A command line CI pipeline build harness utility for Python 3 projects based on known best practices.
There are lots of accessories that are useful for establishing a high quality Python pipeline and copy-pasting all the bits and pieces to initialize a new project is tedious and error prone. This utility aims to streamline the creation of a project with all the necessary development and pipeline dependencies and a ready to run pipeline.
.. contents::
.. section-numbering::
NOTE: ``build-harness`` requires git >= 2.28.0 due to the use of the
``--initial-branch`` option to manage a user specified default branch at
initialization.

Ensure that git is installed where ``build_harness`` is going to be installed. eg.
.. code-block::

   sudo apt install -y git
The ``build_harness`` package is available from PyPI. Installing into a virtual
environment is recommended.

.. code-block::

   python3 -m venv .venv \
     && .venv/bin/pip install build_harness \
     && .venv/bin/build-harness bootstrap my_new_project
The bootstrap command generates a new Python project with the name ``my_new_project``
from a template with a ready to run CI pipeline and an initial commit of the template
files. You will need to set up the git remote to correctly point to your git
repository and from there your initial "feature" should be tweaking any project
configuration to meet your specific needs.
Note that Ubuntu, for example, separates ``pip`` and ``venv`` installations from the
main Python installation and they are not installed by default, so if you are
working with a fresh Ubuntu install you will need something like this to acquire them
before running the above commands:

.. code-block::

   sudo apt update && sudo apt install -y python3-pip python3-venv
Note also that the ``flit`` package manager and the ``gitlab-ci`` CI pipeline are
presently the only official choices for use with ``build_harness``. Over time support
for other package managers and CI tools is expected to be added.
Installation makes a command line utility ``build-harness`` available in the virtual
environment. There are currently five groups of sub-commands available.

acceptance
   Run and manage Gherkin features and step files using the behave package.

bootstrap
   Create a new project with a ready to run CI pipeline that runs tests, checks
   coverage and publishes a release to pypi.org on a semantic version git tag.

formatting
   Format source code to the PEP-8 standard using the isort and black packages.

install
   Install and manage project dependencies in the virtual environment. The install
   command will look for a virtual environment ``.venv`` in the project root directory
   and create it if needed. Then it installs and manages all the project dependencies
   there.

   This command only installs packages when they are missing or out of date, so it
   makes efficient use of network capacity and can reduce installation time when only
   incremental changes are needed.

package
   Build wheel and sdist packages of the project.

publish
   Publish project artifacts to publication repositories such as PyPI and readthedocs.

static-analysis
   Run static analysis on source code using the pydocstyle, flake8 and mypy packages.

unit-test
   Run unit tests of the project using pytest.
Further options for these commands can be explored using the ``--help`` argument.

.. code-block::

   build-harness --help
   build-harness <sub-command> --help

A quick summary of using each of the sub-commands, or a specified sub-command.
.. code-block::

   build-harness install
   build-harness install --check

.. code-block::

   build-harness formatting
   build-harness formatting --check

.. code-block::

   build-harness static-analysis

.. code-block::

   build-harness unit-test
   build-harness unit-test --check

.. code-block::

   build-harness acceptance tests
   build-harness acceptance snippets
   build-harness acceptance tags

.. code-block::

   build-harness build --release-id <release-id>
   build-harness publish --user token --password <password> --publish yes
For now, the sub-commands are limited to a specific set of tools (the ones I have found
to be most useful). Fine tuning configuration of the underlying tools is generally
possible using configuration files such as sections added to ``pyproject.toml`` or
``setup.cfg``, or tool specific files in some cases.
Release Management
^^^^^^^^^^^^^^^^^^
In essence release management is the definition of release states before and after a
formal "production" release, how the transitions between release states occur, how
those transitions interact with repository branching strategies and how each release
state is identified in project packaging (the release id), source control and other
related artifacts for the purpose of traceability. Python has myriad ways of managing
releases for a project and almost all of them require some custom workflow from the
user to make it work for automation, so it's really difficult to support all of them.
For this reason the default packaging option of ``build_harness``, using the
``package --release-id`` option, does nothing relating to the release id and assumes
that the user has done whatever is necessary for their workflow to correctly define
the release id for packaging.
Having said that, the goal of the ``build_harness`` project is to have useful
out-of-the-box functionality as much as possible, so described here are workflows
that have been integrated into the project. Because release management preferences
are so varied a separate utility called ``release-flow`` is introduced for
identifying releases and relating them to source control repository branches. See the
`Release identity`_ section below for more details.

There's a fairly useful survey of Python release management in the answers to this
`StackOverflow question <https://stackoverflow.com/questions/458550/standard-way-to-embed-version-into-python-package>`_.
The `setuptools_scm package <https://pypi.org/project/setuptools-scm/>`_ also has some
useful notes on different ways to control release id insertion into a package.
Release identity
++++++++++++++++
Very closely related to release management is the concept of a release identity: how
that identity changes between release states and how those changes are mapped to
changes in source control repository branches and/or tags. Similar to release
management, there are myriad ways of identifying formal releases and pre-releases,
constrained only by the PEP-440 definitions for Python projects.
The ``release-flow`` utility applies a relatively simple release identity and
branching strategy that in my experience is useful for most projects:

- `semantic versions <https://semver.org>`_ to identify formal releases
- ``<last semantic version>-post<commit offset from last semantic version>``
Further to the above steps relating to the ``release-flow`` utility, these steps must
be applied by the CI pipeline:

Finally, the source control repository itself must have a semantic version tag applied
to the first commit of the repository. It is recommended that the first commit tag is
"0.0.0".
VERSION file workflow
+++++++++++++++++++++
This is the workflow used by the ``build_harness`` project itself, so you can refer
to the source code for an example of how to implement this workflow.

- ``VERSION`` in the top-level Python package of your project and applies it to the
  ``__version__`` variable in the package.
- ``__version__`` variable for the project from the content of the VERSION file.
- The default release id must be readily recognisable as having not been built by a
  pipeline. eg. If a developer builds the package locally it should be clear that the
  package they built is not an official release (which in turn should only have been
  built by a pipeline).
A default value I have historically used is "0.0.0". Within the limitations defined by
PEP-440 another option could be "0.0.0+local". The advantage of using the "+local"
suffix is that, as defined by PEP-440, the presence of this local identifier suffix
will cause an attempted upload to pypi.org to fail, so there is much less chance of
accidentally publishing a pre-release package.
For manual release definition you have to ensure that the content of the VERSION file
reflects the release id you are releasing. Doing this manually is error prone and
easily acquires a number of deficiencies with respect to how organizations often want
to organize their releases.

For automation the pipeline just needs to be able to update the content of the file
with the release id defined for a release. This is easily achieved by defining
semantic version tags on the repo (or some similar rule that can be incorporated into
the pipeline code) as a formal release and having the pipeline update the VERSION file
with the tag text.
.. code-block::

   # top-level __init__.py
   """flit requires top-level docstring summary of project"""
   from ._version import __version__  # noqa: F401

.. code-block::

   # _version.py
   import pathlib

   from ._default_values import DEFAULT_RELEASE_ID


   def acquire_version() -> str:
       """
       Acquire PEP-440 compliant version from VERSION file.

       Returns:
           Acquired version text.
       Raises:
           RuntimeError: If version is not valid.
       """
       # VERSION lives beside this module, inside the top-level package.
       here = pathlib.Path(__file__).parent
       version_file_path = (here / "VERSION").absolute()
       if version_file_path.is_file():
           with version_file_path.open(mode="r") as version_file:
               version = version_file.read().strip()
       else:
           # No VERSION file means a local build, not a pipeline release.
           version = DEFAULT_RELEASE_ID

       if not version:
           raise RuntimeError("Unable to acquire version")

       return version


   __version__ = acquire_version()

.. code-block::

   # _default_values.py
   DEFAULT_RELEASE_ID = "0.0.0"
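The following is an added example, not code from the ``build_harness`` project, that ties the release identity rules above (bare semantic version for a formal release, ``<semver>-post<offset>`` otherwise) to the VERSION file workflow: it derives the release id from ``git describe --tags --long`` output, decides whether that id may go to pypi.org, and writes it into the package's ``VERSION`` file for ``acquire_version`` to pick up. The describe-string format, the ``0.0.0+local`` fallback and the function names are this example's own assumptions.

```python
import pathlib
import re
import subprocess

# Assumed fallback for builds with no reachable tag (developer's local build);
# the "+local" suffix is rejected by pypi.org, as the README notes.
LOCAL_RELEASE_ID = "0.0.0+local"

# ``git describe --tags --long`` prints ``<tag>-<offset>-g<sha>``.
_DESCRIBE_RE = re.compile(
    r"^(?P<tag>\d+\.\d+\.\d+)-(?P<offset>\d+)-g[0-9a-f]+$"
)
_SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")


def release_id_from_describe(describe: str) -> str:
    """Map describe output to ``<semver>`` or ``<semver>-post<offset>``."""
    match = _DESCRIBE_RE.match(describe.strip())
    if match is None:
        raise ValueError(f"not a semantic version describe string: {describe!r}")
    tag, offset = match.group("tag"), int(match.group("offset"))
    # Offset 0 means HEAD carries the tag itself: a formal release.
    return tag if offset == 0 else f"{tag}-post{offset}"


def is_formal_release(release_id: str) -> bool:
    """Only a bare semantic version is published to pypi.org; post and
    local ids stay on the test upload site or are not uploaded at all."""
    return _SEMVER_RE.match(release_id) is not None


def write_version_file(package_dir: pathlib.Path, release_id: str) -> pathlib.Path:
    """Write the release id into ``<package>/VERSION`` for acquire_version()."""
    version_file = package_dir / "VERSION"
    version_file.write_text(release_id + "\n", encoding="utf-8")
    return version_file


def current_release_id(repo: pathlib.Path) -> str:
    """Ask git for the release id; fall back to the local id when no tag is
    reachable or git is unavailable, so a local build is never mistaken for
    a pipeline release."""
    try:
        out = subprocess.run(
            ["git", "-C", str(repo), "describe", "--tags", "--long"],
            check=True, capture_output=True, text=True,
        ).stdout
    except (subprocess.CalledProcessError, FileNotFoundError):
        return LOCAL_RELEASE_ID
    return release_id_from_describe(out)
```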
Publishing workflow
+++++++++++++++++++
The ``publish-flow`` utility implements a simple mapping between branches and tags and
whether or not to publish artifacts. PyPI.org has a test upload site which in this
simple workflow is used to test the upload for all non-release packages. On a
semantic version release tag the workflow enables publishing to pypi.org, or the
PEP-503 artifact repository of your choice, as defined in ``.pypirc``.

Note that for publishing, the default CI pipeline requires the secret
``PYPI_API_TOKEN`` to contain the token needed to publish packages to pypi.org. You
will need to generate an API token using your pypi.org account for the CI pipeline to
successfully complete.
FAQs
----

Why not just use CookieCutter?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

``build_harness`` complements the use of CookieCutter nicely: you can use
``build_harness`` to establish and maintain your Python project pipeline with minimal
effort and then focus on using CookieCutter to implement your business specific
customization of build, test and analysis options.

``build_harness`` also lends itself to being easily applied across multiple use cases,
from the pipeline itself, to ``pre-commit`` hooks, to developers manually running
specific components of the pipeline for test and debug.
Why aren't you using flake8-import-order?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This plugin appears to conflict with ``isort``. Since isort actually formats rather
than just reporting a format failure I consider it more useful and have prioritized
use of isort. In future it may be possible to configure ``flake8-import-order`` to
align with isort, or vice-versa.
Why aren't you using flake8-black?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The ``flake8-black`` package is developed independently of ``black`` and seems to
introduce its own problems synchronizing with the evolving black package, and in
addition suffers from the same "why check when you can actually format?" problem as
``flake8-import-order``.
CI build harness embodying best practices for Python projects.