Merge pull request #62 from unicef/staging

2025.1 release

.dockerignore

@@ -13,5 +13,4 @@ node_modules
 src/*.egg-info
 src/aurora/staticfiles/
 Makefile
-README.md
 manage.py

.env.example

@@ -0,0 +1,11 @@
+SECRET_KEY=secret-key
+
+DATABASE_URL=psql://postgres:postgres@db:5432/postgres
+CACHE_DEFAULT=redis://redis:6379/0
+STATIC_URL=/static/
+STATIC_ROOT=/var/static/
+
+POSTGRES_DB=postgres
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=postgres
+POSTGRES_HOST=db

.flake8

@@ -3,9 +3,20 @@ max-complexity = 20
 max-line-length = 120
 exclude =
     ~*
-ignore = E401,W391,E128,E261,E731,Q000,W504,W606,W503
-putty-ignore =
+    .venv,
+    venv,
+    .git,
+    __pycache__,
+    build,
+    dist,
+    migrations,
+    snapshots,
+    __pypackages__,
+
+ignore = E401,W391,E128,E261,E731,Q000,W504,W606,W503,E203
+;putty-ignore =
     ;    tests/test_choice_as_instance.py : E501
 
 per-file-ignores =
     */__init__.py:F401,F403
+    */migrations/*:E501

.github/actions/last_commit/action.yml

@@ -0,0 +1,31 @@
+name: 'Get Last commit'
+description: ''
+
+
+outputs:
+  last_commit_sha:
+    description: 'last_commit_sha'
+    value: ${{ steps.result.outputs.last_commit_sha }}
+  last_commit_short_sha:
+    description: 'last_commit_short_sha'
+    value: ${{ steps.result.outputs.last_commit_short_sha }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Environment (PR)  
+      if: ${{ github.event_name == 'pull_request' }}  
+      shell: bash  
+      run: |  
+        echo "LAST_COMMIT_SHA=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+    - name: Setup Environment (Push)  
+      if: ${{ github.event_name == 'push' }}  
+      shell: bash
+      run: |  
+        echo "LAST_COMMIT_SHA=${GITHUB_SHA}" >> $GITHUB_ENV
+    - id: result
+      shell: bash
+      run: |
+        raw=${{env.LAST_COMMIT_SHA}} 
+        echo "last_commit_sha=$raw" >> $GITHUB_OUTPUT
+        echo "last_commit_short_sha=${raw::8}" >> $GITHUB_OUTPUT

.github/file-filters.yml

@@ -0,0 +1,45 @@
+# This is used by the action https://github.com/dorny/paths-filter
+docker: &docker
+  - added|modified: './docker/**/*'
+  - added|modified: './docker/*'
+
+dependencies: &dependencies
+  - 'pdm.lock'
+  - 'pyproject.toml'
+
+actions: &actions
+  - added|modified: './.github/**/*'
+
+python: &python
+  - added|modified: 'src/**'
+  - added|modified: 'tests/**'
+  - 'manage.py'
+
+changelog:
+  - added|modified: 'changes/**'
+  - 'CHANGELOG.md'
+
+mypy:
+  - *python
+  - 'mypy.ini'
+
+run_tests:
+  - *actions
+  - *python
+  - *docker
+  - *dependencies
+  - 'pytest.ini'
+
+migrations:
+  - added|modified: 'src/**/migrations/*'
+
+lint:
+  - *python
+  - '.flake8'
+  - 'pyproject.toml'
+
+docs:
+  - added|modified: './docs/**/*'
+  - modified: './src/aurora/config/__init__.py'
+  - modified: './github/workflows/docs.yml'
+  - modified: './github/file-filters.yml'

.github/workflows/docs.yml

@@ -0,0 +1,86 @@
+name: "Documentation"
+
+on:
+  push:
+    branches:
+      - develop
+      - master
+  schedule:
+    - cron: '37 23 * * 2'
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    defaults:
+      run:
+        shell: bash
+    outputs:
+      docs: ${{ steps.changed_files.outputs.docs }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - id: changed_files
+        name: Check for file changes
+        uses: dorny/paths-filter@v3
+        with:
+          base: ${{ github.ref }}
+          token: ${{ github.token }}
+          filters: .github/file-filters.yml
+  generate:
+    name: Generate
+    if: needs.changes.outputs.docs == 'true'
+    needs: changes
+    runs-on: ubuntu-latest
+    env:
+      PYTHONPATH: src/
+    steps:
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - uses: actions/checkout@v4
+      - uses: yezz123/setup-uv@v4
+
+      - uses: actions/cache/restore@v4
+        id: restore-cache
+        with:
+          path: .venv
+          key: ${{ runner.os }}-${{ hashFiles('**/uv.lock') }}
+
+      - name: Install dependencies
+        run: uv sync --extra docs
+
+      - name: Build Doc
+        run: .venv/bin/mkdocs build -d ./docs-output
+
+      - uses: actions/cache/save@v4
+        id: cache
+        if: always() && steps.restore-cache.outputs.cache-hit != 'true'
+        with:
+          path: .venv
+          key: ${{ runner.os }}-${{ hashFiles('**/uv.lock') }}
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: ./docs-output
+
+  # Deployment job
+  deploy:
+    needs: generate
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/lint.yml

@@ -0,0 +1,56 @@
+name: Lint
+on:
+  push:
+    branches:
+      - '**'
+#  pull_request:
+#    branches: [develop, master]
+#    types: [synchronize, opened, reopened, ready_for_review]
+
+defaults:
+  run:
+    shell: bash
+
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
+
+permissions:
+  contents: read
+
+jobs:
+  changes:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    name: check files
+    runs-on: ubuntu-latest
+    timeout-minutes: 3
+    outputs:
+      lint: ${{ steps.changes.outputs.lint }}
+      docker: ${{ steps.changes.outputs.docker_base }}
+    steps:
+      - run: git config --global --add safe.directory $(realpath .)
+      - uses: actions/checkout@v4
+      - id: changes
+        name: Check for backend file changes
+        uses: dorny/paths-filter@v3
+        with:
+          base: ${{ github.ref }}
+          token: ${{ github.token }}
+          filters: .github/file-filters.yml
+
+  ruff:
+    needs: changes
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false && needs.changes.outputs.lint
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - name: Install requirements
+        run: pip install ruff
+      - name: Check syntax
+        # Stop the build if there are Python syntax errors or undefined names
+        run: ruff check -e

.github/workflows/security.yml

@@ -0,0 +1,79 @@
+name: Security
+on:
+  push:
+    branches:
+      - develop
+      - master
+      - staging
+      - release/*
+      - feature/*
+      - bugfix/*
+      - hotfix/*
+#  pull_request:
+#    branches: [develop, master]
+#    types: [synchronize, opened, reopened, ready_for_review]
+
+defaults:
+  run:
+    shell: bash
+
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
+
+permissions:
+  contents: read
+
+jobs:
+  changes:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    name: check files
+    runs-on: ubuntu-latest
+    timeout-minutes: 3
+    env:
+      GIT_DISCOVERY_ACROSS_FILESYSTEM: 1
+    outputs:
+      lint: ${{ steps.changes.outputs.lint }}
+      docker: ${{ steps.changes.outputs.docker_base }}
+    steps:
+      - run: git config --global --add safe.directory $(realpath .)
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - id: changes
+        name: Check for backend file changes
+        uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+        with:
+          base: ${{ github.ref }}
+          token: ${{ github.token }}
+          filters: .github/file-filters.yml
+
+  bandit:
+    needs: changes
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false && needs.changes.outputs.lint
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bandit Scan
+        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
+        with: # optional arguments
+          # exit with 0, even with results found
+          exit_zero: true # optional, default is DEFAULT
+          # Github token of the repository (automatically created by Github)
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
+          # File or directory to run bandit on
+          path: src # optional, default is .
+          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          # level: # optional, default is UNDEFINED
+          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          # confidence: # optional, default is UNDEFINED
+          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+          # excluded_paths: # optional, default is DEFAULT
+          # comma-separated list of test IDs to skip
+          # skips: # optional, default is DEFAULT
+          # path to a .bandit file that supplies command line arguments
+          # ini_path: # optional, default is DEFAULT