chore: update with repo template

.github/workflows/ci.yml

@@ -2,7 +2,7 @@
 name: Build & Release
 on:
   push:
-    branches: ['**/**']
+    branches: ['**']
   pull_request:
     branches: [main]
 permissions:
@@ -15,18 +15,41 @@ env:
   REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
   IMAGE_NAME: ${{ github.repository }}  # Image name will be <account>/<repo>
 jobs:
-  release:
+  verify-with-tox:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
-      - id: rp
+      - name: 📄 Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 0
+      - name: 🧱 Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python3 -
+      - name: 🧱 Setup Python
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
+        with:
+          python-version: '3.13'
+          cache: poetry
+      - name: 🧱 Install dependencies
+        run: poetry install --all-extras
+      - name: 🧪 Run tests
+        run: poetry run tox
+      - name: Docker Hadolint
+        uses: hadolint/hadolint-action@d292784f8f3eacda47060b259a580467b0ba410c
+        with:
+          format: tty
+  release-please:
+    needs: verify-with-tox
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - id: release
         if: github.event_name != 'pull_request' && github.ref_name == 'main'
-        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f  # v4
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f  # v4.1.3
         with:
           release-type: simple
           include-v-in-tags: false
       - name: Log into registry ${{ env.REGISTRY }}
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ env.REGISTRY_USERNAME }}
@@ -35,11 +58,11 @@ jobs:
         id: tags
         env:
           # When release-please is skipped, these values will be empty
-          is_release: ${{ steps.rp.outputs.release_created }}
-          version: v${{ steps.rp.outputs.major }}.${{ steps.rp.outputs.minor }}.${{ steps.rp.outputs.patch }}
+          release_created: ${{ steps.release.outputs.release_created }}
+          version: ${{ steps.release.outputs.version }}
         run: |
           tags=""
-          if [[ "$is_release" = 'true' ]]; then
+          if [[ "$release_created" = 'true' ]]; then
             tags="type=semver,pattern={{version}},value=$version
           type=semver,pattern={{major}},value=$version
           type=semver,pattern={{major}}.{{minor}},value=$version"
@@ -54,16 +77,16 @@ jobs:
           } >> "$GITHUB_OUTPUT"
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96  # v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96  # v5.6.1
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: ${{ steps.tags.outputs.tags }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf  # v3
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a  # v3.3.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5  # v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5  # v3.8.0
       - name: Build and push
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355  # v6
+        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d  # v6.12.0
         with:
           context: .
           provenance: false

.github/workflows/pr.yml

@@ -10,12 +10,12 @@ jobs:
     name: Check commit messages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           fetch-depth: 0
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
           cache: pip  # caching pip dependencies
       - run: pip install commitizen

.gitignore

@@ -1,35 +1,171 @@
-# Compiled class file
-*.class
+# Manually added from https://raw.githubusercontent.com/github/gitignore/master/Python.gitignore
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
 
-# Log file
-*.log
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
 
-# BlueJ files
-*.ctxt
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
 
-# Mobile Tools for Java (J2ME)
-.mtj.tmp/
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
 
-# Package Files #
-*.jar
-*.war
-*.nar
-*.ear
-*.zip
-*.tar.gz
-*.rar
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
 
-# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
-hs_err_pid*
-replay_pid*
-.idea/*
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
 
-# code style config
-!.idea/codeStyles
-.idea/codeStyles/*
-!.idea/codeStyles/Project.xml
-!.idea/codeStyles/codeStyleConfig.xml
+# Flask stuff:
+instance/
+.webassets-cache
 
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
 target/
-*.iml
-dependency-reduced-pom.xml
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
+.pdm.toml
+.pdm-python
+.pdm-build/
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# ruff
+.ruff_cache/
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+# .idea/
+
+# Additonal not included in Python.gitignore
+.idea/
+.vscode/
+junittest.xml

.pre-commit-config.yaml

@@ -15,6 +15,7 @@ repos:
       - id: trailing-whitespace
       - id: check-xml
       - id: check-json
+      - id: check-toml
       - id: check-yaml
       - id: no-commit-to-branch
       - id: mixed-line-ending
@@ -31,8 +32,28 @@ repos:
         entry: \b([uUeE]{1,2})\d{5,6}\b
         language: pygrep
         types: [text]
+  - repo: local
+    hooks:
+      - id: mypy
+        name: mypy
+        entry: poetry run mypy
+        language: system
+        types: [python]
+        exclude: (^tests/)
+        args: [--config-file, pyproject.toml]
+        require_serial: true  # Serial processing is required for mypy (better performance and error reporting)
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.9.2
+    hooks:
+      - id: ruff-format
+      - id: ruff
+  - repo: https://github.com/python-poetry/poetry
+    rev: 2.0.1
+    hooks:
+      - id: poetry-lock
+      - id: poetry-check
   - repo: https://github.com/zricethezav/gitleaks
-    rev: v8.22.1
+    rev: v8.23.1
     hooks:
       - id: gitleaks
   - repo: https://github.com/grigoriev/pre-commit-check-git-user

CONTRIBUTING.md

@@ -79,11 +79,11 @@ Before you submit your Pull Request (PR) consider the following guidelines:
   is necessary because release notes are automatically generated from these messages.
 
      ```shell
-     git commit -a -S
+     git commit -a --gpg-sign
      ```
   Note: The optional commit `-a` command line option will automatically "add" and "rm" edited files.
 
-  Note: The command line option `-S` generates a signed commit, which is required to make a contribution (See [Developer Certificate of Origin](./LICENSES/DCO.txt))
+  Note: The command line option `-S/--gpg-sign` generates a signed commit, which is required to make a contribution (See [Developer Certificate of Origin](./LICENSES/DCO.txt))
 
 * Push your branch to GitHub:
 

Dockerfile

@@ -1,10 +1,19 @@
-FROM python:3.13.1-slim@sha256:f41a75c9cee9391c09e0139f7b49d4b1fbb119944ec740ecce4040626dc07bed
+# hadolint global ignore=DL3008
+FROM python:3.13.1-slim@sha256:23a81be7b258c8f516f7a60e80943cace4350deb8204cf107c7993e343610d47
 LABEL maintainer="SBB Polarion Team <[email protected]>"
 
 ARG APP_IMAGE_VERSION=0.0.0-dev
 
 RUN apt-get update && \
-    apt-get --yes --no-install-recommends install chromium dbus fonts-dejavu fonts-liberation libpango-1.0-0 libpangoft2-1.0-0 python3-brotli python3-cffi vim && \
+    apt-get --yes --no-install-recommends install \
+    chromium dbus \
+    fonts-dejavu \
+    fonts-liberation \
+    libpango-1.0-0 \
+    libpangoft2-1.0-0 \
+    python3-brotli \
+    python3-cffi \
+    vim && \
     apt-get clean autoclean && \
     apt-get --yes autoremove && \
     rm -rf /var/lib/apt/lists/*
@@ -15,8 +24,8 @@ ENV WEASYPRINT_SERVICE_VERSION=${APP_IMAGE_VERSION}
 
 WORKDIR ${WORKING_DIR}
 
-RUN BUILD_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") && \
-    echo ${BUILD_TIMESTAMP} > "${WORKING_DIR}/.build_timestamp"
+RUN BUILD_TIMESTAMP="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" && \
+    echo "${BUILD_TIMESTAMP}" > "${WORKING_DIR}/.build_timestamp"
 
 COPY requirements.txt ${WORKING_DIR}/requirements.txt
 

LICENSES/SBB.txt

@@ -1,4 +1,5 @@
 Copyright 2024 SBB AG and contributors
+Version 1.0
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.