port to binny and uv management (#784)

Signed-off-by: Alex Goodman <[email protected]>

Author: wagoodman

.binny.yaml

@@ -0,0 +1,40 @@
+tools:
+  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
+  - name: binny
+    version:
+      want: v0.9.0
+    method: github-release
+    with:
+      repo: anchore/binny
+
+  # used for running all local and CI tasks
+  - name: task
+    version:
+      want: v3.41.0
+    method: github-release
+    with:
+      repo: go-task/task
+
+  # used for showing the changelog at release
+  - name: glow
+    version:
+      want: v2.0.0
+    method: github-release
+    with:
+      repo: charmbracelet/glow
+
+  # used at release to generate the changelog
+  - name: chronicle
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/chronicle
+
+  # used at release to generate the changelog
+  - name: crane
+    version:
+      want: v0.20.3
+    method: github-release
+    with:
+      repo: google/go-containerregistry

.github/actions/bootstrap/action.yaml

@@ -11,14 +11,10 @@ inputs:
     # note: the caller really drives this in a matrix strategy run for unit tests.
     # this default value is used for the rest of the workflow.
     default: "3.11"
-  poetry-version:
-    description: "Poetry version to install"
+  uv-version:
+    description: "UV version to install"
     required: true
-    default: "2.0.0"
-  use-poetry-cache:
-    description: "Restore poetry cache"
-    required: true
-    default: "true"
+    default: "0.5.16"
   go:
     description: "Install go"
     required: true
@@ -39,41 +35,22 @@ runs:
   using: "composite"
   steps:
 
-    # note: go mod and build is automatically cached on default with v4+
-    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 #v5.3.0
       with:
         go-version: ${{ inputs.go-version }}
 
-    - uses: actions/setup-python@v4
+    - uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 # v5.3.1
       with:
-        python-version: ${{ inputs.python-version }}
-
-    - name: Install poetry
-      shell: bash
-      run: |
-        python -m pip install poetry==${{ inputs.poetry-version }}
-        poetry self add "poetry-dynamic-versioning[plugin]"
+        enable-cache: true
 
-    - name: Cache Poetry virtualenv
-      uses: actions/cache@v3
-      if: inputs.use-poetry-cache == 'true'
-      id: cache
+    - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
-        path: ~/.virtualenvs
-        key: ${{ inputs.cache-key-prefix }}-python-${{ inputs.python-version }}-poetry-${{ inputs.poetry-version }}-${{ hashFiles('poetry.lock') }}
-        restore-keys: |
-          ${{ inputs.cache-key-prefix }}-python-${{ inputs.python-version }}-poetry-${{ inputs.poetry-version }}
-
-    - name: Setup Poetry config
-      shell: bash
-      run: |
-        poetry config virtualenvs.in-project false
-        poetry config virtualenvs.path ~/.virtualenvs
+        python-version: ${{ inputs.python-version }}
 
     - name: Restore tool cache
       id: tool-cache
       if: inputs.tools == 'true'
-      uses: actions/cache@v3
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: ${{ github.workspace }}/.tmp
         key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
@@ -89,13 +66,13 @@ runs:
       run: |
         DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y ${{ inputs.bootstrap-apt-packages }}
 
-    - name: Install dependencies and package
+    - name: Install project + dependencies
       shell: bash
-      run: poetry install
+      run: uv sync --all-extras --dev
 
     - name: Restore tox cache
       id: cache-tox
-      uses: actions/cache@v3
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: .tox
         key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-${{ inputs.python-version }}-${{ hashFiles('pyproject.toml') }}-${{ hashFiles('tox.ini') }}

.github/actions/quality-gate/action.yaml

@@ -8,18 +8,17 @@ inputs:
 runs:
   using: "composite"
   steps:
-    # assume we have python and poetry installed
+    # assume we have python and uv installed
 
     - name: Capture vulnerability results
       shell: bash
       working-directory: tests/quality
-      run: poetry run make capture provider=${{ inputs.provider }}
-
+      run: make capture provider=${{ inputs.provider }}
 
     - name: Validate provider results
       shell: bash
       working-directory: tests/quality
-      run: poetry run make validate provider=${{ inputs.provider }}
+      run: make validate provider=${{ inputs.provider }}
 
     - name: Archive the provider state (${{ inputs.provider }})
       if: ${{ failure() }}
@@ -28,7 +27,7 @@ runs:
 
     - name: Upload the provider state archive (${{ inputs.provider }})
       if: ${{ failure() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: qg-capture-state-${{ inputs.provider }}
         path: qg-capture-state-${{ inputs.provider }}.tar.gz
@@ -54,8 +53,7 @@ runs:
 
         Now you can debug the provider with yardstick:
         \`\`\`bash
-        poetry shell
-        yardstick result list
-        yardstick label explore
+        uv run yardstick result list
+        uv run yardstick label explore
         \`\`\`
         EOF

.github/dependabot.yml

@@ -1,9 +1,18 @@
 version: 2
 updates:
+
   - package-ecosystem: "github-actions"
-    directory: "/"
+    open-pull-requests-limit: 10
+    directory: "/.github/actions/bootstrap"
     schedule:
-      interval: daily
+      interval: "daily"
+
+  - package-ecosystem: "github-actions"
+    open-pull-requests-limit: 10
+    directory: "/.github/workflows"
+    schedule:
+      interval: "daily"
+
   - package-ecosystem: "pip"
     directory: "/"
     schedule:

.github/scripts/ci-check.sh

@@ -1,9 +1,10 @@
+#!/usr/bin/env bash
 set -euo pipefail
 
 DEV_VUNNEL_PROVIDERS=$@
 GRYPE_CONFIG=$(pwd)/.grype.yaml
 GRYPE_DB_CONFIG=$(pwd)/.grype-db.yaml
-DEV_POETRY_ENV_PATH=$(poetry env info --path)
+DEV_PYTHON_ENV_PATH=$(pwd)/.venv
 
 BOLD="\033[1m"
 UNDERLINE="\033[4m"
@@ -12,15 +13,15 @@ MAGENTA="\033[35m"
 RESET="\033[0m"
 
 function step() {
-  echo "${MAGENTA}• $*${RESET} ..."
+  echo -e "${MAGENTA}• $*${RESET} ..."
 }
 
 function title() {
-  echo "${BOLD}$*${RESET}"
+  echo -e "${BOLD}$*${RESET}"
 }
 
 function error() {
-  echo "${RED}$*${RESET}"
+  echo -e "${RED}$*${RESET}"
 }
 
 if [ -z  "$*" ]
@@ -85,8 +86,9 @@ for provider in $DEV_VUNNEL_PROVIDERS; do
 done
 export GRYPE_DB_CONFIG
 
-step "Activating poetry virtual env: $DEV_POETRY_ENV_PATH"
-source "$DEV_POETRY_ENV_PATH/bin/activate"
+step "Activating virtual env: $DEV_PYTHON_ENV_PATH"
+test -d "$DEV_PYTHON_ENV_PATH" || uv run vunnel --version
+source "$DEV_PYTHON_ENV_PATH/bin/activate"
 
 pids=""
 
@@ -108,10 +110,10 @@ export PATH=${DEV_VUNNEL_BIN_DIR}:$PATH
 export DEV_VUNNEL_SHELL=true
 
 echo
-echo "Note: development builds ${UNDERLINE}grype${RESET} and ${UNDERLINE}grype-db${RESET} are now available in your path."
-echo "To update these builds run '${UNDERLINE}make build-grype${RESET}' and '${UNDERLINE}make build-grype-db${RESET}' respectively."
-echo "To run your provider and update the grype database run '${UNDERLINE}make update-db${RESET}'."
-echo "Type '${UNDERLINE}exit${RESET}' to exit the development shell."
+echo -e "Note: development builds ${UNDERLINE}grype${RESET} and ${UNDERLINE}grype-db${RESET} are now available in your path."
+echo -e "To update these builds run '${UNDERLINE}make build-grype${RESET}' and '${UNDERLINE}make build-grype-db${RESET}' respectively."
+echo -e "To run your provider and update the grype database run '${UNDERLINE}make update-db${RESET}'."
+echo -e "Type '${UNDERLINE}exit${RESET}' to exit the development shell."
 
 # we were able to setup everything, no need to detect failures from this point on...
 trap - EXIT

.github/scripts/dev-shell.sh

@@ -1,6 +1,7 @@
+#!/usr/bin/env bash
 set -euo pipefail
 
-BIN_DIR=./bin
+BIN_DIR=./.tool
 GRYPE=${BIN_DIR}/grype
 GRYPE_DB=${BIN_DIR}/grype-db
 
@@ -10,15 +11,15 @@ MAGENTA="\033[35m"
 RESET="\033[0m"
 
 function step() {
-  echo "${MAGENTA}• $*${RESET} ..."
+  echo -e "${MAGENTA}• $*${RESET} ..."
 }
 
 function title() {
-  echo "${BOLD}$*${RESET}"
+  echo -e "${BOLD}$*${RESET}"
 }
 
 function error() {
-  echo "${RED}$*${RESET}"
+  echo -e "${RED}$*${RESET}"
 }
 
 step "Updating vunnel providers"

.github/scripts/update-dev-db.sh

@@ -28,7 +28,7 @@ jobs:
         id: determine-providers
         run: |
           # select all providers as test subjects (this populates the matrix downstream)
-          content=`cd tests/quality && poetry run make all-providers`
+          content=`cd tests/quality && make all-providers`
           echo $content
           echo "providers=$content" >> $GITHUB_OUTPUT
 

.github/workflows/nightly-quality-gate.yaml

@@ -31,10 +31,10 @@ jobs:
         run: |
           # be nice to folks troubleshooting in CI...
           cd tests/quality
-          poetry run make show-changes
+          make show-changes
 
           # determine which providers to run (to later populate the matrix)
-          content=`poetry run make select-providers`
+          content=`make select-providers`
           echo $content
           echo "providers=$content" >> $GITHUB_OUTPUT
 

.github/workflows/pr-quality-gate.yaml

@@ -99,8 +99,11 @@ jobs:
     needs:
       - tag
     runs-on: ubuntu-22.04
+    environment: release
     permissions:
       contents: read
+      # required to authenticate with PyPI via OIDC token
+      id-token: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
@@ -110,10 +113,9 @@ jobs:
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
 
+      # note: authentication is via the OIDC token
       - name: Publish to PyPI
         run: make ci-publish-pypi
-        env:
-          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.VUNNEL_PYPI_TOKEN }}
 
   release-docker:
     needs:

.github/workflows/release.yaml

@@ -26,11 +26,11 @@ jobs:
         uses: ./.github/actions/bootstrap
 
       - name: Run static analysis
-        run: poetry run make static-analysis
+        run: make static-analysis
 
-      # - name: Ensure quality gate tools are properly configured
-      #   run: |
-      #     cd tests/quality && make validate-test-tool-versions
+      - name: Ensure quality gate tools are properly configured
+        run: |
+          cd tests/quality && make validate-test-tool-versions
 
   Test:
     runs-on: ubuntu-22.04
@@ -57,10 +57,10 @@ jobs:
           python-version: ${{ matrix.python.version }}
 
       - name: Run unit tests
-        run: poetry run tox -e ${{ matrix.python.toxEnv }}
+        run: uv run tox -e ${{ matrix.python.toxEnv }}
 
       - name: Build assets
-        run: poetry run make build
+        run: make build
 
   # this is to help facilitate ensuring all checks have run with the checks API for release
   # see https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
@@ -69,7 +69,7 @@ jobs:
     if: ${{ always() }}
     runs-on: ubuntu-22.04
     name: Test Gate
-    needs: [test]
+    needs: [Test]
     steps:
       - run: |
           result="${{ needs.Test.result }}"
@@ -101,13 +101,7 @@ jobs:
           echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io --username ${{ github.actor }} --password-stdin
 
       - name: Build assets
-        run: poetry run make build
+        run: make build
 
       - name: Publish commit image
         run: make ci-publish-commit
-
-      - name: Publish to test PyPI
-        run: make ci-publish-testpypi
-        env:
-          # note: "..._TESTPYPI" suffix should match the name of the testpypi repository (see the Makefile target)
-          POETRY_PYPI_TOKEN_TESTPYPI: ${{ secrets.TEST_PYPI_TOKEN }}