reactive-firewall-org · reactive-firewall · Nov 7, 2024 · Oct 30, 2024 · Oct 30, 2024 · Oct 30, 2024
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
@@ -9,8 +9,14 @@ reviews:
     # Code Review Instructions
 
     - Ensure the code follows best practices and coding standards.
+    - Check for security vulnerabilities and potential issues.
+    - Ensure the code follows the **DRY, AHA, and SOLID** principles.
+    - Our "Code Review Checklist Guide" is documented in
+      [CEP-4](https://gist.github.com/reactive-firewall/cc041f10aad1d43a5ef15f50a6bbd5a5)
     - For **Python** code, follow
-      [PEP 20](https://www.python.org/dev/peps/pep-0020/) and
+      [PEP 20](https://www.python.org/dev/peps/pep-0020/),
+      [PEP 483](https://peps.python.org/pep-0483/),
+      [PEP 729](https://peps.python.org/pep-0729/), and
       [CEP-8](https://gist.github.com/reactive-firewall/b7ee98df9e636a51806e62ef9c4ab161)
       standards.
     - For **BASH** and **Shellscript** code, follow
@@ -19,25 +25,29 @@ reviews:
       standards.
     - Check all **BASH** files start with an
       [extensive disclaimer](https://gist.github.com/reactive-firewall/866b42d175ae3ebefcb2a5878b30ea17).
-    - Check for security vulnerabilities and potential issues.
-    - Ensure the code follows the **DRY, AHA, and SOLID** principles.
 
     # Documentation Review Instructions
     - Verify that documentation and comments are clear and comprehensive.
     - Verify that documentation and comments are free of spelling mistakes.
     - Verify that technical documentation includes a "References" section at
       the end of documentation, using the same format as actual RFCs, with
       both "Normative References" and "Informative References".
+    - Ensure that that documentation and comments follow
+      [CEP-7](https://gist.github.com/reactive-firewall/123b8a45f1bdeb064079e0524a29ec20)
 
     # Test Code Review Instructions
     - Ensure that test code is automated, comprehensive, and follows testing best practices.
     - Verify that all critical functionality is covered by tests.
-    - Ensure that test code follow
-      [CEP-8](https://gist.github.com/reactive-firewall/d840ee9990e65f302ce2a8d78ebe73f6)
+    - Ensure that the test coverage meets or exceeds the project's required threshold
+      (e.g., aiming for 100% coverage as per Issue #53).
+    - For **test** code, *also* follow
+      [CEP-9](https://gist.github.com/reactive-firewall/d840ee9990e65f302ce2a8d78ebe73f6)
 
     # Misc.
     - Confirm that the code meets the project's requirements and objectives.
     - Confirm that copyright years are up-to date whenever a file is changed.
+    - For **Python** code, consider [PEP 290](https://peps.python.org/pep-0290/) whenever a python
+      (e.g. has the extension '.py') file is changed.
   request_changes_workflow: true
   high_level_summary: true
   high_level_summary_placeholder: '@coderabbitai summary'
@@ -81,7 +91,7 @@ reviews:
         3. You may assume the file 'README.md' will contain GitHub flavor Markdown.
     - path: '**/*.py'
       instructions: >-
-        When reviewing Python code for this project:
+        When reviewing **Python** code for this project:
 
         1. Prioritize portability over clarity, especially when dealing with cross-Python compatibility. However, with the priority in mind, do still consider improvements to clarity when relevant.
 
@@ -96,7 +106,7 @@ reviews:
         6. Verify Flake8's configuration file is located at ".flake8.ini"
     - path: tests/*
       instructions: >-
-        When reviewing test code:
+        When reviewing **test** code:
 
         1. Prioritize portability over clarity, especially when dealing with cross-Python compatibility. However, with the priority in mind, do still consider improvements to clarity when relevant.
 
@@ -167,6 +177,7 @@ reviews:
           - 'CEP-8'
           - 'CEP-7'
           - 'CEP-5'
+          - 'CEP-4'
           - 'Shellscript'
           - 'bash'
         disabled_rules:

diff --git a/.coveragerc b/.coveragerc
@@ -12,6 +12,7 @@ exclude_lines =
     pragma: no cover
     from . import
     pass
+    except ImportError
     except Exception
     except BaseException
     # Don't complain if tests don't hit defensive assertion code:

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -24,7 +24,7 @@ updates:
         dependency-type: "development"
         exclude-patterns:
           - "setuptools*"
-    allow: 
+    allow:
       - dependency-name: "setuptools"
         dependency-type: "production"
       - dependency-name: "pip"

diff --git a/.github/workflows/Labeler.yml b/.github/workflows/Labeler.yml
@@ -2,7 +2,7 @@ name: "Pull Request Labeler"
 on:
   pull_request_target:
     types: [opened, reopened]
-    branches: [ master, stable ]
+    branches: ["master", "stable"]
 
 # Declare default permissions as none.
 permissions: {}

diff --git a/.github/workflows/Tests.yml b/.github/workflows/Tests.yml
@@ -1,9 +1,10 @@
 name: CI
-on:
+on:  # yamllint disable-line rule:truthy
   push:
     branches:
       - master
       - stable
+      - HOTFIX-*
     tags:
       - v*
   pull_request:
@@ -14,11 +15,18 @@
       - synchronize
       - ready_for_review
 
-# Declare default permissions as read only.
-permissions: read-all
+# Declare default permissions as none.
+permissions: {}
 
 jobs:
   BUILD:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: github.repository == 'reactive-firewall/multicast'
     runs-on: ubuntu-latest
     defaults:
@@ -43,6 +51,13 @@
 
 
   BOOTSTRAP:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: ${{ !cancelled() }}
     needs: BUILD
     runs-on: ubuntu-latest
@@ -124,6 +139,13 @@
 
 
   MATS:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: ${{ !cancelled() }}
     needs: BUILD
     runs-on: ubuntu-latest
@@ -167,14 +189,21 @@
 
 
   COVERAGE:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: ${{ success() }}
     needs: [BUILD, MATS]
     runs-on: ${{ matrix.os }}
     timeout-minutes: 10
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
     env:
       OS: ${{ matrix.os }}
       PYTHON_VERSION: ${{ matrix.python-version }}
@@ -192,6 +221,9 @@
       uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
+    - name: Fix braindead windows ${{ matrix.python-version }} on ${{ matrix.os }}
+      if: ${{ !cancelled() && runner.os == 'Windows' }}
+      run: python -m pip install --upgrade pip
     - name: Install dependencies for python ${{ matrix.python-version }} on ${{ matrix.os }}
       run: |
         pip install --upgrade "pip>=22.0" "setuptools>=75.0" "wheel>=0.44" "build>=1.2.1";
@@ -248,6 +280,13 @@
 
 
   STYLE:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: ${{ success() }}
     needs: [BUILD, MATS]
     runs-on: ubuntu-latest
@@ -257,15 +296,15 @@
     timeout-minutes: 10
 
     env:
-      PYTHON_VERSION: '3.12'
+      PYTHON_VERSION: '3.13'
       LANG: "en_US.utf-8"
 
     steps:
     - uses: actions/checkout@v4
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
-        python-version: "3.12"
+        python-version: "3.13"
     - name: Install dependencies for python Linters
       run: |
         pip install --upgrade "pip>=22.0" "setuptools>=75.0" "wheel>=0.44" "build>=1.2.2";
@@ -286,14 +325,21 @@
 
 
   INTEGRATION:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: ${{ success() }}
     needs: [MATS, COVERAGE]
     runs-on: ${{ matrix.os }}
     timeout-minutes: 10
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
     env:
       OS: ${{ matrix.os }}
       PYTHON_VERSION: ${{ matrix.python-version }}
@@ -395,6 +441,13 @@
 
 
   EXTRAS-FOR-SETUP:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: ${{ success() }}
     needs: [BOOTSTRAP, MATS]
     runs-on: ${{ matrix.os }}
@@ -405,7 +458,7 @@
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
     env:
       OS: ${{ matrix.os }}
       PYTHON_VERSION: ${{ matrix.python-version }}
@@ -468,6 +521,13 @@
 
 
   EXTRAS-FOR-PIP:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: ${{ !cancelled() }}
     needs: [BOOTSTRAP, MATS]
     runs-on: ubuntu-latest
@@ -478,7 +538,7 @@
     strategy:
       matrix:
         os: [ubuntu-latest]
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
     env:
       OS: 'ubuntu-latest'
       PYTHON_VERSION: ${{ matrix.python-version }}
@@ -516,6 +576,13 @@
 
 
   DOCS:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: ${{ !cancelled() }}
     needs: [MATS, COVERAGE, EXTRAS-FOR-SETUP, EXTRAS-FOR-PIP]
     runs-on: ${{ matrix.os }}
@@ -539,6 +606,9 @@
       uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
+    - name: Fix braindead windows ${{ matrix.python-version }} on ${{ matrix.os }}
+      if: ${{ !cancelled() && runner.os == 'Windows' }}
+      run: python -m pip install --upgrade pip
     - name: Install dependencies for python ${{ matrix.python-version }} on ${{ matrix.os }}
       run: |
         pip install --upgrade "pip>=22.0" "setuptools>=75.0" "wheel>=0.44" "build>=1.2.1";
@@ -548,10 +618,10 @@
      id: clean-prep
      run: make -j1 -f Makefile clean ;
    - name: Pre-build for Python ${{ matrix.python-version }} on ${{ matrix.os }}
      run: make -j1 -f Makefile build ;
      if: ${{ success() }}
    - name: Generate documentation with py${{ matrix.python-version }} on ${{ matrix.os }}
      run: make -j1 -f Makefile build-docs 2>&1 >> $GITHUB_STEP_SUMMARY ;
      if: ${{ !cancelled() }}
    - name: Lint documentation
      run: |
@@ -575,6 +645,13 @@
 
 
   TOX:
+    permissions:
+      actions: read
+      contents: read
+      statuses: write
+      packages: none
+      pull-requests: read
+      security-events: none
     if: ${{ success() }}
     needs: [MATS, STYLE, COVERAGE, INTEGRATION, DOCS]
     runs-on: ubuntu-latest

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -11,12 +11,12 @@
 # https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
 
 name: Bandit
-on:
+on:  # yamllint disable-line rule:truthy
   push:
-    branches: [ "master", "stable", feature-*, HOTFIX-* ]
+    branches: ["main", "master", "stable"]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "master", "stable" ]
+    branches: ["main", "master", "stable", feature-*, patch-*, HOTFIX-*]
 
 permissions: {}
 
@@ -48,4 +48,3 @@ jobs:
           # skips: # optional, default is DEFAULT
           # path to a .bandit file that supplies command line arguments
           # ini_path: # optional, default is DEFAULT
-
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ master, stable ]
+    branches: ["master", "stable"]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ stable ]
+    branches: ["master", "stable"]
   schedule:
     - cron: '17 5 * * 1'
 
@@ -32,8 +32,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'python', 'javascript' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        language: ['python', 'javascript']
+        # CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby']
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:

diff --git a/.github/workflows/makefile-lint.yml b/.github/workflows/makefile-lint.yml
@@ -3,9 +3,9 @@
 name: Makefile Lint
 on:  # yamllint disable-line rule:truthy
   push:
-    branches: ["main", "master", "stable", feature*]
-  pull_request:
     branches: ["main", "master", "stable"]
+  pull_request:
+    branches: ["main", "master", "stable", feature-*, patch-*, HOTFIX-*]
 
 permissions: {}  # Setting default permissions to none for enhanced security