Back to 1.0.3

Author: nielsweistra

.github/workflows/build-publish.yml

@@ -3,13 +3,22 @@ name: CI - Test and Validate
 on:
   pull_request:
     branches: [ main, develop ]
+    paths:
+      - 'src/**'
+      - 'pyproject.toml'
+      - 'test_sdk.py'
+      - 'tests/**'
+      - 'examples/**'
+      - '.github/workflows/ci.yml'
   push:
-    branches: [ main, develop ]
+    branches: [ main, develop, 'feature/**' ]
     paths: 
       - 'src/**'
       - 'pyproject.toml'
       - 'test_sdk.py'
+      - 'tests/**'
       - 'examples/**'
+      - '.github/workflows/ci.yml'
 
 jobs:
   test:
@@ -26,20 +35,51 @@ jobs:
       with:
         python-version: ${{ matrix.python-version }}
 
+    - name: Cache Python dependencies
+      uses: actions/cache@v3
+      with:
+        path: ~/.cache/pip
+        key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml') }}
+        restore-keys: |
+          ${{ runner.os }}-pip-${{ matrix.python-version }}-
+          ${{ runner.os }}-pip-
+    
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install -e ".[dev]"
     
-    - name: Run validation tests
+    - name: Run SDK validation tests
       run: python test_sdk.py
 
+    - name: Run pytest (if tests exist)
+      run: |
+        if [ -d "tests" ]; then
+          pytest tests/ -v
+        else
+          echo "No pytest directory found, skipping pytest"
+        fi
+    
     - name: Run type checking
       run: mypy src/itl_controlplane_sdk --ignore-missing-imports
 
     - name: Check code formatting
       run: black --check src/ examples/
 
+    - name: Test import and basic functionality
+      run: |
+        python -c "
+        from itl_controlplane_sdk import ResourceProviderRegistry, ResourceProvider
+        from itl_controlplane_sdk.models import ResourceRequest, ProvisioningState
+        print('All imports successful')
+        
+        # Test basic functionality
+        registry = ResourceProviderRegistry()
+        print('Registry creation successful')
+        
+        print('SDK basic functionality test passed')
+        "
+    
     - name: Test examples
       run: |
         cd examples
@@ -65,5 +105,51 @@ jobs:
         python -m venv test-env
         source test-env/bin/activate
         pip install dist/*.whl
-        python -c "from itl_controlplane_sdk import ResourceProviderRegistry; print('✅ Package test successful')"
-        deactivate
+        python -c "from itl_controlplane_sdk import ResourceProviderRegistry; print('Package test successful')"
+        deactivate
+
+  lint-and-security:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+
+    - name: Install security tools
+      run: |
+        python -m pip install --upgrade pip
+        pip install bandit safety pip-audit
+
+    - name: Install package
+      run: |
+        pip install -e ".[dev]"
+
+    - name: Run bandit security linter
+      run: |
+        bandit -r src/ -f json -o bandit-report.json || true
+        bandit -r src/ 
+
+    - name: Run safety check for dependencies
+      run: |
+        safety check --json --output safety-report.json || true
+        safety check
+
+    - name: Run pip-audit for vulnerability scanning
+      run: |
+        pip-audit --format=json --output=audit-report.json || true
+        pip-audit
+
+    - name: Upload security reports
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: security-reports
+        path: |
+          bandit-report.json
+          safety-report.json
+          audit-report.json
+        retention-days: 30

.github/workflows/ci.yml

@@ -0,0 +1,73 @@
+name: Security and Lint Checks
+
+on:
+  push:
+    branches: [ main, develop, 'feature/**' ]
+    paths:
+      - 'src/**'
+      - 'pyproject.toml'
+      - '.github/workflows/security.yml'
+  pull_request:
+    branches: [ main, develop ]
+    paths:
+      - 'src/**'
+      - 'pyproject.toml'
+
+env:
+  PYTHON_VERSION: '3.11'
+
+jobs:
+  security-and-lint:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: ${{ env.PYTHON_VERSION }}
+
+    - name: Cache Python dependencies
+      uses: actions/cache@v3
+      with:
+        path: ~/.cache/pip
+        key: ${{ runner.os }}-pip-${{ env.PYTHON_VERSION }}-security-${{ hashFiles('pyproject.toml') }}
+        restore-keys: |
+          ${{ runner.os }}-pip-${{ env.PYTHON_VERSION }}-security-
+          ${{ runner.os }}-pip-${{ env.PYTHON_VERSION }}-
+
+    - name: Install security tools
+      run: |
+        python -m pip install --upgrade pip
+        pip install bandit safety pip-audit
+
+    - name: Install package
+      run: |
+        pip install -e ".[dev]"
+
+    - name: Run bandit security linter
+      run: |
+        bandit -r src/ -f json -o bandit-report.json || true
+        bandit -r src/ 
+
+    - name: Run safety check for dependencies
+      run: |
+        safety check --json --output safety-report.json || true
+        safety check
+
+    - name: Run pip-audit for vulnerability scanning
+      run: |
+        pip-audit --format=json --output=audit-report.json || true
+        pip-audit
+
+    - name: Upload security reports
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: security-reports
+        path: |
+          bandit-report.json
+          safety-report.json
+          audit-report.json
+        retention-days: 30

.github/workflows/security.yml

@@ -290,4 +290,8 @@ safety-report.txt
 # Local development files
 .dev/
 .local/
-config.local.*
+config.local.*
+
+# Unsorted/draft documentation and analysis
+docs/999-UNSORTED/
+ignore/

.gitignore

@@ -844,6 +844,65 @@ See [PIPELINE_SETUP.md](./PIPELINE_SETUP.md) for complete pipeline documentation
 - [**PyPI Setup Guide**](./.github/PYPI_SETUP.md) - Package publishing configuration
 - [**Examples Directory**](./examples/) - Working code examples and usage patterns
 
+## Versioning and Releases
+
+This project uses **semantic versioning** with **automatic releases on merge** to main/develop.
+
+> **Automatic Releases**: When you merge to `main` or `develop`, versions are automatically bumped and released to PyPI. No manual tagging needed!
+
+### Quick Start
+
+Check current version:
+```bash
+python scripts/version.py --get-version
+```
+
+### How It Works
+
+1. **Push to `develop`** → Auto-bumps patch version (`1.0.0` → `1.0.1`) → Auto-released to PyPI
+2. **Push to `main`** → Auto-bumps minor version (`1.0.1` → `1.1.0`) → Auto-released to PyPI
+3. **Push to `feature/*`** → Dev version only (Test PyPI, no release)
+
+See [AUTO_RELEASE_WORKFLOW.md](AUTO_RELEASE_WORKFLOW.md) for detailed flow.
+
+### Documentation
+
+- **[AUTO_RELEASE_WORKFLOW.md](AUTO_RELEASE_WORKFLOW.md)** - **START HERE** - How automatic releases work
+- **[VERSIONING_QUICKSTART.md](VERSIONING_QUICKSTART.md)** - Quick reference guide
+- **[VERSIONING.md](VERSIONING.md)** - Complete branching strategy and versioning guide
+- **[RELEASE_CHECKLIST.md](RELEASE_CHECKLIST.md)** - Pre-release verification checklist (for manual releases)
+- **[COMMANDS_CHEATSHEET.md](COMMANDS_CHEATSHEET.md)** - Git and version tool commands
+
+### Branch Behavior
+
+| Branch | Auto-Release | Version Format | PyPI | Notes |
+|--------|---|---|---|---|
+| `main` | Yes (Minor bump) | → `1.1.0` | Prod | Feature release |
+| `develop` | Yes (Patch bump) | → `1.0.1` | Prod | Bug fix release |
+| `feature/*` | No | `1.0.1.dev+feature...` | Test | Feature development |
+| Tag `v1.0.0` | Manual | `1.0.0` | Prod | Manual release |
+
+### Version Management Tools
+
+- **Version Script**: [scripts/version.py](scripts/version.py) - Core semantic versioning tool
+- **PowerShell Wrapper**: [scripts/version.ps1](scripts/version.ps1) - Windows convenience script
+- **Bash Wrapper**: [scripts/version.sh](scripts/version.sh) - Linux/macOS convenience script
+
+### CI/CD Pipeline
+
+All pushes trigger automated workflows:
+
+```
+Push to main/develop
+  ↓ Test & Build (1-2 min)
+  ↓ Auto-Tag Job (bumps version, creates git tag)
+  ↓ Release Workflow (triggered by tag)
+  ↓ Publish to PyPI + Create GitHub Release (2 min)
+  DONE (total: 3-5 minutes)
+```
+
+**No manual steps needed for releases!**
+
 ## Support and Contributing
 
 For questions, issues, or contributions:

README.md

@@ -0,0 +1,91 @@
+"""
+Alembic environment configuration for ITL ControlPlane.
+
+Supports both sync and async migrations. Reads the database URL from
+environment variables or falls back to alembic.ini.
+"""
+import os
+import asyncio
+from logging.config import fileConfig
+
+from sqlalchemy import pool
+from sqlalchemy.engine import Connection
+from sqlalchemy.ext.asyncio import async_engine_from_config
+
+from alembic import context
+
+# Import all models so Alembic can detect them
+from itl_controlplane_sdk.storage.models import Base
+
+# Alembic Config object
+config = context.config
+
+# Setup logging
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# Set target metadata for autogenerate
+target_metadata = Base.metadata
+
+
+def get_url() -> str:
+    """Get database URL from environment or config."""
+    host = os.getenv("DATABASE_HOST", "localhost")
+    port = os.getenv("DATABASE_PORT", "5432")
+    db = os.getenv("DATABASE_NAME", "controlplane")
+    user = os.getenv("DATABASE_USER", "controlplane")
+    password = os.getenv("DATABASE_PASSWORD", "devpassword")
+    return f"postgresql+asyncpg://{user}:{password}@{host}:{port}/{db}"
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode — generates SQL without connecting."""
+    url = get_url()
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def do_run_migrations(connection: Connection) -> None:
+    """Run migrations with a live connection."""
+    context.configure(
+        connection=connection,
+        target_metadata=target_metadata,
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+async def run_async_migrations() -> None:
+    """Run migrations in async mode."""
+    configuration = config.get_section(config.config_ini_section, {})
+    configuration["sqlalchemy.url"] = get_url()
+
+    connectable = async_engine_from_config(
+        configuration,
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    async with connectable.connect() as connection:
+        await connection.run_sync(do_run_migrations)
+
+    await connectable.dispose()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode — connects to the database."""
+    asyncio.run(run_async_migrations())
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()