feature/improve pdm setup (#12)

# PR Context

- repair and improve template after initial pdm switch

# Fixed

- add missing pytest-xdist dependency
- fix linting issue in `docs/conf.py`

# Security

- fix trivy cve scan to work with pdm

---------

Signed-off-by: Nicolas Drebenstedt <[email protected]>

CHANGELOG.md

@@ -24,9 +24,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - fix finding of rejected cruft files
 - fix dependabot pr review assignment
+- add missing pytest-xdist dependency
+- fix linting issue in `docs/conf.py`
 
 ### Security
 
+- fix trivy cve scan to work with pdm
+
 ## [0.1.0] - 2024-03-11
 
 ### Added

mex-{{ cookiecutter.project_name }}/.github/workflows/cve-scan.yml

@@ -26,30 +26,51 @@ jobs:
         with:
           fetch-depth: 1
 
-      - name: Cache trivy
+      - name: Cache requirements
         uses: actions/cache@v4
         env:
-          cache-name: cache-trivy
+          cache-name: cache-requirements
         with:
-          path: ~/.cache/trivy
+          path: ~/.cache/pip
+          {% raw %}key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }}{% endraw %}
+          restore-keys: |
+            {% raw %}${{ env.cache-name }}-{% endraw %}
+
+      - name: Cache environment
+        uses: actions/cache@v4
+        env:
+          cache-name: cache-environment
+        with:
+          path: ~/.cache/pip
           {% raw %}key: ${{ env.cache-name }}-${{ hashFiles('*.lock') }}{% endraw %}
           restore-keys: |
             {% raw %}${{ env.cache-name }}-{% endraw %}
 
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+
+      - name: Install requirements
+        run: make setup
+
+      - name: Export dependencies
+        run: |
+          mkdir --parents pdm
+          pdm export -G :all -f requirements > pdm/requirements.txt
+
       - name: Run trivy
         uses: aquasecurity/trivy-action@master
         with:
-          exit-code: 1
           format: 'sarif'
+          list-all-pkgs: 'true'
           output: 'trivy-results.sarif'
           scan-ref: '.'
           scan-type: 'fs'
-          severity: 'CRITICAL,HIGH'
-          list-all-pkgs: 'true'
-          ignore-unfixed: true
+          severity: 'MEDIUM,HIGH,CRITICAL'
 
       - name: Publish results
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

mex-{{ cookiecutter.project_name }}/.pre-commit-config.yaml

@@ -3,12 +3,12 @@ default_language_version:
   python: python3.11
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.3.2
+    rev: v0.3.3
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]
   - repo: https://github.com/psf/black
-    rev: 24.2.0
+    rev: 24.3.0
     hooks:
       - id: black
   - repo: https://github.com/pre-commit/pre-commit-hooks

mex-{{ cookiecutter.project_name }}/docs/conf.py

@@ -6,4 +6,4 @@
 napoleon_include_init_with_doc = True
 napoleon_include_private_with_doc = True
 project = "mex-{{ cookiecutter.project_name }}"
-templates_path = ['.']
+templates_path = ["."]

mex-{{ cookiecutter.project_name }}/pyproject.toml

@@ -9,13 +9,14 @@ urls = { Repository = "https://github.com/robert-koch-institut/mex-{{ cookiecutt
 requires-python = ">=3.11"
 dependencies = []
 optional-dependencies.dev = [
-    "black>=24.2.0",
+    "black>=24.3.0",
     "ipdb>=0.13.13",
     "mypy>=1.9.0",
     "pytest>=8.1.1",
     "pytest-cov>=4.1.0",
     "pytest-random-order>=1.1.1",
-    "ruff>=0.3.2",
+    "pytest-xdist>=3.5.0",
+    "ruff>=0.3.3",
     "sphinx>=7.2.6",
 ]