_TOKEN, which provides the most secure and streamlined authentication experience for actions within a repository [6][7][8]. 4. Automatic Logout: The action defaults to Citations:
🌐 Web query:
💡 Result: To ensure supply chain integrity in GitHub Actions, the most critical security practice is to pin all third-party actions to their full-length commit SHA [1][2][3]. Why Pinning to SHA is Required Standard Git tags (e.g., Citations:
Pin Line 90 uses a mutable tag ( For maintainability, include the version tag as a comment on the same line so automated dependency tools like Dependabot can keep the SHA updated: Suggested change- uses: docker/login-action@v3
+ uses: docker/login-action@<full-commit-sha> # v3🧰 Tools🪛 zizmor (1.25.2)[error] 90-90: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
|
|
||
| - name: Build and push | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| [build-system] | ||
| requires = ["poetry-core"] | ||
| build-backend = "poetry.core.masonry.api" | ||
|
|
||
| [tool.poetry] | ||
| name = "seacat-auth" | ||
| version = "26.15.0" | ||
| description = "SeaCat Auth is a microservice that provides authentication, authorization, identity management, session management and other access control features." | ||
| readme = "README.md" | ||
| license = "GPL-3.0-or-later" | ||
| authors = ["TeskaLabs Ltd <support@teskalabs.com>"] | ||
| maintainers = ["TeskaLabs Ltd <support@teskalabs.com>"] | ||
| keywords = [ | ||
| "authentication", | ||
| "authorization", | ||
| "identity", | ||
| "session-management", | ||
| "openid-connect", | ||
| "oauth2", | ||
| "rbac", | ||
| "microservice", | ||
| "access-control", | ||
| "webauthn", | ||
| "2fa", | ||
| "mfa", | ||
| ] | ||
| classifiers = [ | ||
| "Development Status :: 5 - Production/Stable", | ||
| "Intended Audience :: Developers", | ||
| "Intended Audience :: System Administrators", | ||
| "License :: OSI Approved :: GNU General Public License v3 (GPLv3)", | ||
| "Operating System :: OS Independent", | ||
| "Programming Language :: Python :: 3", | ||
| "Programming Language :: Python :: 3.11", | ||
| "Programming Language :: Python :: 3.12", | ||
| "Programming Language :: Python :: 3.13", | ||
| "Programming Language :: Python :: 3.14", | ||
| "Topic :: Security", | ||
| "Topic :: Security :: Cryptography", | ||
| "Topic :: System :: Systems Administration :: Authentication/Directory", | ||
| "Topic :: Internet :: WWW/HTTP :: HTTP Servers", | ||
| ] | ||
| packages = [{include = "seacatauth"}] | ||
|
|
||
| [tool.poetry.dependencies] | ||
| python = "^3.11" | ||
| aiohttp = "*" | ||
| aiosmtplib = "*" | ||
| motor = "*" | ||
| cryptography = "*" | ||
| jwcrypto = ">=0.9.1" | ||
| fastjsonschema = "*" | ||
| bcrypt = "*" | ||
| argon2-cffi = "*" | ||
| aiomysql = "*" | ||
| jinja2 = "*" | ||
| pyotp = "*" | ||
| webauthn = "*" | ||
| pyyaml = "*" | ||
| pysaml2 = "*" | ||
| pymongo = "*" | ||
| sentry-sdk = "*" | ||
| asab = {git = "https://github.com/TeskaLabs/asab.git", extras = ["encryption"]} | ||
|
|
||
| # Optional extras (installed via poetry install -E ldap) | ||
| python-ldap = { version = "*", optional = true } | ||
|
|
||
| [tool.poetry.extras] | ||
| ldap = ["python-ldap"] | ||
|
|
||
| # Development dependency groups - these are independent from main deps | ||
| # Use 'poetry install --only lint' to install just flake8 (no main deps!) | ||
| [tool.poetry.group.lint.dependencies] | ||
| flake8 = "*" | ||
|
|
||
| [tool.poetry.group.test.dependencies] | ||
| pymongo = "*" | ||
| bcrypt = "*" | ||
| argon2-cffi = "*" | ||
| jwcrypto = ">=0.9.1" | ||
| asab = {git = "https://github.com/TeskaLabs/asab.git", extras = ["encryption"]} | ||
|
|
||
| [tool.poetry.group.dev.dependencies] | ||
| pytest = "*" | ||
| pytest-asyncio = "*" | ||
|
|
||
| # No CLI entry point defined - the application is started via seacatauth.py | ||
|
|
||
| [tool.poetry.urls] | ||
| "Homepage" = "https://github.com/TeskaLabs/seacat-auth" | ||
| "Documentation" = "https://docs.teskalabs.com/seacat-auth" | ||
| "Docker Image" = "https://hub.docker.com/r/teskalabs/seacat-auth" | ||
| "Changelog" = "https://github.com/TeskaLabs/seacat-auth/blob/main/CHANGELOG.md" | ||
| "Bug Tracker" = "https://github.com/TeskaLabs/seacat-auth/issues" | ||
|
|
||
| [tool.flake8] | ||
| # From setup.cfg - flake8 configuration | ||
| ignore = ["W191", "W503", "E117", "E501", "E303", "E301"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/ci.yml | head -100Repository: TeskaLabs/seacat-auth
Length of output: 2935
Pin Poetry to a fixed version in both CI jobs for reproducible builds.
Poetry is installed without version pinning at lines 33 and 61, which can cause workflows to break when new Poetry versions introduce breaking changes. Pin to a specific tested version.
Suggested change
🤖 Prompt for AI Agents