xcp-ng · glehmann · Sep 16, 2025 · Sep 5, 2025 · Sep 5, 2025
diff --git a/.github/actions/uv-setup/action.yml b/.github/actions/uv-setup/action.yml
@@ -0,0 +1,35 @@
+name: Setup UV and Sync
+description: 'Install uv and sync the dependencies'
+inputs:
+  sync:
+    description: 'Whether to run `uv sync` after setting up.'
+    required: false
+    default: 'true'
+    type: boolean
+  dev:
+    description: 'Whether to use `--no-dev` with `uv sync`.'
+    required: false
+    default: 'true'
+    type: boolean
+  activate-environment:
+    description: 'Wether to activate the virtual env or not'
+    required: false
+    default: true
+    type: boolean
+runs:
+  using: 'composite'
+  steps:
+    - uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
+      with:
+        version: "0.7.x"
+        activate-environment: ${{ inputs.activate-environment }}
+    - if: inputs.sync == 'true' && inputs.dev == 'false'
+      run: uv sync --frozen --no-dev
+      shell: bash
+      env:
+        FORCE_COLOR: "1"
+    - if: inputs.sync == 'true' && inputs.dev == 'true'
+      run: uv sync --frozen
+      shell: bash
+      env:
+        FORCE_COLOR: "1"
diff --git a/.github/workflows/code-checkers.yml b/.github/workflows/code-checkers.yml
@@ -0,0 +1,48 @@
+name: Static code checkers
+
+on:
+  push:
+    branches:
+      - 'master'
+  pull_request:
+
+permissions: {}
+
+jobs:
+  mypy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/uv-setup/
+      - run: mypy --install-types --non-interactive .
+
+  pyright:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/uv-setup/
+      - run: pyright
+
+  ruff:
+    runs-on: ubuntu-latest
+    env:
+      FORCE_COLOR: "1"
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/uv-setup/
+      - run: ruff check
+
+  flake8:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/uv-setup/
+      - run: flake8
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -1,26 +1,32 @@
 name: Build and Push Docker Image to GHCR
 
-on: push
+on:
+  push:
+    branches:
+      - 'master'
+  pull_request:
 
-permissions:
-  contents: read # Required to checkout the repo code
-  packages: write # Required to push packages to GHCR
+permissions: {}
 
 jobs:
   xcp-ng-build-env-82:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write # Required to push packages to GHCR
     steps:
       - uses: actions/checkout@v4
-      - uses: docker/setup-buildx-action@v3
+        with:
+          persist-credentials: false
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
         with:
           driver: docker-container
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1
         if: github.ref == 'refs/heads/master'
         with:
           registry: ghcr.io
           username: ${{ github.actor }} # Uses the GitHub user/org name that triggered the workflow
           password: ${{ secrets.GITHUB_TOKEN }} # Automatically provided by GitHub
-      - uses: docker/build-push-action@v5 # Using v5 for latest features
+      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
         with:
           context: ./src/xcp_ng_dev/
           file: ./src/xcp_ng_dev/files/Dockerfile-8.x
@@ -35,18 +41,23 @@ jobs:
 
   xcp-ng-build-env-83:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write # Required to push packages to GHCR
     steps:
       - uses: actions/checkout@v4
-      - uses: docker/setup-buildx-action@v3
+        with:
+          persist-credentials: false
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
         with:
           driver: docker-container
-      - uses: docker/login-action@v3
+      - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1
         if: github.ref == 'refs/heads/master'
         with:
           registry: ghcr.io
           username: ${{ github.actor }} # Uses the GitHub user/org name that triggered the workflow
           password: ${{ secrets.GITHUB_TOKEN }} # Automatically provided by GitHub
-      - uses: docker/build-push-action@v5 # Using v5 for latest features
+      - run: echo "VERSION=$(cat ./src/xcp_ng_dev/files/protocol-version.txt | tr -d '\n')" >> $GITHUB_ENV
+      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
         with:
           context: ./src/xcp_ng_dev/
           file: ./src/xcp_ng_dev/files/Dockerfile-8.x
@@ -60,18 +71,22 @@ jobs:
   # TODO: uncomment once we have a public xcp-ng 9.0 repository
   # xcp-ng-build-env-90:
   #   runs-on: ubuntu-latest
+  #   permissions:
+  #     packages: write # Required to push packages to GHCR
   #   steps:
   #     - uses: actions/checkout@v4
-  #     - uses: docker/setup-buildx-action@v3
+  #       with:
+  #         persist-credentials: false
+  #     - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
   #       with:
   #         driver: docker-container
-  #     - uses: docker/login-action@v3
+  #     - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1
   #       if: github.ref == 'refs/heads/master'
   #       with:
   #         registry: ghcr.io
   #         username: ${{ github.actor }} # Uses the GitHub user/org name that triggered the workflow
   #         password: ${{ secrets.GITHUB_TOKEN }} # Automatically provided by GitHub
-  #     - uses: docker/build-push-action@v5 # Using v5 for latest features
+  #     - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
   #       with:
   #         context: ./src/xcp_ng_dev/
   #         file: ./src/xcp_ng_dev/files/Dockerfile-9.x

diff --git a/.github/workflows/format.yaml b/.github/workflows/format.yaml
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -6,19 +6,18 @@ on:
       - 'master'
   pull_request:
 
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Install uv
-      uses: astral-sh/setup-uv@v6
-      with:
-        version: "0.7.x"
-    - name: Install dependencies
-      run: uv sync --frozen
-    - name: Test
-      # use script to provide a tty (workaround of systematic "docker -t"?)
-      shell: 'script -q -e -c "bash {0}"'
-      run: |
-        uv run ./test/test.sh
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true  # required for git lfs
+      - uses: ./.github/actions/uv-setup/
+      - name: Test
+        # use script to provide a tty (workaround of systematic "docker -t"?)
+        shell: 'script -q -e -c "bash {0}"'
+        run: |
+          ./test/test.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,52 @@
+name: Create a release from tag
+
+permissions: {}
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  build:
+    name: Build and store python artifacts
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - uses: ./.github/actions/uv-setup/
+
+      - name: Build
+        run: uv build
+
+      - name: Store python distribution artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifacts
+          path: dist/
+
+  release:
+    permissions:
+      contents: write # allow creating a release
+
+    name: "Create and package a release"
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - name: Retrieve distribution artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts
+          path: dist/
+
+      - name: Create release ${{ github.ref_name }}
+        shell: bash
+        run: |
+          gh release create ${GITHUB_REF_NAME} --repo ${{ github.repository }} --generate-notes dist/*
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/requirements-check.yml b/.github/workflows/requirements-check.yml
@@ -0,0 +1,22 @@
+name: Check requirements file consistency
+
+on:
+  push:
+    branches:
+      - 'master'
+  pull_request:
+
+permissions: {}
+
+jobs:
+  requirements-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/uv-setup/
+        with:
+          dev: false
+      - run: ./requirements/update_requirements.py
+      - run: git diff --exit-code
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches:
+      - 'master'
+  pull_request:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor latest
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/uv-setup/
+        with:
+          sync: false
+      - run: uvx zizmor --color=always .
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.python-version b/.python-version
@@ -0,0 +1 @@
+3.11.11