Merge pull request #311 from dbatten5/fix-ci

Fix ci

.github/workflows/tests.yml

@@ -23,12 +23,10 @@ jobs:
           - { python: "3.11", os: ubuntu-latest, session: "mypy" }
           - { python: "3.10", os: ubuntu-latest, session: "mypy" }
           - { python: "3.9", os: ubuntu-latest, session: "mypy" }
-          - { python: "3.8", os: ubuntu-latest, session: "mypy" }
           - { python: "3.11", os: ubuntu-latest, session: "tests" }
           - { python: "3.10", os: ubuntu-latest, session: "tests" }
           - { python: "3.9", os: ubuntu-latest, session: "tests" }
-          - { python: "3.8", os: ubuntu-latest, session: "tests" }
-          - { python: "3.11", os: windows-latest, session: "tests" }
+          # - { python: "3.11", os: windows-latest, session: "tests" }
           # - { python: "3.11", os: macos-latest, session: "tests" }
           - { python: "3.11", os: ubuntu-latest, session: "typeguard" }
           - { python: "3.11", os: "ubuntu-latest", session: "docs-build" }
@@ -62,14 +60,16 @@ jobs:
               print(f"VIRTUALENV_PIP={pip.__version__}", file=io)
 
       - name: Install Poetry
+        working-directory: ${{ github.workspace }}
         run: |
-          pipx install --pip-args=--constraint=.github/workflows/constraints.txt poetry
+          cat .github/workflows/constraints.txt
+          pipx install "--pip-args=--constraint=$GITHUB_WORKSPACE/.github/workflows/constraints.txt" poetry
           poetry --version
 
       - name: Install Nox
         run: |
-          pipx install --pip-args=--constraint=.github/workflows/constraints.txt nox
-          pipx inject --pip-args=--constraint=.github/workflows/constraints.txt nox nox-poetry
+          pipx install "--pip-args=--constraint=$GITHUB_WORKSPACE/.github/workflows/constraints.txt" nox
+          pipx inject "--pip-args=--constraint=$GITHUB_WORKSPACE/.github/workflows/constraints.txt" nox nox-poetry
           nox --version
 
       - name: Compute pre-commit cache key
@@ -133,13 +133,13 @@ jobs:
 
       - name: Install Poetry
         run: |
-          pipx install --pip-args=--constraint=.github/workflows/constraints.txt poetry
+          pipx install "--pip-args=--constraint=$GITHUB_WORKSPACE/.github/workflows/constraints.txt" poetry
           poetry --version
 
       - name: Install Nox
         run: |
-          pipx install --pip-args=--constraint=.github/workflows/constraints.txt nox
-          pipx inject --pip-args=--constraint=.github/workflows/constraints.txt nox nox-poetry
+          pipx install "--pip-args=--constraint=$GITHUB_WORKSPACE/.github/workflows/constraints.txt" nox
+          pipx inject "--pip-args=--constraint=$GITHUB_WORKSPACE/.github/workflows/constraints.txt" nox nox-poetry
           nox --version
 
       - name: Download coverage data

.pre-commit-config.yaml

@@ -39,8 +39,3 @@ repos:
         language: system
         types: [text]
         stages: [commit, push, manual]
-  - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v2.3.0
-    hooks:
-      - id: prettier
-        exclude_types: [markdown]

.safety-policy.yml

@@ -0,0 +1,88 @@
+# Safety Security and License Configuration file
+# We recommend checking this file into your source control in the root of your Python project
+# If this file is named .safety-policy.yml and is in the same directory where you run `safety check` it will be used by default.
+# Otherwise, you can use the flag `safety check --policy-file <path-to-this-file>` to specify a custom location and name for the file.
+# To validate and review your policy file, run the validate command: `safety validate policy_file --path <path-to-this-file>`
+project: # Project to associate the scans with on pyup.io.
+  id: ""
+security: # configuration for the `safety check` command
+  ignore-unpinned-requirements: True # This will ignore dependencies found in requirement files without a pinned specification. Like requests or requests>=0 or django>=2.2
+  ignore-cvss-severity-below: 0 # A severity number between 0 and 10. Some helpful reference points: 9=ignore all vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except CRITICAL & HIGH severity. 4=ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity.
+  ignore-cvss-unknown-severity: False # True or False. We recommend you set this to False.
+  ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period)
+    # We recommend making use of the optional `reason` and `expires` keys for each vulnerability that you ignore.
+    70612:
+      reason: The affected spec is >=0 which doesn't seem right
+      expires: '2025-06-15'
+  continue-on-vulnerability-error: False # Suppress non-zero exit codes when vulnerabilities are found. Enable this in pipelines and CI/CD processes if you want to pass builds that have vulnerabilities. We recommend you set this to False.
+alert: # configuration for the `safety alert` command
+  security:
+    # Configuration specific to Safety's GitHub Issue alerting
+    github-issue:
+      # Same as for security - these allow controlling if this alert will fire based
+      # on severity information.
+      # default: not set
+      # ignore-cvss-severity-below: 6
+      # ignore-cvss-unknown-severity: False
+
+      # Add a label to pull requests with the cvss severity, if available
+      # default: true
+      # label-severity: True
+
+      # Add a label to pull requests, default is 'security'
+      # requires private repo permissions, even on public repos
+      # default: security
+      # labels:
+      #  - security
+
+      # Assign users to pull requests, default is not set
+      # requires private repo permissions, even on public repos
+      # default: empty
+      # assignees:
+      #  - example-user
+
+      # Prefix to give issues when creating them. Note that changing
+      # this might cause duplicate issues to be created.
+      # default: "[PyUp] "
+      # issue-prefix: "[PyUp] "
+
+    # Configuration specific to Safety's GitHub PR alerting
+    github-pr:
+      # Same as for security - these allow controlling if this alert will fire based
+      # on severity information.
+      # default: not set
+      # ignore-cvss-severity-below: 6
+      # ignore-cvss-unknown-severity: False
+
+      # Set the default branch (ie, main, master)
+      # default: empty, the default branch on GitHub
+      branch: ""
+
+      # Add a label to pull requests with the cvss severity, if available
+      # default: true
+      # label-severity: True
+
+      # Add a label to pull requests, default is 'security'
+      # requires private repo permissions, even on public repos
+      # default: security
+      # labels:
+      #  - security
+
+      # Assign users to pull requests, default is not set
+      # requires private repo permissions, even on public repos
+      # default: empty
+      # assignees:
+      #  - example-user
+
+      # Configure the branch prefix for PRs created by this alert.
+      # NB: Changing this will likely cause duplicate PRs.
+      # default: pyup/
+      branch-prefix: pyup/
+
+      # Set a global prefix for PRs
+      # default: "[PyUp] "
+      pr-prefix: "[PyUp] "
+security-updates: # configuration for the `safety check --apply-security-updates` command
+  auto-security-updates-limit:
+    # A list of allowed values: major, minor, patch
+    - patch

docs/conf.py

@@ -1,4 +1,5 @@
 """Sphinx configuration."""
+
 project = "Maison"
 author = "Dom Batten"
 copyright = "2021, Dom Batten"  # noqa: A001

noxfile.py

@@ -1,4 +1,5 @@
 """Nox sessions."""
+
 import os
 import shutil
 import sys
@@ -21,7 +22,7 @@
 
 
 package = "maison"
-python_versions = ["3.11", "3.10", "3.9", "3.8"]
+python_versions = ["3.11", "3.10", "3.9"]
 nox.needs_version = ">= 2021.6.6"
 nox.options.sessions = (
     "pre-commit",
@@ -110,7 +111,9 @@ def safety(session: Session) -> None:
     """Scan dependencies for insecure packages."""
     requirements = session.poetry.export_requirements()
     session.install("safety")
-    session.run("safety", "check", "--full-report", f"--file={requirements}")
+    session.run(
+        "safety", "check", "--full-report", f"--file={requirements}", "--ignore=70612"
+    )
 
 
 @session(python=python_versions)