port to binny and uv management

Signed-off-by: Alex Goodman <[email protected]>

.binny.yaml

@@ -0,0 +1,40 @@
+tools:
+  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
+  - name: binny
+    version:
+      want: v0.9.0
+    method: github-release
+    with:
+      repo: anchore/binny
+
+  # used for running all local and CI tasks
+  - name: task
+    version:
+      want: v3.41.0
+    method: github-release
+    with:
+      repo: go-task/task
+
+  # used for showing the changelog at release
+  - name: glow
+    version:
+      want: v2.0.0
+    method: github-release
+    with:
+      repo: charmbracelet/glow
+
+  # used at release to generate the changelog
+  - name: chronicle
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/chronicle
+
+  # used at release to generate the changelog
+  - name: crane
+    version:
+      want: v0.20.3
+    method: github-release
+    with:
+      repo: google/go-containerregistry

.github/actions/bootstrap/action.yaml

@@ -11,14 +11,10 @@ inputs:
     # note: the caller really drives this in a matrix strategy run for unit tests.
     # this default value is used for the rest of the workflow.
     default: "3.11"
-  poetry-version:
-    description: "Poetry version to install"
+  uv-version:
+    description: "UV version to install"
     required: true
-    default: "2.0.0"
-  use-poetry-cache:
-    description: "Restore poetry cache"
-    required: true
-    default: "true"
+    default: "0.5.16"
   go:
     description: "Install go"
     required: true
@@ -39,36 +35,17 @@ runs:
   using: "composite"
   steps:
 
-    # note: go mod and build is automatically cached on default with v4+
-    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 #v5.3.0
       with:
         go-version: ${{ inputs.go-version }}
 
-    - uses: actions/setup-python@v4
+    - uses: astral-sh/setup-uv@v5
       with:
-        python-version: ${{ inputs.python-version }}
-
-    - name: Install poetry
-      shell: bash
-      run: |
-        python -m pip install poetry==${{ inputs.poetry-version }}
-        poetry self add "poetry-dynamic-versioning[plugin]"
+        enable-cache: true
 
-    - name: Cache Poetry virtualenv
-      uses: actions/cache@v3
-      if: inputs.use-poetry-cache == 'true'
-      id: cache
+    - uses: actions/setup-python@v4
       with:
-        path: ~/.virtualenvs
-        key: ${{ inputs.cache-key-prefix }}-python-${{ inputs.python-version }}-poetry-${{ inputs.poetry-version }}-${{ hashFiles('poetry.lock') }}
-        restore-keys: |
-          ${{ inputs.cache-key-prefix }}-python-${{ inputs.python-version }}-poetry-${{ inputs.poetry-version }}
-
-    - name: Setup Poetry config
-      shell: bash
-      run: |
-        poetry config virtualenvs.in-project false
-        poetry config virtualenvs.path ~/.virtualenvs
+        python-version: ${{ inputs.python-version }}
 
     - name: Restore tool cache
       id: tool-cache
@@ -89,9 +66,9 @@ runs:
       run: |
         DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y ${{ inputs.bootstrap-apt-packages }}
 
-    - name: Install dependencies and package
+    - name: Install project + dependencies
       shell: bash
-      run: poetry install
+      run: uv sync --all-extras --dev
 
     - name: Restore tox cache
       id: cache-tox

.github/actions/quality-gate/action.yaml

@@ -8,18 +8,17 @@ inputs:
 runs:
   using: "composite"
   steps:
-    # assume we have python and poetry installed
+    # assume we have python and uv installed
 
     - name: Capture vulnerability results
       shell: bash
       working-directory: tests/quality
-      run: poetry run make capture provider=${{ inputs.provider }}
-
+      run: make capture provider=${{ inputs.provider }}
 
     - name: Validate provider results
       shell: bash
       working-directory: tests/quality
-      run: poetry run make validate provider=${{ inputs.provider }}
+      run: make validate provider=${{ inputs.provider }}
 
     - name: Archive the provider state (${{ inputs.provider }})
       if: ${{ failure() }}
@@ -54,8 +53,7 @@ runs:
 
         Now you can debug the provider with yardstick:
         \`\`\`bash
-        poetry shell
-        yardstick result list
-        yardstick label explore
+        uv run yardstick result list
+        uv run yardstick label explore
         \`\`\`
         EOF

.github/dependabot.yml

@@ -1,9 +1,18 @@
 version: 2
 updates:
+
   - package-ecosystem: "github-actions"
-    directory: "/"
+    open-pull-requests-limit: 10
+    directory: "/.github/actions/bootstrap"
     schedule:
-      interval: daily
+      interval: "daily"
+
+  - package-ecosystem: "github-actions"
+    open-pull-requests-limit: 10
+    directory: "/.github/workflows"
+    schedule:
+      interval: "daily"
+
   - package-ecosystem: "pip"
     directory: "/"
     schedule:

.github/scripts/dev-shell.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 DEV_VUNNEL_PROVIDERS=$@
 GRYPE_CONFIG=$(pwd)/.grype.yaml
 GRYPE_DB_CONFIG=$(pwd)/.grype-db.yaml
-DEV_POETRY_ENV_PATH=$(poetry env info --path)
+DEV_PYTHON_ENV_PATH=$(pwd)/.venv
 
 BOLD="\033[1m"
 UNDERLINE="\033[4m"
@@ -85,8 +85,8 @@ for provider in $DEV_VUNNEL_PROVIDERS; do
 done
 export GRYPE_DB_CONFIG
 
-step "Activating poetry virtual env: $DEV_POETRY_ENV_PATH"
-source "$DEV_POETRY_ENV_PATH/bin/activate"
+step "Activating virtual env: $DEV_PYTHON_ENV_PATH"
+source "$DEV_PYTHON_ENV_PATH/bin/activate"
 
 pids=""
 

.github/workflows/nightly-quality-gate.yaml

@@ -28,7 +28,7 @@ jobs:
         id: determine-providers
         run: |
           # select all providers as test subjects (this populates the matrix downstream)
-          content=`cd tests/quality && poetry run make all-providers`
+          content=`cd tests/quality && make all-providers`
           echo $content
           echo "providers=$content" >> $GITHUB_OUTPUT
 

.github/workflows/pr-quality-gate.yaml

@@ -31,10 +31,10 @@ jobs:
         run: |
           # be nice to folks troubleshooting in CI...
           cd tests/quality
-          poetry run make show-changes
+          make show-changes
 
           # determine which providers to run (to later populate the matrix)
-          content=`poetry run make select-providers`
+          content=`make select-providers`
           echo $content
           echo "providers=$content" >> $GITHUB_OUTPUT
 

.github/workflows/release.yaml

@@ -99,8 +99,11 @@ jobs:
     needs:
       - tag
     runs-on: ubuntu-22.04
+    environment: release
     permissions:
       contents: read
+      # required to authenticate with PyPI via OIDC token
+      id-token: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
@@ -110,10 +113,9 @@ jobs:
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
 
+      # note: authentication is via the OIDC token
       - name: Publish to PyPI
         run: make ci-publish-pypi
-        env:
-          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.VUNNEL_PYPI_TOKEN }}
 
   release-docker:
     needs:

.github/workflows/validations.yaml

@@ -26,11 +26,11 @@ jobs:
         uses: ./.github/actions/bootstrap
 
       - name: Run static analysis
-        run: poetry run make static-analysis
+        run: make static-analysis
 
-      # - name: Ensure quality gate tools are properly configured
-      #   run: |
-      #     cd tests/quality && make validate-test-tool-versions
+      - name: Ensure quality gate tools are properly configured
+        run: |
+          cd tests/quality && make validate-test-tool-versions
 
   Test:
     runs-on: ubuntu-22.04
@@ -57,10 +57,10 @@ jobs:
           python-version: ${{ matrix.python.version }}
 
       - name: Run unit tests
-        run: poetry run tox -e ${{ matrix.python.toxEnv }}
+        run: uv run tox -e ${{ matrix.python.toxEnv }}
 
       - name: Build assets
-        run: poetry run make build
+        run: make build
 
   # this is to help facilitate ensuring all checks have run with the checks API for release
   # see https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
@@ -69,7 +69,7 @@ jobs:
     if: ${{ always() }}
     runs-on: ubuntu-22.04
     name: Test Gate
-    needs: [test]
+    needs: [Test]
     steps:
       - run: |
           result="${{ needs.Test.result }}"
@@ -101,13 +101,7 @@ jobs:
           echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io --username ${{ github.actor }} --password-stdin
 
       - name: Build assets
-        run: poetry run make build
+        run: make build
 
       - name: Publish commit image
         run: make ci-publish-commit
-
-      - name: Publish to test PyPI
-        run: make ci-publish-testpypi
-        env:
-          # note: "..._TESTPYPI" suffix should match the name of the testpypi repository (see the Makefile target)
-          POETRY_PYPI_TOKEN_TESTPYPI: ${{ secrets.TEST_PYPI_TOKEN }}

.gitignore

@@ -1,5 +1,8 @@
+# tools
 .mise.toml
+.tool/
 
+# development config and assets
 .vunnel.yaml
 .grype-db.yaml
 .grype.yaml
@@ -8,14 +11,17 @@
 *.tar.gz
 *.zip
 
+# common data directories
 /bin
 /data/
 /backup/
 .pytype/
 .wily/
 .cache/
-
 /.tmp/
+data/
+
+# release related
 CHANGELOG.md
 VERSION
 
@@ -24,8 +30,6 @@ __pycache__/
 *.py[cod]
 *$py.class
 
-data/
-
 # C extensions
 *.so
 

.pre-commit-config.yaml

@@ -56,14 +56,13 @@ repos:
       stages:
         - pre-push
 
-  # why use the local repo instead of hosted hooks? so that dependencies are centrally managed through poetry
+  # why use the local repo instead of hosted hooks? so that dependencies are centrally managed through uv
   - repo: local
     hooks:
 
       # note: this is used in lieu of autopep8 and yapf
       - id: format
         name: format
-        # note: why not use the official black pre-commit hook? so we can use poetry to control which version of black is used.
         entry: make format
         pass_filenames: false
         language: system