Merge pull request #1 from chainguard-dev/paulgibert/python

Paulgibert/python

airflow-2.10.3-r0.yaml

@@ -0,0 +1,130 @@
+package:
+  name: airflow
+  version: 2.10.3
+  epoch: 0
+  description: Platform to programmatically author, schedule, and monitor workflows
+  options:
+    #  There is a dependency on libarrow.so although it
+    #  is provided in the virtual environment. Enabling no-depends
+    #  works around this
+    no-depends: true
+  dependencies:
+    runtime:
+      - python-3.12
+  copyright:
+    - license: Apache-2.0
+
+environment:
+  contents:
+    packages:
+      - gcc
+      - glibc-dev
+      - mariadb-connector-c-dev
+      - mariadb-dev
+      - nodejs
+      - openssf-compiler-options
+      - pkgconf-dev
+      - postgresql-dev
+      - py3.12-pip
+      - py3-xmlsec
+      - python-3.12
+      - python-3.12-dev
+      - wolfi-base
+      - xmlsec-dev
+      - xmlsec-openssl
+      - yarn
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/apache/airflow
+      tag: ${{package.version}}
+      expected-commit: c99887ec11ce3e1a43f2794fcf36d27555140f00
+
+  - runs: |
+      # by default airflow celery provider is not built,but running the upstream helm chart requires it
+       python patch.py
+       # remove the patcher
+       rm -rf patch.py
+
+  - uses: patch
+    with:
+      patches: requests.patch urllib3.patch
+
+  - runs: |
+      # requires EPOCH to be later that 1980
+      export SOURCE_DATE_EPOCH=315532800
+
+      python -m venv venv --system-site-packages
+      source venv/bin/activate
+
+      pip install build
+
+      # To install mysqlclient wheel
+      export MYSQLCLIENT_CFLAGS=`mysql_config --cflags`
+      export MYSQLCLIENT_LDFLAGS=`mysql_config --libs`
+
+      python -m build --wheel
+      pip install dist/*.whl
+
+  - runs: |
+      # CVE-2024-6345 GHSA-cx63-2mw6-8hw5
+      # setuptools comes from airflow/providers/google/provider.yaml having
+      # gcloud-aio-auth>=4.0.0,<5.0.0 . gcloud-aio-auth 4 is backlevel and has
+      # setuptools in it's pyproject.toml 'tool.poetry.dependencies'
+      # The tldr; For that case it is not needed in runtime.
+      ./venv/bin/pip uninstall --yes setuptools
+
+  - working-directory: venv/lib/python3.12/site-packages/airflow/www
+    runs: |
+      # front-end build
+      yarn install --frozen-lockfile
+      yarn run build
+      rm -rf node_modules
+
+  - runs: find . -name '__pycache__' -exec rm -rf {} +
+
+  - runs: |
+      mkdir -p ${{targets.destdir}}/opt/airflow/dags
+      mkdir -p ${{targets.destdir}}/scripts/docker
+
+      # The first time you run Airflow, it will create a file called `airflow.cfg` in
+      # `$AIRFLOW_HOME` directory
+      # However, for production case it is advised to generate the configuration
+      venv/bin/airflow config list --defaults > ${{targets.destdir}}/"airflow.cfg"
+
+      mv venv ${{targets.destdir}}/opt/airflow
+      rm -rf ${{targets.destdir}}/opt/airflow/venv/bin/__pycache*
+      sed -i "s|/home/build|/opt/airflow|g" ${{targets.destdir}}/opt/airflow/venv/bin/*
+
+      cp airflow/config_templates/default_webserver_config.py ${{targets.destdir}}/
+
+      cp scripts/docker/entrypoint_prod.sh ${{targets.destdir}}/entrypoint
+      chmod 755 ${{targets.destdir}}/entrypoint
+
+      cp scripts/docker/clean-logs.sh ${{targets.destdir}}/clean-logs
+      chmod 755 ${{targets.destdir}}/clean-logs
+
+      cp scripts/docker/airflow-scheduler-autorestart.sh ${{targets.destdir}}/airflow-scheduler-autorestart
+      chmod 755 ${{targets.destdir}}/airflow-scheduler-autorestart
+
+      cp -r scripts/docker/* ${{targets.destdir}}/scripts/docker
+      chmod 755 ${{targets.destdir}}/scripts/docker
+
+update:
+  enabled: true
+  ignore-regex-patterns:
+    - 'rc\d+$'
+    - 'helm-chart*'
+  github:
+    identifier: apache/airflow
+
+test:
+  environment:
+    contents:
+      packages:
+        - python3
+  pipeline:
+    - runs: |
+        export PATH=/opt/airflow/venv/bin:$PATH
+        HOME=/home/build airflow version

airflow-2.10.3-r0/patch.py

@@ -0,0 +1,52 @@
+import os
+
+# Path to the file you want to modify
+file_path = 'hatch_build.py'
+
+# Lines to be added
+lines_to_add = [
+    '    "amazon",\n',
+    '    "celery",\n',
+    '    "cncf.kubernetes",\n',
+    '    "docker",\n',
+    '    "elasticsearch",\n',
+    '    "google",\n',
+    '    "grpc",\n',
+    '    "hashicorp",\n',
+    '    "microsoft.azure",\n',
+    '    "mysql",\n',
+    '    "odbc",\n',
+    '    "openlineage",\n',
+    '    "postgres",\n',
+    '    "redis",\n',
+    '    "sendgrid",\n',
+    '    "sftp",\n',
+    '    "slack",\n',
+    '    "snowflake",\n',
+    '    "ssh",\n',
+]
+
+# Read the contents of the file
+with open(file_path, 'r') as file:
+    file_contents = file.readlines()
+
+# Find the index of the line where the new lines should be inserted
+insert_index = None
+for i, line in enumerate(file_contents):
+    if line.strip() == 'PRE_INSTALLED_PROVIDERS = [':
+        insert_index = i + 1
+        break
+
+# If the target line is found, insert the new lines
+if insert_index is not None:
+    for line in lines_to_add:
+        file_contents.insert(insert_index, line)
+        insert_index += 1
+
+    # Write the modified contents back to the file
+    with open(file_path, 'w') as file:
+        file.writelines(file_contents)
+
+    print(f'Lines added to {file_path}')
+else:
+    print(f'Target line not found in {file_path}')

airflow-2.10.3-r0/requests.patch

@@ -0,0 +1,29 @@
+From 2f5c710f941e340adb6d5de0a627b65d51d186c8 Mon Sep 17 00:00:00 2001
+From: Dentrax <[email protected]>
+Date: Mon, 2 Sep 2024 16:33:18 +0300
+Subject: [PATCH] fix requests patch
+
+Signed-off-by: Dentrax <[email protected]>
+---
+ hatch_build.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hatch_build.py b/hatch_build.py
+index f366ae9..1613d5c 100644
+--- a/hatch_build.py
++++ b/hatch_build.py
+@@ -474,7 +474,7 @@ DEPENDENCIES = [
+     "python-nvd3>=0.15.0",
+     "python-slugify>=5.0",
+     # Requests 3 if it will be released, will be heavily breaking.
+-    "requests>=2.27.0,<3",
++    "requests>=2.32.0,<3",
+     "requests-toolbelt>=0.4.0",
+     "rfc3339-validator>=0.1.4",
+     "rich-argparse>=1.0.0",
+ ]
+
+
+-- 
+2.39.3 (Apple Git-146)
+

airflow-2.10.3-r0/urllib3.patch

@@ -0,0 +1,22 @@
+diff --git a/clients/python/pyproject.toml b/clients/python/pyproject.toml
+index 0162beb575..ebdb46303e 100644
+--- a/clients/python/pyproject.toml
++++ b/clients/python/pyproject.toml
+@@ -52,7 +52,7 @@ classifiers = [
+
+ dependencies = [
+     "python-dateutil",
+-    "urllib3 >= 1.25.3",
++    "urllib3 >= 1.26.19",
+ ]
+
+ [project.urls]
+@@ -66,7 +66,7 @@ Homepage = "https://airflow.apache.org/"
+ [tool.hatch.envs.test]
+ dependencies = [
+     "pytest-cov>=2.8.1",
+-    "urllib3 >= 1.25.3",
++    "urllib3 >= 1.26.19",
+ ]
+
+ [tool.hatch.envs.test.scripts]

az-2.62.0-r0.yaml

@@ -0,0 +1,66 @@
+package:
+  name: az
+  version: 2.62.0
+  epoch: 0
+  description: Azure CLI
+  copyright:
+    - license: MIT
+
+environment:
+  contents:
+    packages:
+      - build-base
+      - busybox
+      - ca-certificates-bundle
+      - py3.11-pip
+      - python-3.11
+      - python-3.11-dev
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/Azure/azure-cli/
+      tag: azure-cli-${{package.version}}
+      expected-commit: add4b2cc69df23d4e664d79b6aec3e036b2d6e2c
+
+  - name: Python Build
+    runs: |
+      pip install wheel
+      cd src/azure-cli
+      python setup.py bdist_wheel
+      cd ../azure-cli-core
+      python setup.py bdist_wheel
+
+  - runs: |
+      # Setup the virtualenv
+      python -m venv .venv
+      # Bump pip to patch a CVE
+      .venv/bin/pip install --upgrade pip==23.3.2
+      .venv/bin/pip install --upgrade setuptools==65.5.1
+
+  - runs: |
+      .venv/bin/pip install --no-compile src/azure-cli/dist/*.whl src/azure-cli-core/dist/*.whl
+
+  - runs: |
+      mkdir -p ${{targets.destdir}}/usr/share/az
+      mv .venv ${{targets.destdir}}/usr/share/az/
+
+      # edit the venv paths
+      sed -i "s|/home/build|/usr/share/az|g" ${{targets.destdir}}/usr/share/az/.venv/bin/*
+
+  - runs: |
+      mkdir -p ${{targets.destdir}}/usr/bin
+      ln -s /usr/share/az/.venv/bin/az ${{targets.destdir}}/usr/bin/az
+
+  - uses: strip
+
+update:
+  enabled: true
+  github:
+    identifier: Azure/azure-cli
+    strip-prefix: azure-cli-
+
+test:
+  pipeline:
+    - runs: |
+        az --version

ggshield-1.17.3-r0.yaml

@@ -0,0 +1,65 @@
+package:
+  name: ggshield
+  version: 1.33.0
+  epoch: 1
+  description: Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
+  copyright:
+    - license: MIT
+  dependencies:
+    runtime:
+      - git
+      - py3-certifi
+      - python3
+
+environment:
+  contents:
+    packages:
+      - build-base
+      - busybox
+      - ca-certificates-bundle
+      - openssf-compiler-options
+      - py3-pip
+      - py3-setuptools
+      - py3-wheel
+      - python3
+      - wolfi-base
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/GitGuardian/ggshield
+      tag: v${{package.version}}
+      expected-commit: 537dbb82c54b792a2149e6b50a86de3025e10268
+
+  - runs: |
+      pip3 install certifi -U  # https://github.com/advisories/GHSA-xqr8-7jwr-rhp7
+      python3 setup.py bdist_wheel
+      pip3 install . --prefix=/usr --root="${{targets.destdir}}"
+      find ${{targets.destdir}} -name "*.pyc" -exec rm -rf '{}' +
+
+  - uses: strip
+
+update:
+  enabled: true
+  github:
+    identifier: GitGuardian/ggshield
+    use-tag: true
+    strip-prefix: v
+
+test:
+  pipeline:
+    - name: Check ggshield version
+      runs: |
+        ggshield --version
+        cmark --help
+        dotenv --version
+        dotenv --help
+        ggshield --help
+        normalizer --version
+        normalizer --help
+        pygmentize -v
+        pygmentize --help
+    - name: Check ggshield API status without API key
+      runs: |
+        output=$(ggshield api-status 2>&1 || true)
+        echo "$output" | grep "Error: A GitGuardian API key is needed to use ggshield."