Cédric OLIVIER · Pierre Smeyers · Pierre Smeyers · semantic-release-bot · 8bfdc581 · 8bfdc581
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
+# [6.5.0](https://gitlab.com/to-be-continuous/python/compare/6.4.1...6.5.0) (2023-12-01)
+
+
+### Features
+
+* support CI/CD component design ([0166bd4](https://gitlab.com/to-be-continuous/python/commit/0166bd43891f4bab8934e4379e8c34f399d681f5))
+
 ## [6.4.1](https://gitlab.com/to-be-continuous/python/compare/6.4.0...6.4.1) (2023-11-25)



--- a/README.md
+++ b/README.md
--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."

  # replace in README
-  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
+  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" -e "s/@$curVer/@$nextVer/" README.md > README.md.next
  mv -f README.md.next README.md

  # replace in template and variants

--- a/kicker.json
+++ b/kicker.json
@@ -148,6 +148,12 @@
      "description": "Detect security vulnerabilities with [Trivy](https://github.com/aquasecurity/trivy/) (dependencies analysis)",
      "enable_with": "PYTHON_TRIVY_ENABLED",
      "variables": [
+        {
+          "name": "PYTHON_TRIVY_IMAGE",
+          "description": "The Docker image used to run Trivy",
+          "default": "registry.hub.docker.com/aquasec/trivy:latest",
+          "advanced": true
+        },
        {
          "name": "PYTHON_TRIVY_ARGS",
          "description": "Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)",

--- a/templates/gitlab-ci-python-vault.yml
+++ b/templates/gitlab-ci-python-vault.yml
 # =====================================================================================================================
 # === Vault template variant
 # =====================================================================================================================
+spec:
+  inputs:
+    vault-base-url:
+      description: The Vault server base API url
+      default: '' # null
+    vault-oidc-aud:
+      description: The `aud` claim for the JWT
+      default: $CI_SERVER_URL
+---
 variables:
  # variabilized vault-secrets-provider image
-  TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
+  TBC_VAULT_IMAGE: $CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master
  # variables have to be explicitly declared in the YAML to be exported to the service
  VAULT_ROLE_ID: "$VAULT_ROLE_ID"
  VAULT_SECRET_ID: "$VAULT_SECRET_ID"
-  VAULT_OIDC_AUD: "$CI_SERVER_URL"
+  VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
+  VAULT_BASE_URL: $[[ inputs.vault-base-url ]]

 .python-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "python", "6.4.1"]
+      command: ["--service", "python", "6.5.0"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -13,6 +13,148 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 # Floor, Boston, MA  02110-1301, USA.
 # =========================================================================================
+spec:
+  inputs:
+    image:
+      description: The Docker image used to run Python - **set the version required by your project**
+      default: registry.hub.docker.com/library/python:3
+    project-dir:
+      description: Python project root directory
+      default: .
+    build-system:
+      description: Python build-system to use to install dependencies, build and package the project
+      options:
+      - auto
+      - setuptools
+      - poetry
+      - pipenv
+      - reqfile
+      default: auto
+    reqs-file:
+      description: |-
+        Main requirements file _(relative to `$PYTHON_PROJECT_DIR`)_
+
+        For [Requirements Files](https://pip.pypa.io/en/stable/user_guide/#requirements-files) build-system only
+      default: requirements.txt
+    extra-reqs-files:
+      description: |-
+        Extra dev requirements file(s) to install _(relative to `$PYTHON_PROJECT_DIR`)_
+
+        For [Requirements Files](https://pip.pypa.io/en/stable/user_guide/#requirements-files) build-system only
+      default: requirements-dev.txt
+    compile-args:
+      description: '[`compileall` CLI options](https://docs.python.org/3/library/compileall.html)'
+      default: '*'
+    pip-opts:
+      description: pip extra [options](https://pip.pypa.io/en/stable/cli/pip/#general-options)
+      default: '' # null
+    extra-deps:
+      description: |-
+        Extra sets of dependencies to install
+
+        For [Setuptools](https://setuptools.pypa.io/en/latest/userguide/dependency_management.html?highlight=extras#optional-dependencies) or [Poetry](https://python-poetry.org/docs/pyproject/#extras) only
+      default: '' # null
+    package-enabled:
+      description: Enable package
+      type: boolean
+      default: false
+    pylint-enabled:
+      description: Enable pylint
+      type: boolean
+      default: false
+    pylint-args:
+      description: Additional [pylint CLI options](http://pylint.pycqa.org/en/latest/user_guide/run.html#command-line-options)
+      default: '' # null
+    pylint-files:
+      description: Files or directories to analyse
+      default: '' # null
+    unittest-enabled:
+      description: Enable unittest
+      type: boolean
+      default: false
+    unittest-args:
+      description: Additional xmlrunner/unittest CLI options
+      default: '' # null
+    pytest-enabled:
+      description: Enable pytest
+      type: boolean
+      default: false
+    pytest-args:
+      description: Additional [pytest](https://docs.pytest.org/en/stable/usage.html) or [pytest-cov](https://github.com/pytest-dev/pytest-cov#usage) CLI options
+      default: '' # null
+    nosetests-enabled:
+      description: Enable nosetest
+      type: boolean
+      default: false
+    nosetests-args:
+      description: Additional [nose CLI options](https://nose.readthedocs.io/en/latest/usage.html#options)
+      default: '' # null
+    bandit-enabled:
+      description: Enable Bandit
+      type: boolean
+      default: false
+    bandit-args:
+      description: Additional [Bandit CLI options](https://github.com/PyCQA/bandit#usage)
+      default: --recursive .
+    safety-enabled:
+      description: Enable Safety
+      type: boolean
+      default: false
+    safety-args:
+      description: Additional [Safety CLI options](https://github.com/pyupio/safety#usage)
+      default: --full-report
+    trivy-enabled:
+      description: Enable Trivy
+      type: boolean
+      default: false
+    trivy-image:
+      description: The Docker image used to run Trivy
+      default: registry.hub.docker.com/aquasec/trivy:latest
+    trivy-args:
+      description: Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)
+      default: --vuln-type library
+    sbom-disabled:
+      description: Disable Software Bill of Materials
+      type: boolean
+      default: false
+    sbom-syft-url:
+      description: |-
+        Url to the `tar.gz` package for `linux_amd64` of Syft to use
+
+        _When unset, the latest version will be used_
+      default: '' # null
+    sbom-name:
+      description: Component name of the emitted SBOM
+      default: $CI_PROJECT_PATH/$PYTHON_PROJECT_DIR
+    sbom-opts:
+      description: Options for syft used for SBOM analysis
+      default: --catalogers python-index-cataloger
+    release-enabled:
+      description: Enable Release
+      type: boolean
+      default: false
+    release-next:
+      description: 'The part of the version to increase (one of: `major`, `minor`, `patch`)'
+      options:
+      - ''
+      - major
+      - minor
+      - patch
+      default: minor
+    semrel-release-disabled:
+      description: Disable semantic-release integration
+      type: boolean
+      default: false
+    release-commit-message:
+      description: The Git commit message to use on the release commit. This is templated using the [Python Format String Syntax](http://docs.python.org/2/library/string.html#format-string-syntax). Available in the template context are current_version and new_version.
+      default: "chore(python-release): {current_version} \u2192 {new_version}"
+    repository-url:
+      description: |-
+        Target PyPI repository to publish packages.
+
+        _defaults to [GitLab project's packages repository](https://docs.gitlab.com/ee/user/packages/pypi_repository/)_
+      default: ${CI_SERVER_URL}/api/v4/projects/${CI_PROJECT_ID}/packages/pypi
+---
 # default workflow rules: Merge Request pipelines
 workflow:
  rules:
@@ -66,12 +208,13 @@ variables:
  POETRY_VIRTUALENVS_IN_PROJECT: "false"
  PIPENV_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pipenv"

-  PYTHON_IMAGE: "registry.hub.docker.com/library/python:3"
+  # PYTHON_IMAGE: "registry.hub.docker.com/library/python:3"
+  PYTHON_IMAGE: $[[ inputs.image ]]
  # Default Python project root directory
-  PYTHON_PROJECT_DIR: .
+  PYTHON_PROJECT_DIR: $[[ inputs.project-dir ]]

-  PYTHON_REQS_FILE: requirements.txt
-  PYTHON_EXTRA_REQS_FILES: "requirements-dev.txt"
+  PYTHON_REQS_FILE: $[[ inputs.reqs-file ]]
+  PYTHON_EXTRA_REQS_FILES: $[[ inputs.extra-reqs-files ]]

  # default production ref name (pattern)
  PROD_REF: '/^(master|main)$/'
@@ -81,29 +224,54 @@ variables:
  RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+$/'

  # compileall
-  PYTHON_COMPILE_ARGS: "*"
+  PYTHON_COMPILE_ARGS: $[[ inputs.compile-args ]]

-  BANDIT_ARGS: "--recursive ."
+  BANDIT_ARGS: $[[ inputs.bandit-args ]]

  # Safety tool
-  SAFETY_ARGS: "--full-report"
+  SAFETY_ARGS: $[[ inputs.safety-args ]]

  # Trivy tool
-  PYTHON_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest"
-  PYTHON_TRIVY_ARGS: "--vuln-type library"
+  PYTHON_TRIVY_ENABLED: $[[ inputs.trivy-enabled ]]
+  PYTHON_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
+  PYTHON_TRIVY_ARGS: $[[ inputs.trivy-args ]]

-  PYTHON_SBOM_NAME: "$CI_PROJECT_PATH/$PYTHON_PROJECT_DIR"
-  PYTHON_SBOM_OPTS: "--catalogers python-index-cataloger"
+  PYTHON_SBOM_NAME: $[[ inputs.sbom-name ]]
+  PYTHON_SBOM_OPTS: $[[ inputs.sbom-opts ]]

-  PYTHON_RELEASE_NEXT: "minor"
-  PYTHON_RELEASE_COMMIT_MESSAGE: "chore(python-release): {current_version} → {new_version}"
+  PYTHON_RELEASE_NEXT: $[[ inputs.release-next ]]
+  PYTHON_RELEASE_COMMIT_MESSAGE: $[[ inputs.release-commit-message ]]

  # By default, publish on the Packages registry of the project
  # https://docs.gitlab.com/ee/user/packages/pypi_repository/#authenticate-with-a-ci-job-token
-  PYTHON_REPOSITORY_URL: ${CI_SERVER_URL}/api/v4/projects/${CI_PROJECT_ID}/packages/pypi
-  PYTHON_REPOSITORY_USERNAME: 'gitlab-ci-token'
+  PYTHON_REPOSITORY_URL: $[[ inputs.repository-url ]]
+  PYTHON_REPOSITORY_USERNAME: gitlab-ci-token
  PYTHON_REPOSITORY_PASSWORD: $CI_JOB_TOKEN

+  PYTHON_BUILD_SYSTEM: $[[ inputs.build-system ]]
+  PIP_OPTS: $[[ inputs.pip-opts ]]
+  PYTHON_EXTRA_DEPS: $[[ inputs.extra-deps ]]
+  PYTHON_PACKAGE_ENABLED: $[[ inputs.package-enabled ]]
+  PYLINT_ENABLED: $[[ inputs.pylint-enabled ]]
+  PYLINT_ARGS: $[[ inputs.pylint-args ]]
+  PYLINT_FILES: $[[ inputs.pylint-files ]]
+  UNITTEST_ENABLED: $[[ inputs.unittest-enabled ]]
+  UNITTEST_ARGS: $[[ inputs.unittest-args ]]
+  PYTEST_ENABLED: $[[ inputs.pytest-enabled ]]
+  PYTEST_ARGS: $[[ inputs.pytest-args ]]
+  NOSETESTS_ARGS: $[[ inputs.nosetests-args ]]
+
+  PYTHON_SBOM_SYFT_URL: $[[ inputs.sbom-syft-url ]]
+
+  PYTHON_SEMREL_RELEASE_DISABLED: $[[ inputs.semrel-release-disabled ]]
+
+  NOSETESTS_ENABLED: $[[ inputs.nosetests-enabled ]]
+  BANDIT_ENABLED: $[[ inputs.bandit-enabled ]]
+  SAFETY_ENABLED: $[[ inputs.safety-enabled ]]
+  PYTHON_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]
+  PYTHON_RELEASE_ENABLED: $[[ inputs.release-enabled ]]
+
+
 .python-scripts: &python-scripts |
  # BEGSCRIPT
  set -e
@@ -639,7 +807,7 @@ stages:
  image: $PYTHON_IMAGE
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "python", "6.4.1"]
+      command: ["--service", "python", "6.5.0"]
  # Cache downloaded dependencies and plugins between builds.
  # To keep cache across branches add 'key: "$CI_JOB_NAME"'
  cache: