Migrate from pdm to Poetry

.coveragerc

@@ -1,5 +1,5 @@
 [run]
-source = operator-pipeline-images/operatorcert
+source = operatorcert
 omit =
-    operator-pipeline-images/operatorcert/webhook/*
-    operator-pipeline-images/operatorcert/integration/testcases/*
+    operatorcert/webhook/*
+    operatorcert/integration/testcases/*

operator-pipeline-images/.dockerignore → .dockerignore

@@ -1,12 +1,13 @@
+Dockerfile
+
 # Ignoring git and cache folders
 .git
 .github
 .cache
 
 # Ignoring all the markdown and class files
-*.md
 docs
 
 #Ignoring tekton pipeine and ansible tasks
 templates
-ansible
+ansible

.github/dependabot.yml

@@ -8,3 +8,13 @@ updates:
     schedule:
       # Check for updates to GitHub Actions every week
       interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      # Check for updates to Python dependencies every week
+      interval: "weekly"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      # Check for updates to Docker images every week
+      interval: "weekly"

.github/workflows/build-and-test.yml

@@ -20,11 +20,16 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
-      - name: Set up PDM
-        uses: pdm-project/setup-pdm@94a823180e06fcde4ad29308721954a521c96ed0 # v4.4
+      - name: Setup Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.13"
 
+      - name: Set up poetry
+        uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
+        with:
+          poetry-version: "2.3.1"
+
       - name: Install non-python dependencies
         run: |
           sudo apt-get update && sudo apt-get install -y libkrb5-dev
@@ -35,14 +40,14 @@ jobs:
           /home/linuxbrew/.linuxbrew/bin/brew install hadolint
           sudo ln -s /home/linuxbrew/.linuxbrew/bin/hadolint /usr/bin/
 
-      - name: Install Python dependencies
+      - name: Install dependencies
         run: |
-          pdm sync -dG tox
-          pipx install ansible-lint
+          poetry config virtualenvs.in-project true
+          poetry install --no-interaction
 
       - name: Run Tests
         run: |
-          pdm run -v tox
+          poetry run tox
 
   build:
     name: Build and push image
@@ -69,7 +74,7 @@ jobs:
           image: operator-pipelines-images
           tags: ${{ steps.set-vars.outputs.tags }}
           dockerfiles: |
-            ./operator-pipeline-images/Dockerfile
+            ./Dockerfile
 
       - name: Push To quay.io
         id: push-to-quay
@@ -114,7 +119,7 @@ jobs:
           pipx inject ansible-core jmespath openshift pygithub
 
           # Add certificates to trusted list
-          sudo cp  operator-pipeline-images/certs/* /usr/local/share/ca-certificates
+          sudo cp  certs/* /usr/local/share/ca-certificates
           # Rename all .pem files to .crt to allow update-ca-certificates
           for file in /usr/local/share/ca-certificates/*.pem
           do

Dockerfile

@@ -0,0 +1,105 @@
+FROM quay.io/fedora/fedora:42
+
+LABEL description="Cli tools for operator certification pipeline"
+LABEL summary="This image contains tools required for operator bundle certification pipeline."
+
+LABEL org.opencontainers.image.authors="The Collective <exd-guild-isv@redhat.com>" \
+  org.opencontainers.image.url="quay.io/redhat-isv/operator-pipelines-images" \
+  org.opencontainers.image.source="https://github.com/redhat-openshift-ecosystem/operator-pipelines" \
+  org.opencontainers.image.vendor="Red Hat." \
+  org.opencontainers.image.title="Operator certification tools" \
+  org.opencontainers.image.description="Cli tools for operator certification pipeline." \
+  org.opencontainers.image.base.name="quay.io/fedora/fedora:42"
+
+ARG USER_UID=1000
+ARG PODMAN_USER_UID=1001
+ARG ARCH=amd64
+
+USER root
+
+# setup certificates
+COPY certs/* /etc/pki/ca-trust/source/anchors/
+RUN /usr/bin/update-ca-trust
+# This is just a temporary workaround until we figure out how to
+# override CA bundle in OCP
+RUN cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/custom-ca-bundle.crt
+
+ENV REQUESTS_CA_BUNDLE="/etc/pki/tls/certs/custom-ca-bundle.crt"
+
+# Install all system dependencies including Python and development tools
+RUN dnf update -y && \
+  dnf install -y \
+  buildah \
+  cargo \
+  findutils \
+  gcc \
+  gh \
+  git \
+  gnupg2 \
+  jq \
+  krb5-devel \
+  krb5-workstation \
+  libffi-devel \
+  openssl-devel \
+  pinentry \
+  podman \
+  python3 \
+  python3-devel \
+  python3-pip \
+  redhat-rpm-config \
+  skopeo \
+  yamllint && \
+  dnf clean all
+
+COPY config/krb5.conf /etc/krb5.conf
+COPY hacks/retry-command.sh /usr/local/bin/retry
+
+# Install oc, opm and operator-sdk CLI
+RUN curl -LO https://github.com/operator-framework/operator-registry/releases/download/v1.46.0/linux-${ARCH}-opm && \
+  chmod +x linux-${ARCH}-opm && \
+  mv linux-${ARCH}-opm /usr/local/bin/opm && \
+  curl -LO https://mirror.openshift.com/pub/openshift-v4/${ARCH}/clients/ocp/stable-4.20/openshift-client-linux.tar.gz && \
+  tar xzvf openshift-client-linux.tar.gz -C /usr/local/bin oc && \
+  curl -LO https://github.com/operator-framework/operator-sdk/releases/download/v1.36.1/operator-sdk_linux_${ARCH} && \
+  chmod +x operator-sdk_linux_${ARCH} && \
+  mv operator-sdk_linux_${ARCH} /usr/local/bin/operator-sdk
+
+# Create users
+RUN useradd -lms /bin/bash -u "${USER_UID}" user && \
+  useradd -lu "${PODMAN_USER_UID}" podman; \
+  echo podman:10000:5000 >> /etc/subuid; \
+  echo podman:10000:5000 >> /etc/subgid;
+
+WORKDIR /home/user
+
+# Set directory ownership
+RUN chgrp -R 0 /home/user /etc/passwd && \
+  chmod -R g=u /home/user /etc/passwd
+
+# Install Poetry
+RUN pip3 install --no-cache-dir --upgrade poetry==2.3.1
+
+# Copy only dependency files first (better caching)
+COPY pyproject.toml poetry.lock /home/user/
+
+# Configure Poetry for container optimization
+ENV POETRY_VIRTUALENVS_IN_PROJECT=true \
+  POETRY_CACHE_DIR=/tmp/poetry_cache
+
+# Install dependencies in separate layer (cached until deps change)
+RUN poetry install --without dev --no-root && \
+  rm -rf /tmp/poetry_cache
+
+# Copy code AFTER deps (doesn't bust dependency cache)
+COPY operatorcert ./operatorcert
+COPY README.md ./
+
+# Install the package itself (quick since deps already installed)
+RUN poetry install --only-root
+
+# Set up PATH to use the virtual environment
+ENV PATH=/home/user/.venv/bin:$PATH
+
+USER "${USER_UID}"
+
+ENTRYPOINT [ "/usr/bin/sh" ]

Makefile

@@ -81,7 +81,7 @@ build-and-test-isv-fbc-catalog:
 .PHONY: build
 build:
 	@echo "Building..."
-	podman build -t pipelines . -f operator-pipeline-images/Dockerfile
+	podman build -t pipelines . -f Dockerfile
 	@echo "Tagging..."
 	podman tag pipelines $(PIPELINE_IMAGE_REPO):$(TAG)
 	podman push $(PIPELINE_IMAGE_REPO):$(TAG)

docs/developer-guide.md

@@ -13,17 +13,31 @@
 
 ## Setup
 
-1. [Git leaks detection](#git-leaks-detection)
-1. [Prepare a development environment](#prepare-a-development-environment)
-1. [Prepare a certification project](#prepare-a-certification-project)
-1. [Prepare an Operator bundle](#prepare-an-operator-bundle)
-1. [Prepare your `ci.yaml`](#prepare-your-ciyaml)
-1. [Create a bundle pull request](#create-a-bundle-pull-request) (optional)
-   - Required for testing hosted or release pipelines
-1. [Create an API key](#create-an-api-key) (optional)
-   - Required for testing submission with the CI pipeline
-1. [Prepare the CI to run from your fork](ci-cd.md) (optional)
-   - Required to run integration testing on forks of this repo.
+- [Developer Guide](#developer-guide)
+  - [Workflow](#workflow)
+  - [Setup](#setup)
+    - [Git leaks detection](#git-leaks-detection)
+    - [Prepare a Development Environment](#prepare-a-development-environment)
+      - [Integration tests](#integration-tests)
+      - [Install tkn](#install-tkn)
+      - [Using CodeReady Containers](#using-codeready-containers)
+        - [Running a Pipeline with CRC](#running-a-pipeline-with-crc)
+      - [Prepare a Certification Project](#prepare-a-certification-project)
+      - [Prepare an Operator Bundle](#prepare-an-operator-bundle)
+      - [Prepare Your ci.yaml](#prepare-your-ciyaml)
+      - [Create a Bundle Pull Request](#create-a-bundle-pull-request)
+      - [Create an API Key](#create-an-api-key)
+  - [Making Changes to the Pipelines](#making-changes-to-the-pipelines)
+    - [Guiding Principles](#guiding-principles)
+    - [Applying Pipeline Changes](#applying-pipeline-changes)
+  - [Making Changes to the Pipeline Image](#making-changes-to-the-pipeline-image)
+    - [Dependency](#dependency)
+    - [Run Unit Tests, Code Style Checkers, etc.](#run-unit-tests-code-style-checkers-etc)
+      - [Preparation on RPM-based Linux](#preparation-on-rpm-based-linux)
+      - [Preparation on other Linux systems](#preparation-on-other-linux-systems)
+      - [Run the local tests](#run-the-local-tests)
+    - [Local development](#local-development)
+    - [Build \& Push](#build--push)
 
 ### Git leaks detection
 
@@ -280,30 +294,23 @@ oc apply -R -f ansible/roles/operator-pipeline/templates/openshift
 ### Dependency
 
 Operator pipelines project is configured to automatically manage Python
-dependencies using [PDM][1] tool. The pdm automates definition, installation,
+dependencies using [Poetry][1] tool. The poetry automates definition, installation,
 upgrades and the whole lifecycle of dependency in a project. All dependencies
-are stored in `pyproject.toml` file in a groups that corresponds to individual
-applications within the Operator pipelines project.
+are stored in `pyproject.toml` file.
 
 Adding, removing and updating of dependency needs to be always done
-using `pdm` cli.
+using `poetry` cli.
 
 ```bash
-pdm add -G operator-pipelines gunicorn==20.1.0
+poetry add gunicorn==20.1.0
 ```
 
-After a dependency is installed it is added to pdm.lock file. The lock file
+After a dependency is installed it is added to poetry.lock file. The lock file
 is always part of git repository.
 
-If you want to install specific group set of dependencies use following command:
-
-```bash
-pdm install -G operator-pipelines
-```
-
 Dependencies are stored into virtual environment (.venv) which is automatically
-created after `pdm install`. If .venv wasn't created, configure pdm to
-automatically create it during installation with `pdm config python.use_venv true`.
+created after `poetry install`. If .venv wasn't created, configure poetry to
+automatically create it during installation with `POETRY_VIRTUALENVS_IN_PROJECT=true`.
 
 ### Run Unit Tests, Code Style Checkers, etc.
 
@@ -314,9 +321,9 @@ Choose the preparation process according to your Linux version.
 
 ```bash
 sudo dnf -y install hadolint
-python3 -m pip install pdm
-pdm venv create 3.13
-pdm install
+python3 -m pip install poetry
+poetry env use python3.13
+poetry install
 source .venv/bin/activate
 python3 -m pip install ansible-lint
 ```
@@ -327,9 +334,9 @@ Before starting, make sure you have installed the [Brew][2] package manager.
 
 ```bash
 brew install hadolint
-python3 -m pip install pdm
-pdm venv create 3.13
-pdm install
+python3 -m pip install poetry
+poetry env use python3.13
+poetry install
 source .venv/bin/activate
 python3 -m pip install ansible-lint
 ```
@@ -344,11 +351,11 @@ tox
 
 ### Local development
 
-Setup python virtual environment using pdm.
+Setup python virtual environment using poetry.
 
 ```shell
-pdm venv create 3.13
-pdm install
+poetry env use python3.13
+poetry install
 source .venv/bin/activate
 ```
 
@@ -375,5 +382,5 @@ source .venv/bin/activate
     buildah login quay.io
     ```
 
-[1]: https://pdm.fming.dev/latest/
+[1]: https://python-poetry.org
 [2]: https://brew.sh/

docs/users/fbc_autorelease.md

@@ -55,7 +55,7 @@ The `replaces` field is optional and it specifies the bundle that the new bundle
 replaces in the update graph.
 
 ### File structure
-The schema of the file is available here: [release-config.yaml schema](https://github.com/redhat-openshift-ecosystem/operator-pipelines/blob/main/operator-pipeline-images/operatorcert/schemas/release-config-schema.json).
+The schema of the file is available here: [release-config.yaml schema](https://github.com/redhat-openshift-ecosystem/operator-pipelines/blob/main/operatorcert/schemas/release-config-schema.json).
 The schema is validated automatically in the pipeline and the PR will fail with explanations if the file is not valid.
 
 Here is a summary of the file structure:

docs/users/static_checks.md

@@ -139,7 +139,7 @@ including the schema definition can be found [here](./fbc_autorelease.md#release
 
 #### check_schema_operator_ci_config
 The test validates the `ci.yaml` file against the schema. The schema definition can
-be found[here](https://github.com/redhat-openshift-ecosystem/operator-pipelines/blob/main/operator-pipeline-images/operatorcert/schemas/ci-schema.json).
+be found[here](https://github.com/redhat-openshift-ecosystem/operator-pipelines/blob/main/operatorcert/schemas/ci-schema.json).
 
 #### check_catalog_usage_ci_config
 The test makes sure the `fbc.catalog_mapping` in `ci.yaml` file is not mapping a single

docs/webhook-dispatcher.md

@@ -49,7 +49,7 @@ When developers submit operators via pull requests, the dispatcher:
 
 1. Install dependencies:
 ```bash
-pdm install --no-dev
+poetry install
 ```
 
 2. Create database:

local-dev/pip-audit-parse.py

@@ -53,7 +53,7 @@ def parse_vulnerabilities_json(data: Dict[str, Any]) -> bool:
             to_update.add(package["name"])
         console = Console()
         console.print(table)
-        print(f"To fix, run:\npdm update {' '.join(to_update)} --update-reuse")
+        print(f"To fix, run:\npoetry update {' '.join(to_update)} --update-reuse")
         return False
     return True