build: modernize python stack

.envrc

@@ -0,0 +1,4 @@
+has nix && use flake
+watch_file *.nix
+dotenv_if_exists .env # You can create a .env file with your env vars for this project. You can also use .secrets if you are using act. See the line below.
+dotenv_if_exists .secrets # Used by [act](https://nektosact.com/) to load secrets into the pipelines

.github/workflows/ci-master-scheduled.yml → .github/workflows/ci-master-scheduled.yaml

@@ -8,47 +8,36 @@ on:
 jobs:
   scheduled-test:
     strategy:
-      max-parallel: 1
+      max-parallel: 3
       fail-fast: false
       matrix:
         python_version:
           # https://python-release-cycle.glitch.me/
-          - "3.7"
-          - "3.8"
-          - "3.9"
           - "3.10"
           - "3.11"
+          - "3.12"
+          - "3.13"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/setup-python@v4
+      - name: Setup python
+        uses: actions/setup-python@v5
         with:
-          python-version: ${{ matrix.python_version }}
+          python-version: "${{ matrix.python_version }}"
 
-      - name: Install Poetry
-        run: python -m pip install poetry poetry-dynamic-versioning
-
-      - uses: actions/cache@v3
-        name: Cache Poetry dependencies
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
         with:
-          path: |
-            ~/.cache
-            ~/.local/share/virtualenvs/
-          key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-poetry-
-
-      - name: Get dependencies
-        run: poetry install
+            python-version: "${{ matrix.python_version }}"
+            enable-cache: true
+            version: "0.8.7"
 
       - name: Lint
         continue-on-error: true
         run: |
           # stop the build if there are Python syntax errors or undefined names
-          poetry run flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
-          # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-          poetry run flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+          uvx ruff check . --fix --statistics --config ruff.toml --exclude specs
 
       - name: Travis Test - Start agent
         id: start_agent
@@ -59,11 +48,6 @@ jobs:
           sudo apt-get install linux-headers-$(uname -r) dkms gcc-multilib g++-multilib
           ./test/start_agent.sh
 
-      - name: Travis Test - Install dependencies
-        run: |
-          poetry build
-          python -m pip install $(find dist -iname "*.whl" | head -1)
-
       - name: Travis Test - Secure APIs
         env:
           PYTHON_SDC_TEST_API_TOKEN: ${{ secrets.STAGING_SECURE_API_TOKEN }}
@@ -75,7 +59,7 @@ jobs:
           SDC_SECURE_TOKEN: ${{ secrets.STAGING_SECURE_API_TOKEN }}
           SDC_MONITOR_URL: "https://app-staging.sysdigcloud.com"
           SDC_SECURE_URL: "https://secure-staging.sysdig.com"
-        run: poetry run mamba -f documentation
+        run: uv run -- mamba -f documentation
 
       - name: Travis Test - Stop agent
         run: ./test/stop_agent.sh

.github/workflows/ci-pull-request.yaml

@@ -0,0 +1,138 @@
+name: CI - Pull Request
+
+on:
+  pull_request:
+    branches:
+    - master
+
+jobs:
+  test:
+    needs:
+      - test-release
+    strategy:
+      max-parallel: 3
+      fail-fast: true
+      matrix:
+        python_version:
+          # https://python-release-cycle.glitch.me/
+          - "3.10"
+          - "3.11"
+          - "3.12"
+          - "3.13"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Setup python
+      uses: actions/setup-python@v5
+      with:
+        python-version: "${{ matrix.python_version }}"
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v6
+      with:
+        python-version: "${{ matrix.python_version }}"
+        enable-cache: true
+        cache-dependency-glob: "uv.lock"
+        version: "0.8.7"
+
+    - name: Lint
+      run: |
+        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
+        uvx ruff check . --fix --statistics --config ruff.toml --exclude specs
+
+    - name: Test in staging
+      env:
+        SDC_MONITOR_TOKEN: ${{ secrets.STAGING_MONITOR_API_TOKEN }}
+        SDC_SECURE_TOKEN: ${{ secrets.STAGING_SECURE_API_TOKEN }}
+        SDC_MONITOR_URL: "https://app-staging.sysdigcloud.com"
+        SDC_SECURE_URL: "https://secure-staging.sysdig.com"
+      run: uv run mamba -f documentation -t integration
+
+  test-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup go-chglog
+        working-directory: /tmp
+        env:
+          VERSION: "0.10.0"
+        run: |
+          wget https://github.com/git-chglog/git-chglog/releases/download/v${VERSION}/git-chglog_${VERSION}_linux_amd64.tar.gz
+          gunzip git-chglog_${VERSION}_linux_amd64.tar.gz
+          tar -xvf git-chglog_${VERSION}_linux_amd64.tar
+          sudo mv git-chglog /usr/local/bin/
+
+      - name: Generate changelog
+        run: git-chglog -c .github/git-chglog/config.yml -o RELEASE_CHANGELOG.md $(git describe --tags $(git rev-list --tags --max-count=1))
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          python-version: "3.10"
+          enable-cache: true
+          version: "0.8.7"
+
+      - name: Build
+        run: uv build
+  check_version:
+    name: Check Version
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: write # required for creating a tag
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.sha }} # required for better experience using pre-releases
+          fetch-depth: '0' # Required due to the way Git works, without it this action won't be able to find any or the correct tags
+
+      - name: Extract current version
+        id: pyproject_version
+        run: |
+          TAG=v$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
+          echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Get branch ref name
+        id: branch_ref
+        run: |
+          BRANCH_NAME=${{ github.base_ref || github.ref_name }}
+          echo "$BRANCH_NAME"
+          echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
+
+      - name: Get tag version
+        id: semantic_release
+        uses: anothrNick/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: "patch"
+          TAG_CONTEXT: 'repo'
+          WITH_V: true
+          DRY_RUN: true
+
+      - name: Compare versions
+        run: |
+          echo "Current version: ${{ steps.pyproject_version.outputs.TAG }}"
+          echo "New version: ${{ steps.semantic_release.outputs.tag }}"
+          if [ "${{ steps.pyproject_version.outputs.TAG }}" != "${{ steps.semantic_release.outputs.tag }}" ]; then
+            echo "### Version mismatch detected! :warning:
+            Current pyproject version: ${{ steps.pyproject_version.outputs.TAG }}
+            New Tag version: **${{ steps.semantic_release.outputs.tag }}**
+            Current Tag: ${{ steps.semantic_release.outputs.old_tag }}
+            Please update the version in pyproject.toml." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "### Version match confirmed! :rocket:
+            Current pyproject version: ${{ steps.pyproject_version.outputs.TAG }}
+            New Tag version: **${{ steps.semantic_release.outputs.tag }}**
+            The version is up-to-date." >> $GITHUB_STEP_SUMMARY
+          fi

.github/workflows/codeql-analysis.yml → .github/workflows/codeql-analysis.yaml

@@ -43,18 +43,18 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/release.yml → .github/workflows/release.yaml

@@ -4,7 +4,7 @@ on:
   push:
     tags:
       - v*
-
+  workflow_dispatch:
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -48,14 +48,19 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
-          python-version: 3.8
+          python-version: "3.10"
 
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install poetry poetry-dynamic-versioning
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+            python-version: "3.10"
+            enable-cache: true
+            cache-dependency-glob: "uv.lock"
+            version: "0.8.7"
 
       - name: Build and publish
-        run: poetry publish --build -u ${{ secrets.PYPI_USER }} -p ${{ secrets.PYPI_PASSWORD }}
+        run: |
+          uv build
+          uv publish -u ${{ secrets.PYPI_USER }} -p ${{ secrets.PYPI_PASSWORD }}