enpaul/vault2vault
1
0
Fork 0
mirror of https://github.com/enpaul/vault2vault.git synced 2024-11-21 17:46:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4 from enpaul/enp/ci

Browse Source 
Fix CI
This commit is contained in:
Ethan Paul 2023-03-29 20:17:40 -04:00 committed by GitHub
commit 90e4a32753
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 2158 additions and 1447 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
.github/scripts/setup-env.sh vendored
View File

@ -4,11 +4,13 @@
# to create a repeatable local environment for tests to be run in. The python env # to create a repeatable local environment for tests to be run in. The python env
# this script creates can be accessed at the location defined by the CI_VENV variable # this script creates can be accessed at the location defined by the CI_VENV variable
# below. # below.
#
# POETRY_VERSION can be set to install a specific version of Poetry
set -e; set -e;
CI_CACHE=$HOME/.cache; CI_CACHE=$HOME/.cache;
POETRY_VERSION=1.1.12; INSTALL_POETRY_VERSION="${POETRY_VERSION:-1.3.2}";
mkdir --parents "$CI_CACHE"; mkdir --parents "$CI_CACHE";
@ -20,15 +22,16 @@ curl --location https://install.python-poetry.org \
--silent \ --silent \
--show-error; --show-error;
python "$CI_CACHE/install-poetry.py" \ python "$CI_CACHE/install-poetry.py" \
--version "$POETRY_VERSION" \ --version "$INSTALL_POETRY_VERSION" \
--yes; --yes;
poetry --version --no-ansi; poetry --version --no-ansi;
poetry run pip --version; poetry run pip --version;
poetry install \ poetry install \
--quiet \ --sync \
--remove-untracked \ --no-ansi \
--no-ansi; --no-root \
--only ci;
poetry env info; poetry env info;
poetry run tox --version; poetry run tox --version;

37
.github/workflows/ci.yaml vendored
View File

@ -5,14 +5,16 @@ on:
types: ["opened", "synchronize"] types: ["opened", "synchronize"]
push: push:
branches: ["devel"] branches: ["devel"]
env:
POETRY_VERSION: 1.4.1
jobs: jobs:
Test: Test:
name: Python ${{ matrix.python.version }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
fail-fast: true
matrix: matrix:
python: python:
- version: "3.6"
toxenv: py36
- version: "3.7" - version: "3.7"
toxenv: py37 toxenv: py37
- version: "3.8" - version: "3.8"
@ -21,15 +23,19 @@ jobs:
toxenv: py39 toxenv: py39
- version: "3.10" - version: "3.10"
toxenv: py310 toxenv: py310
- version: "3.11"
toxenv: py311
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Install Python ${{ matrix.python.version }} - name: Install Python ${{ matrix.python.version }}
uses: actions/setup-python@v1 uses: actions/setup-python@v4
with: with:
python-version: ${{ matrix.python.version }} python-version: ${{ matrix.python.version }}
- name: Configure Job Cache - name: Configure Job Cache
uses: actions/cache@v2 uses: actions/cache@v3
with: with:
path: | path: |
~/.cache/pip ~/.cache/pip
@ -39,38 +45,49 @@ jobs:
# will be invalidated, and thus all packages will be redownloaded, if the # will be invalidated, and thus all packages will be redownloaded, if the
# lockfile is updated # lockfile is updated
key: ${{ runner.os }}-${{ matrix.python.toxenv }}-${{ hashFiles('**/poetry.lock') }} key: ${{ runner.os }}-${{ matrix.python.toxenv }}-${{ hashFiles('**/poetry.lock') }}
- name: Configure Path - name: Configure Path
run: echo "$HOME/.local/bin" >> $GITHUB_PATH run: echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Configure Environment - name: Configure Environment
run: .github/scripts/setup-env.sh run: .github/scripts/setup-env.sh
- name: Run Toxenv ${{ matrix.python.toxenv }} - name: Run Toxenv ${{ matrix.python.toxenv }}
run: poetry run tox -e ${{ matrix.python.toxenv }} run: poetry run tox -e ${{ matrix.python.toxenv }}
Check: Check:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Install Python 3.8
uses: actions/setup-python@v1 - name: Install Python 3.10
uses: actions/setup-python@v4
with: with:
python-version: 3.8 python-version: "3.10"
- name: Configure Job Cache - name: Configure Job Cache
uses: actions/cache@v2 uses: actions/cache@v3
with: with:
path: | path: |
~/.cache/pip ~/.cache/pip
~/.cache/pypoetry/cache ~/.cache/pypoetry/cache
~/.poetry ~/.poetry
# Hardcoded 'py38' slug here lets this cache piggyback on the 'py38' cache # Hardcoded 'py310' slug here lets this cache piggyback on the 'py310' cache
# that is generated for the tests above # that is generated for the tests above
key: ${{ runner.os }}-py38-${{ hashFiles('**/poetry.lock') }} key: ${{ runner.os }}-py310-${{ hashFiles('**/poetry.lock') }}
- name: Configure Path - name: Configure Path
run: echo "$HOME/.local/bin" >> $GITHUB_PATH run: echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Configure Environment - name: Configure Environment
run: .github/scripts/setup-env.sh run: .github/scripts/setup-env.sh
- name: Run Static Analysis Checks - name: Run Static Analysis Checks
run: poetry run tox -e static run: poetry run tox -e static
- name: Run Static Analysis Checks (Tests) - name: Run Static Analysis Checks (Tests)
run: poetry run tox -e static-tests run: poetry run tox -e static-tests
- name: Run Security Checks - name: Run Security Checks
run: poetry run tox -e security run: poetry run tox -e security

1
.pylintrc
View File

@ -11,7 +11,6 @@
# --disable=W" # --disable=W"
disable=logging-fstring-interpolation disable=logging-fstring-interpolation
,logging-format-interpolation ,logging-format-interpolation
,bad-continuation
,line-too-long ,line-too-long
,ungrouped-imports ,ungrouped-imports
,typecheck ,typecheck

4
CHANGELOG.md
View File

@ -18,8 +18,8 @@ View this release on: [Github](https://github.com/enpaul/vault2vault/releases/ta
- Fix bug causing stack trace when the same vaulted block appears in a YAML file more than - Fix bug causing stack trace when the same vaulted block appears in a YAML file more than
once once
- Fix bug where the `--ignore-undecryptable` option was not respected for vaulted variables - Fix bug where the `--ignore-undecryptable` option was not respected for vaulted
in YAML files variables in YAML files
- Update logging messages and levels to improve verbose output - Update logging messages and levels to improve verbose output
## Version 0.1.0 ## Version 0.1.0

15
CODE_OF_CONDUCT.md
View File

@ -27,9 +27,10 @@ Examples of unacceptable behavior include:
- The use of sexualized language or imagery, and sexual attention or advances of any kind - The use of sexualized language or imagery, and sexual attention or advances of any kind
- Trolling, insulting or derogatory comments, and personal or political attacks - Trolling, insulting or derogatory comments, and personal or political attacks
- Public or private harassment - Public or private harassment
- Publishing others' private information, such as a physical or email address, without their - Publishing others' private information, such as a physical or email address, without
explicit permission their explicit permission
- Other conduct which could reasonably be considered inappropriate in a professional setting - Other conduct which could reasonably be considered inappropriate in a professional
setting
## Enforcement Responsibilities ## Enforcement Responsibilities
@ -52,8 +53,8 @@ offline event.
## Enforcement ## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the
community leaders responsible for enforcement at \[INSERT CONTACT METHOD\]. All community leaders responsible for enforcement at \[INSERT CONTACT METHOD\]. All complaints
complaints will be reviewed and investigated promptly and fairly. will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the reporter of All community leaders are obligated to respect the privacy and security of the reporter of
any incident. any incident.
@ -105,8 +106,8 @@ toward or disparagement of classes of individuals.
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0, This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0,
available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
Community Impact Guidelines were inspired by [Mozilla's code of conduct Community Impact Guidelines were inspired by
enforcement ladder](https://github.com/mozilla/diversity). [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
For answers to common questions about this code of conduct, see the FAQ at For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/faq. Translations are available at

2
Makefile
View File

@ -33,7 +33,7 @@ test: ## Run the project testsuite(s)
poetry run tox --recreate --parallel poetry run tox --recreate --parallel
dev: ## Create the local dev environment dev: ## Create the local dev environment
poetry install poetry install --with dev --extras ansible --sync
poetry run pre-commit install poetry run pre-commit install
publish: test wheel source ## Build and upload to pypi (requires $PYPI_API_KEY be set) publish: test wheel source ## Build and upload to pypi (requires $PYPI_API_KEY be set)

18
README.md
View File

@ -30,10 +30,9 @@ terminal. Whatever, these things happen.
The built-in tool Ansible provides, The built-in tool Ansible provides,
[`ansible-vault rekey`](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html#rekey), [`ansible-vault rekey`](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html#rekey),
suffers from two main drawbacks: first, it only works on vault encrypted files and not on suffers from two main drawbacks: first, it only works on vault encrypted files and not on
vault encrypted YAML data; and second, it only works on a single vault encrypted file at vault encrypted YAML data; and second, it only works on a single vault encrypted file at a
a time. To rekey everything in a large project you'd need to write a script that time. To rekey everything in a large project you'd need to write a script that recursively
recursively goes through every file and rekeys every encrypted file and YAML variable all goes through every file and rekeys every encrypted file and YAML variable all at once.
at once.
This is that script. This is that script.
@ -58,8 +57,8 @@ install `vault2vault` using [PipX](https://pypa.github.io/pipx/) and the `ansibl
pipx install vault2vault[ansible] pipx install vault2vault[ansible]
``` ```
> Note: vault2vault requires an Ansible installation to function. If you are installing to a > Note: vault2vault requires an Ansible installation to function. If you are installing to
> standalone virtual environment (like with PipX) then you must install it with the > a standalone virtual environment (like with PipX) then you must install it with the
> `ansible` extra to ensure a version of Ansible is available to the application.\*\* > `ansible` extra to ensure a version of Ansible is available to the application.\*\*
## Usage ## Usage
@ -117,8 +116,8 @@ data successfully rekeyed and the other half not.
In the spirit of the In the spirit of the
[Unix philosophy](https://hackaday.com/2018/09/10/doing-one-thing-well-the-unix-philosophy/) [Unix philosophy](https://hackaday.com/2018/09/10/doing-one-thing-well-the-unix-philosophy/)
this tool does not include any built-in way to recover from this state. However, it can this tool does not include any built-in way to recover from this state. However, it can be
be done very effectively using a version control tool. done very effectively using a version control tool.
If you are using Git to track your project files then you can use the command If you are using Git to track your project files then you can use the command
`git reset --hard` to restore all files to the state of the currently checked out commit. `git reset --hard` to restore all files to the state of the currently checked out commit.
@ -160,7 +159,8 @@ roadmap focuses on stability and user experience ahead of a 1.0 release.
## Developer Documentation ## Developer Documentation
All project contributors and participants are expected to adhere to the All project contributors and participants are expected to adhere to the
[Contributor Covenant Code of Conduct, v2](CODE_OF_CONDUCT.md) ([external link](https://www.contributor-covenant.org/version/2/0/code_of_conduct/)). [Contributor Covenant Code of Conduct, v2](CODE_OF_CONDUCT.md)
([external link](https://www.contributor-covenant.org/version/2/0/code_of_conduct/)).
The `devel` branch has the latest (and potentially unstable) changes. The stable releases The `devel` branch has the latest (and potentially unstable) changes. The stable releases
are tracked on [Github](https://github.com/enpaul/vault2vault/releases), are tracked on [Github](https://github.com/enpaul/vault2vault/releases),

3415
poetry.lock generated
View File

File diff suppressed because it is too large Load Diff

57
pyproject.toml
View File

@ -22,11 +22,11 @@ classifiers = [
"Natural Language :: English", "Natural Language :: English",
"Operating System :: OS Independent", "Operating System :: OS Independent",
"Programming Language :: Python :: 3", "Programming Language :: Python :: 3",
"Programming Language :: Python :: 3.6",
"Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.7",
"Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.8",
"Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.9",
"Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.10",
"Programming Language :: Python :: 3.11",
"Programming Language :: Python :: Implementation :: CPython" "Programming Language :: Python :: Implementation :: CPython"
] ]
@ -37,30 +37,43 @@ vault2vault = "vault2vault:main"
ansible = ["ansible-core"] ansible = ["ansible-core"]
[tool.poetry.dependencies] [tool.poetry.dependencies]
python = "^3.6.1" python = "^3.7"
"ruamel.yaml" = "^0.17.16" "ruamel.yaml" = "^0.17.16"
ansible-core = {version = "^2.11.5", optional = true} ansible-core = {version = "^2.11.5", optional = true}
[tool.poetry.dev-dependencies] [tool.poetry.group.dev.dependencies]
bandit = "^1.6.2" black = {version = "^23.1.0", python = "^3.10"}
black = { version = "^21.9b0", allow-prereleases = true, python = "^3.7" } blacken-docs = {version = "^1.13.0", python = "^3.10"}
blacken-docs = "^1.8.0" ipython = {version = "^8.10.1", python = "^3.10"}
ipython = { version = "^7.18.1", python = "^3.7" } mdformat = {version = "^0.7.16", python = "^3.10"}
mypy = "^0.800" mdformat-gfm = {version = "^0.3.5", python = "^3.10"}
pre-commit = "^2.7.1" mypy = {version = "^1.1.1", python = "^3.10"}
pre-commit-hooks = "^3.3.0" pre-commit = {version = "^2.7.1", python = "^3.10"}
pylint = "^2.4.4" pre-commit-hooks = {version = "^3.3.0", python = "^3.10"}
pytest = "^6.0.2" pylint = {version = "^2.4.4", python = "^3.10"}
pytest-cov = "^2.10.1" reorder-python-imports = {version = "^2.3.5", python = "^3.10"}
reorder-python-imports = "^2.3.5" types-toml = {version = "^0.10.4", python = "^3.10"}
safety = "^1.9.0" # Implicit python version check fails for this one
toml = "^0.10.1" packaging = {version = "^23.0", python = "^3.10"}
tox = "^3.20.0"
tox-poetry-installer = { version = "^0.8.1", extras = ["poetry"] } [tool.poetry.group.security.dependencies]
types-toml = "^0.10.4" bandit = {version = "^1.6.2", python = "^3.10"}
mdformat = "^0.6.4" safety = {version = "^2.2.0", python = "^3.10"}
mdformat-gfm = "^0.2" poetry = {version = "^1.2.0", python = "^3.10"}
[tool.poetry.group.test.dependencies]
pytest = {version = "^6.0.2"}
pytest-cov = {version = "^2.10.1"}
toml = {version = "^0.10.1"}
typing-extensions = {version = "^4.5.0", python = "^3.8"}
[tool.poetry.group.ci.dependencies]
tox = {version = "^3.20.0"}
tox-poetry-installer = {version = "^0.10.1", extras = ["poetry"]}
# This doesn't get installed under py3.7 for some reason, but it's
# required for poetry. Will need to debug this more in the future
backports-cached-property = "^1.0.2"
[build-system] [build-system]
requires = ["poetry-core>=1.0.0"] requires = ["poetry-core>=1.1.0"]
build-backend = "poetry.core.masonry.api" build-backend = "poetry.core.masonry.api"

43
tox.ini
View File

@ -1,5 +1,5 @@
[tox] [tox]
envlist = py36, py37, py38, py39, py310, static, static-tests, security envlist = py3{7-11}, static, static-tests, security
isolated_build = true isolated_build = true
skip_missing_interpreters = true skip_missing_interpreters = true
@ -9,10 +9,8 @@ require_locked_deps = true
require_poetry = true require_poetry = true
extras = extras =
ansible ansible
locked_deps = poetry_dep_groups =
pytest test
pytest-cov
toml
commands = commands =
pytest {toxinidir}/tests/ \ pytest {toxinidir}/tests/ \
--cov vault2vault \ --cov vault2vault \
@ -21,20 +19,11 @@ commands =
[testenv:static] [testenv:static]
description = Static formatting and quality enforcement description = Static formatting and quality enforcement
basepython = python3.8 basepython = python3.10
platform = linux platform = linux
ignore_errors = true ignore_errors = true
locked_deps = poetry_dep_groups =
black dev
blacken-docs
mdformat
mdformat-gfm
mypy
reorder-python-imports
pre-commit
pre-commit-hooks
pylint
types-toml
commands = commands =
pre-commit run \ pre-commit run \
--all-files --all-files
@ -46,7 +35,7 @@ commands =
[testenv:static-tests] [testenv:static-tests]
description = Static formatting and quality enforcement for the tests description = Static formatting and quality enforcement for the tests
basepython = python3.8 basepython = python3.10
platform = linux platform = linux
ignore_errors = true ignore_errors = true
locked_deps = locked_deps =
@ -63,14 +52,12 @@ commands =
[testenv:security] [testenv:security]
description = Security checks description = Security checks
basepython = python3.8 basepython = python3.10
platform = linux platform = linux
ignore_errors = true ignore_errors = true
skip_install = true skip_install = true
locked_deps = poetry_dep_groups =
bandit security
safety
poetry
commands = commands =
bandit {toxinidir}/vault2vault.py \ bandit {toxinidir}/vault2vault.py \
--recursive \ --recursive \
@ -82,8 +69,14 @@ commands =
poetry export \ poetry export \
--format requirements.txt \ --format requirements.txt \
--output {envtmpdir}/requirements.txt \ --output {envtmpdir}/requirements.txt \
--without-hashes \ --without-hashes
--dev # For now these groups are disabled until this bug is resolved
# in poetry-plugin-export:
# https://github.com/python-poetry/poetry-plugin-export/issues/176
# --with dev \
# --with ci \
# --with security \
# --with test
safety check \ safety check \
--file {envtmpdir}/requirements.txt \ --file {envtmpdir}/requirements.txt \
--json --json