2.0.0

.github/actions/apt_requirements/restore_apt_cache/README.md

@@ -0,0 +1,29 @@
+# Composite action restore APT cache
+
+This action restores an APT cache from GitHub's cache.
+
+Combined with [**save_apt_cache**](../save_apt_cache/README.md), it helps save time by avoiding the download of APT requirements.
+
+The action is composed of five steps:
+
+1. **Compute APT requirements files SHA256 hash** - This step uses [**misc/compute_files_hash**](../../misc/compute_files_hash/README.md) action to compute a single SHA256 hash of the APT requirements file described by the *apt_rquirements_file_path* input variable. The computed SHA256 hash will be part of the cache key.
+2. **Backup `/var/cache/apt/archives permissions`** - This step backs up the permissions associated to the `/var/cache/apt/archives` directory. So, after restoring the APT cache they can be restored to the original ones.
+3. **Add write permissions for all to `/var/cache/apt/archives`** - This step sets the write permission to the `/var/cache/apt/archives`. This is crucial because the [**cache/restore**](https://github.com/actions/cache/blob/main/restore/README.md) GitHub's action needs to be able to write to it. Without setting the correct write permission, a permission error is raised.
+4. **Restore APT cache** - This step restores the APT cache. It uses the GitHub's [**cache/restore**](https://github.com/actions/cache/blob/main/restore/README.md) action with the following parameters:
+   * **path** - A list of files, directories, or paths to restore - set to `/var/cache/apt/archives/*.deb`.
+   * **key** - An explicit key for a cache entry - set to the combination of three strings:
+      * *git_reference*, provided as an input to the action.
+      * A static part, `-apt-`
+      * The previously computed SHA256 hash of the APT requirements file.
+5. **Restore original permissions to `/var/cache/apt/archives` and delete backup** - This step restore the original permissions to the `/var/cache/apt/archives` directory. Finally, the backup file is deleted.
+
+## Documentation
+
+### Inputs
+
+* **apt_requirements_file_path** - Required - Path to the APT requirements file. It will be used to compute a SHA256 hash used in the cache key.
+* **git_reference** - Optional - A git reference that will be used to build the cache key. It defaults to `github.ref_name` which is a context variable containing **the short ref name of the branch or tag that triggered the workflow run**. For example it may be `feature-branch-1` or, for pull requests, `<pr_number>/merge`.
+
+### Outputs
+
+* **cache-hit** - A boolean value which is true when APT cache is found in the GitHub's cache, false otherwise.

.github/actions/apt_requirements/restore_apt_cache/action.yml

@@ -0,0 +1,64 @@
+name: Composite action restore APT cache
+description: Composite action to restore APT cache
+inputs:
+  apt_requirements_file_path:
+    description: Path to the APT requirements file
+    required: true
+  git_reference:
+    description: A git reference (name of the branch, reference to the PR) that will be used to build the cache key.
+    required: false
+    default: ${{ github.ref_name }}
+
+outputs:
+  cache-hit:
+    description: Whether the APT cache was found in the GitHub's cache or not.
+    value: ${{ steps.restore_apt_cache.outputs.cache-hit }}
+
+
+runs:
+  using: "composite"
+  steps:
+    - name: Compute APT requirements file SHA256 hash
+      id: compute_apt_requirements_file_sha256_hash
+      uses: ./.github/actions/misc/compute_files_hash
+      with:
+        file_paths: ${{ inputs.apt_requirements_file_path }}
+
+    - name: Backup /var/cache/apt/archives permissions
+      id: backup_apt_cache_dir_permissions
+      run: |
+        PERMISSIONS_FILE_PATH="/tmp/apt_cache_dir_permissions.facl"
+        echo "apt_cache_dir_permissions_file=$PERMISSIONS_FILE_PATH" > $GITHUB_OUTPUT
+        sudo getfacl -p /var/cache/apt/archives > $PERMISSIONS_FILE_PATH
+        ARCHIVES_PERMISSIONS=$(ls -ld /var/cache/apt/archives)
+        echo "::debug::Original permissions given to /var/cache/apt/archives: $ARCHIVES_PERMISSIONS"
+        echo "::debug::Created /var/cache/apt/archives permissions backup to $PERMISSIONS_FILE_PATH"
+      shell: bash
+
+    # Vital to be able to restore cache
+    # If write permission is not set, a permissions error will be raised
+    - name: Add write permission for all to /var/cache/apt/archives
+      run: |
+        sudo chmod a+w /var/cache/apt/archives
+        ARCHIVES_NEW_PERMISSIONS=$(ls -ld /var/cache/apt/archives)
+        echo "::debug::New permissions given to /var/cache/apt/archives: $ARCHIVES_NEW_PERMISSIONS"
+      shell: bash
+
+    - name: Restore APT cache
+      uses: actions/cache/restore@v4
+      id: restore_apt_cache
+      with:
+        path: /var/cache/apt/archives/*.deb
+        key: ${{ inputs.git_reference }}-apt-${{ steps.compute_apt_requirements_file_sha256_hash.outputs.computed_hash }}
+
+    - name: Restore original permissions to /var/cache/apt/archives and delete backup
+      run: |
+        PERMISSIONS_FILE_PATH=${{ steps.backup_apt_cache_dir_permissions.outputs.apt_cache_dir_permissions_file }}
+        sudo setfacl --restore="$PERMISSIONS_FILE_PATH"
+        ARCHIVES_RESTORED_PERMISSIONS=$(ls -ld /var/cache/apt/archives)
+        echo "::debug::Restored original permissions to /var/cache/apt/archives: $ARCHIVES_RESTORED_PERMISSIONS"
+        if [[ -f "$PERMISSIONS_FILE_PATH" ]]; then
+          sudo rm "$PERMISSIONS_FILE_PATH"
+          echo "::debug::Correctly removed $PERMISSIONS_FILE_PATH permissions backup file"
+        fi
+      shell: bash

.github/actions/apt_requirements/save_apt_cache/README.md

@@ -0,0 +1,22 @@
+# Composite action save APT cache
+
+This action saves the APT cache, almost always located at `/var/cache/apt/archives/*.deb` to the GitHub's cache.
+
+Combined with [**restore_apt_cache**](../restore_apt_cache/README.md) helps save time by avoiding the download of APT requirements.
+
+The action is composed of two steps:
+
+1. **Compute APT requirements file SHA256 hash** - This step uses the [**misc/compute_files_hash**](../../misc/compute_files_hash/README.md) action to compute the SHA256 hash of the APT requriments file that will be part of the cache key.
+2. **Save APT cache** - This step does the real caching on GitHub. The GitHub's [**cache/save**](https://github.com/actions/cache/blob/main/save/README.md) is used with the following parameters:
+   1. **path** - A list of files, directories, or paths to cache - set to `/var/cache/apt/archives/*.deb` to save all `*.deb` files in APT cache.
+   2. **key** - An explicit key for a cache entry - set to the combination of three strings:
+      1. *git_reference*, provided as an input to the action.
+      2. A static part, `-apt-`
+      3. The previously computed SHA256 hash of the APT requirements file.
+
+## Documentation
+
+### Inputs
+
+* **apt_requirements_file_path** - Required - Path to the APT requirements file. It will be used to compute a SHA256 hash used in the cache key.
+* **git_reference** - Optional - A git reference that will be used to build the cache key. It defaults to `github.ref_name` which is a context variable containing **the short ref name of the branch or tag that triggered the workflow run**. For example it may be `feature-branch-1` or, for pull requests, `<pr_number>/merge`.

.github/actions/apt_requirements/save_apt_cache/action.yml

@@ -0,0 +1,24 @@
+name: Composite action save APT cache
+description: Composite action to save APT cache
+inputs:
+  apt_requirements_file_path:
+    description: Path to the APT requirements file
+    required: true
+  git_reference:
+    description: A git reference (name of the branch, reference to the PR) that will be used to build the cache key.
+    required: false
+    default: ${{ github.ref_name }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Compute APT requiremments file SHA256 hash
+      id: compute_apt_requirements_file_sha256_hash
+      uses: ./.github/actions/misc/compute_files_hash
+      with:
+        file_paths: ${{ inputs.apt_requirements_file_path }}
+    - name: Save APT cache
+      uses: actions/cache/save@v4
+      with:
+        path: /var/cache/apt/archives/*.deb
+        key: ${{ inputs.git_reference }}-apt-${{ steps.compute_apt_requirements_file_sha256_hash.outputs.computed_hash }}

.github/actions/codeql/action.yml

@@ -12,13 +12,12 @@ runs:
   using: "composite"
   steps:
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ inputs.language }}
-        setup-python-dependencies: false
         source-root: ${{ inputs.working_directory }}
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
 
 

.github/actions/misc/compute_files_hash/README.md

@@ -0,0 +1,18 @@
+# Composite action compute files hash
+
+This action computes a single SHA256 hash of one or more files.
+Given a **space separated list of file paths**, a new file is created by concatenating all those files together. Then the SHA256 hash of the newly created file is computed and returned as the output.
+
+Before being joined together, each file is tested to ensure that it **exists** and that it is **a regular file**.
+
+This action is useful when saving/restoring a cache in which a unique key is required. As a matter of fact, the hash is used as a part of the hash key.
+
+## Documentation
+
+### Inputs
+
+* `file_paths` - Mandatory - Space separated list of file paths for which a single SHA256 hash will be computed.
+
+### Outputs
+
+* `computed_hash` - A SHA256 hash of the file obtained by joining (concatenating) all input files together.

.github/actions/misc/compute_files_hash/action.yml

@@ -0,0 +1,40 @@
+name: Composite action compute files hash
+description: Composite action to compute a single hash of one or more files
+inputs:
+  file_paths:
+    description: Space separeted list of files for which a single SHA256 hash will be computed.
+    required: true
+
+outputs:
+  computed_hash:
+    description: The hash of the concatenated files
+    value: ${{ steps.compute_files_sha256_hash.outputs.computed_hash }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Compute files SHA256 hash
+      id: compute_files_sha256_hash
+      run: |
+        if [[ -z '${{ inputs.file_paths }}' ]]; then
+          echo "::error::file_paths cannot be empty!"
+          exit 1
+        fi
+        JOINED_FILES="cat "
+        # Create a bash array of file paths
+        for file in ${{ inputs.file_paths }};
+        do
+          if [[ -f $file ]]; then
+            # Concat file path to cat command
+            JOINED_FILES+="$file "
+            echo "::debug::Current file is $file"
+            echo "::debug::JOINED_FILES variable state is $JOINED_FILES"
+          else
+            echo "::error::$file does not exist or it is not a regular file!"
+            exit 1
+          fi
+        done
+        COMPUTED_HASH=$($JOINED_FILES | sha256sum | cut -d ' ' -f 1)
+        echo "::debug::Hash is $COMPUTED_HASH"
+        echo "computed_hash=$COMPUTED_HASH" >> $GITHUB_OUTPUT
+      shell: bash

.github/actions/push_on_ecr/action.yml

@@ -0,0 +1,56 @@
+name: Composite action push on ecr
+description: Composite action push on ecr
+inputs:
+  repository:
+    description: Repository name
+    required: true
+  dockerfile:
+    description: Path for dockerfile from working directory
+    required: true
+  working_directory:
+    description: Docker build context
+    required: true
+
+  aws_account_id:
+    description: Aws User code
+    required: true
+  aws_access_key:
+    description: Aws access key
+    required: true
+  aws_secret_access_key:
+    description: Aws secret access key
+    required: true
+  image_tag:
+    description: Directory that must be run against the linters
+    required: true
+
+  aws_region:
+    description: Aws region
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: ${{ inputs.aws_region}}
+        aws-access-key-id: ${{ inputs.aws_access_key }}
+        aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
+
+    - name: Login to Amazon ECR Private
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v2
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build and push
+      uses: docker/build-push-action@v5
+      with:
+        context: ${{ inputs.working_directory }}
+        push: true
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        tags: ${{inputs.aws_account_id}}.dkr.ecr.${{inputs.aws_region}}.amazonaws.com/${{ inputs.repository }}:${{ inputs.image_tag }}
+        file: ${{ inputs.working_directory }}/${{ inputs.dockerfile }}

.github/actions/python_linter/action.yml

@@ -5,6 +5,12 @@ inputs:
     description: Directory that must be run against the linters
     required: true
 
+  use_autoflake:
+    description: Use autoflake
+    required: true
+  use_bandit:
+    description: Use bandit linter
+    required: true
   use_black:
     description: Use black formatter
     required: true
@@ -17,11 +23,11 @@ inputs:
   use_pylint:
     description: Use pylint linter
     required: true
-  use_bandit:
-    description: Use bandit linter
+  use_ruff_formatter:
+    description: Use ruff formatter
     required: true
-  use_autoflake:
-    description: Use autoflake
+  use_ruff_linter:
+    description: Use ruff linter
     required: true
 
 runs:
@@ -66,19 +72,16 @@ runs:
         else
             echo "Skipping isort linter"
         fi
-
       working-directory: ${{ inputs.working_directory }}
       shell: bash
 
-
     - name: bandit
       run: |
         if [[ ${{inputs.use_bandit }} != 'false' ]]; then
           bandit . -r -c ${GITHUB_WORKSPACE}/.github/configurations/python_linters/.bandit.yaml
         else
             echo "Skipping bandit linter"
         fi
-
       working-directory: ${{ inputs.working_directory }}
       shell: bash
 
@@ -90,4 +93,24 @@ runs:
             echo "Skipping autoflake"
         fi
       working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: ruff formatter
+      run: |
+        if [[ ${{ inputs.use_ruff_formatter }} != 'false' ]]; then
+          ruff format --config ${GITHUB_WORKSPACE}/.github/configurations/python_linters/.ruff.toml --diff .
+        else
+          echo "Skipping ruff formatter"
+        fi
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: ruff linter
+      run: |
+        if [[ ${{ inputs.use_ruff_linter }} != 'false' ]]; then
+          ruff check --config ${GITHUB_WORKSPACE}/.github/configurations/python_linters/.ruff.toml .
+        else
+          echo "Skipping ruff linter"
+        fi
+      working-directory: ${{ inputs.working_directory }}
       shell: bash

.github/actions/python_requirements/create_dev_requirements_file/README.md

@@ -0,0 +1,13 @@
+# Composite action create Python dev requirements file
+
+This action creates the `requirements-dev.txt` file which will contain all **development dependencies**.
+
+As of today, the only development dependency supported is `coverage`.
+
+## Documentation
+
+### Inputs
+
+* **install_from** - Optional - The path used as working directory when creating the `requirements-dev.txt` file. It defaults to the current directory (i.e. `.`).
+* **project_dev_requirements_file** - Optional - The path of a project `requirements-dev.txt`. This was designed in case development requirements other than coverage are required. If specified, the dependencies in the project `requirements-dev.txt` will be appended in the newly created `requirements-dev.txt`. **Be careful: if a relative path is used this will depend on *install_from*.** Defaults to empty strings, and hence **no custom `requirements-dev.txt`**.
+* **use_coverage** - Optional - Whether to use coverage or not. It defaults to false.