fix(docker): switch Dockerfile to Python 3.14 and uv (#8)

Reviewed-on: #8

.gitea/CODEOWNERS

@@ -0,0 +1 @@
+*   @luke

.gitea/workflows/ci.yml

@@ -0,0 +1,95 @@
+name: CI
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.3.0
+        with:
+          dockerfile: Dockerfile
+          output-file: hadolint.out
+          format: sonarqube
+          no-fail: true
+
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.14"
+
+      - name: uv cache
+        uses: actions/cache@v5
+        with:
+          path: /tmp/.uv-cache
+          key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
+            uv-${{ runner.os }}
+
+      - name: Install dependencies
+        run: uv sync
+      
+      - name: Check Import Sorting
+        run: uv run isort --check app/ tests/
+
+      - name: Lint
+        run: |
+          uv run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/
+          cat lintreport.txt
+
+      - name: Unit Test
+        run: |
+          uv run coverage run -m pytest -v --junitxml=testresults.xml
+          uv run coverage report
+        # sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
+
+      - name: Minimize uv cache
+        run: uv cache prune --ci
+
+      # - name: SonarQube Scan
+      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
+      #   env:
+      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+
+      - name: Set up environment for Snyk
+        run: |
+          uv pip freeze > requirements.txt
+          mv pyproject.toml pyproject.toml.bak
+          mv uv.lock uv.lock.bak
+
+      - name: Snyk SAST Scan
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          # command: snyk
+          args: snyk code test #--all-projects --exclude=.archive
+
+      # - name: Snyk Vulnerability Scan
+      #   uses: snyk/actions/python@master
+      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
+      #   env:
+      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      #     DEBUG: "*snyk*"
+      #   with:
+      #     # command: snyk
+      #     args: snyk test #--all-projects --exclude=.archive
+      
+      - name: Reverse set up environment for Snyk
+        run: |
+          rm -f requirements.txt
+          mv pyproject.toml.bak pyproject.toml
+          mv uv.lock.bak uv.lock

.gitea/workflows/conventional_commit.yml

@@ -0,0 +1,16 @@
+name: Validate PR Title
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: https://git.tainton.uk/actions/conventional-commits-check-action@v1.3.0
+        with:
+          commit-message: ${{ gitea.event.pull_request.title }}

.gitea/workflows/release.yml

@@ -0,0 +1,98 @@
+name: Release
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 9 * * 0'
+
+jobs:
+  tag:
+    name: Tag release
+    uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/release-with-tag.yaml@main
+
+  create_release:
+    name: Create Release
+    needs: tag
+    uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/create-release-preexisting-tag.yaml@main
+    with:
+      tag: ${{ needs.tag.outputs.tag_name }}
+      body: ${{ needs.tag.outputs.changelog }}
+    secrets:
+      ACTIONS_TOKEN: ${{ secrets.ACTIONS_TOKEN }}
+
+  create_docker:
+    name: Publish Docker Images
+    runs-on: ubuntu-latest
+    needs: [tag, create_release]
+    steps:
+      - name: Update Docker configuration
+        continue-on-error: true
+        run: |
+          mkdir -p /etc/default
+          mkdir -p /etc/docker
+          touch -a /etc/default/docker
+          touch -a /etc/docker/daemon.json
+          echo "DOCKER_OPTS=\"--insecure-registry ${{ vars.PACKAGES_REGISTRY_URL }}\"" >> /etc/default/docker
+          echo "{\"insecure-registries\": [\"${{ vars.PACKAGES_REGISTRY_URL }}\"]}" > /etc/docker/daemon.json
+
+      - name: Get repo name
+        id: split
+        run: echo "repo=${REPO##*/}" >> "$GITEA_OUTPUT"
+        env:
+          REPO: ${{ gitea.repository }}
+
+      - name: Check out repository
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+          ref: ${{ needs.tag.outputs.tag_name }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.PACKAGES_REGISTRY_URL }}
+          username: ${{ vars.ACTIONS_USERNAME }}
+          password: ${{ secrets.ACTIONS_TOKEN }}
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ vars.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          tags: type=semver,pattern=v{{version}},value=${{ needs.tag.outputs.tag_name }}
+          images: |
+            ghcr.io/${{ vars.GHCR_USERNAME }}/${{ steps.split.outputs.repo }}
+            ${{ vars.PACKAGES_REGISTRY_URL }}/${{ gitea.repository }}
+
+      - name: Print metadata
+        run: |
+          printf "Annotations:\n${{ steps.meta.outputs.annotations }}"
+          echo ""
+          printf "Labels:\n${{ steps.meta.outputs.labels }}"
+          echo ""
+          printf "Tags:\n${{ steps.meta.outputs.tags }}"
+
+      - name: Build images
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          load: true
+          annotations: ${{ steps.meta.outputs.annotations }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+
+      - name: Push images
+        run: |
+          strtags="${{ steps.meta.outputs.tags }}"
+          readarray -t lines <<<"$strtags"
+          for element in "${lines[@]}"; do docker push "$element"; done
+          unset strtags lines

.gitea/workflows/snyk.yml

@@ -0,0 +1,24 @@
+name: Snyk
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "@daily"
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v6.0.1
+
+      - name: Snyk
+        uses: snyk/actions/python@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor

Dockerfile

@@ -1,18 +1,23 @@
-FROM python:3.14-slim
+FROM python:3.14.2-slim
 LABEL maintainer="Luke Tainton <luke@tainton.uk>"
-LABEL org.opencontainers.image.source="https://github.com/luketainton/6to4_converter"
 USER root
 
-ENV PYTHONPATH="/run:/usr/local/lib/python3.11/lib-dynload:/usr/local/lib/python3.11/site-packages:/usr/local/lib/python3.11"
+ENV PYTHONPATH="/run:/usr/local/lib/python3.14/lib-dynload:/usr/local/lib/python3.14/site-packages:/usr/local/lib/python3.14"
+ENV UV_PROJECT_ENVIRONMENT="/usr/local/"
+
 WORKDIR /run
 
 RUN mkdir -p /.local && \
     chmod -R 777 /.local && \
-    pip install -U pip
+    pip install -U pip uv==0.9.21
 
-COPY requirements.txt /run/requirements.txt
-RUN pip install --no-cache-dir -r requirements.txt
+COPY pyproject.toml /run/pyproject.toml
+COPY uv.lock /run/uv.lock
+# needed for PDM build
+COPY README.md /run/README.md
 
-ENTRYPOINT ["python3", "-B", "-m", "app.main"]
+RUN uv sync --frozen
+
+ENTRYPOINT ["uv", "run", "python", "-B", "-m", "app.main"]
 
 COPY app /run/app

README.md

@@ -1,10 +1,11 @@
-# 6to4_converter [![CI](https://github.com/luketainton/6to4_converter/actions/workflows/merge-to-main.yml/badge.svg?branch=main)](https://github.com/luketainton/6to4_converter/actions/workflows/merge-to-main.yml) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=luketainton_6to4_converter&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=luketainton_6to4_converter)
+# 6to4_converter
 
 ## Description
 Simple script to convert IPv4 addresses to 6to4 addresses. See RFC 3056 for details.
 
 ## How to install
 - Clone the repository.
+- Run `uv sync`.
 
 ## How to use
-- Run `python3 app/main.py --help` for information on how to use this script.
+- Run `uv run python -m app.main --help` for information on how to use this script.

renovate.json

@@ -0,0 +1,23 @@
+{
+  "assignAutomerge": false,
+  "assigneesFromCodeOwners": false,
+  "dependencyDashboardAutoclose": true,
+  "extends": ["config:recommended"],
+  "ignorePaths": ["**/.archive/**"],
+  "labels": ["type/dependencies"],
+  "platformCommit": "enabled",
+  "rebaseWhen": "behind-base-branch",
+  "rollbackPrs": true,
+  "semanticCommits": "enabled",
+  "semanticCommitScope": "deps",
+  "semanticCommitType": "feat",
+  "vulnerabilityAlerts": {
+    "commitMessagePrefix": "[SECURITY] ",
+    "enabled": true,
+    "labels": ["security"],
+    "prCreation": "immediate"
+  },
+  "lockFileMaintenance": {
+    "enabled": true
+  }
+}