Merge branch 'master' into dependabot/github_actions/actions/download-artifact-8

Author: dvershinin

.github/workflows/dockerpublish.yml

@@ -25,28 +25,28 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
       - name: Log in to the Container registry
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
         with:
           images: |
             ${{ github.repository }}
             ghcr.io/${{ github.repository }}
 
       - name: Build and push Docker images
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           context: .
           push: true

.github/workflows/rpmbuild.yml

@@ -9,9 +9,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Install SSH key
-      uses: shimataro/ssh-key-action@v2
+      uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3  # v2.8.1
       with:
         key: ${{ secrets.BUILDER_SSH_KEY }}
         known_hosts: ${{ secrets.BUILDER_SSH_KNOWN_HOSTS }}
     - name: Trigger RPM build
-      run: ${{ secrets.RPM_BUILD_CMD }}
+      run: eval "$RPM_BUILD_CMD"
+      env:
+        RPM_BUILD_CMD: ${{ secrets.RPM_BUILD_CMD }}

CLAUDE.md

@@ -0,0 +1,90 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project
+
+**lastversion** — CLI tool and Python library that finds the latest stable release version of software projects across multiple hosting platforms (GitHub, GitLab, PyPI, Bitbucket, SourceForge, WordPress, etc.). Used heavily in RPM build automation and CI/CD pipelines.
+
+## Development Setup
+
+- **Virtualenv:** `~/.virtualenvs/lastversion/`
+- **Secrets:** Source `~/.secrets` before running tests (contains `GITHUB_API_TOKEN` and other API tokens)
+
+## Common Commands
+
+```bash
+# Run all tests (sources secrets, activates venv, parallel execution with 10min timeout)
+make test
+
+# Run a single test
+source ~/.secrets && ~/.virtualenvs/lastversion/bin/python -m pytest tests/test_github.py::test_function_name -v
+
+# Lint
+~/.virtualenvs/lastversion/bin/python -m flake8 src tests
+~/.virtualenvs/lastversion/bin/python -m pylint src tests
+
+# Security scan
+~/.virtualenvs/lastversion/bin/python -m bandit -c pyproject.toml -r src/lastversion
+
+# Release (CI auto-publishes to PyPI on GitHub release creation)
+# 1. Bump __version__ in src/lastversion/__about__.py
+# 2. Commit: git commit -m "chore(release): X.Y.Z"
+# 3. Tag: git tag -s vX.Y.Z -m "vX.Y.Z"
+# 4. Push: git push origin master && git push origin vX.Y.Z
+# 5. Create release: gh release create vX.Y.Z --title "vX.Y.Z" --notes "..."
+# CI workflow pythonpublish.yml handles PyPI upload automatically.
+# Do NOT use `make publish` or manual `twine upload`.
+make publish  # backup only, prefer CI
+
+# Build single binary
+make one-file
+```
+
+## Architecture
+
+### Repository Holder Pattern
+
+Core abstraction: `BaseProjectHolder` (in `src/lastversion/repo_holders/base.py`) is the abstract base class for all hosting platform adapters. Each adapter lives in `src/lastversion/repo_holders/` and implements release discovery for its platform.
+
+`HolderFactory` (`holder_factory.py`) maintains an ordered registry of adapters and selects the appropriate one based on the input URL/name. Detection order matters — adapters are tried in registration order.
+
+### Key Modules
+
+- **`lastversion.py`** — Core logic: `latest()`, `has_update()`, `check_version()` entry points
+- **`cli.py`** — CLI argument parsing, all subcommands (get, download, extract, install, update-spec, etc.)
+- **`version.py`** — `Version` class extending `packaging.Version` with normalization for messy real-world version strings (dashed versions, Java-style, pre-release variants)
+- **`cache.py`** — Dual-level caching: HTTP-level (CacheControl/ETag) + release-data-level (File or Redis backend) with PID-based file locking
+- **`config.py`** — Platform-aware config singleton (`~/.config/lastversion/lastversion.yml` on Linux, `~/Library/Application Support/lastversion/lastversion.yml` on macOS)
+
+### GitHub Adapter (`repo_holders/github.py`)
+
+Most complex adapter. Uses GraphQL API with REST fallback. Handles rate limiting, API tokens (`GITHUB_API_TOKEN`/`GITHUB_TOKEN` env vars), commit-based version extraction, and release note parsing.
+
+### RPM Spec Integration
+
+`update-spec` command parses `.spec` files for `%{upstream_github}`, `%global lastversion_repo`, and `%global lastversion_*` directives to determine repo and version constraints.
+
+## Testing
+
+- **Framework:** pytest with pytest-xdist (parallel: `-n auto`)
+- **CI matrix:** Python 3.6, 3.9, 3.13
+- Tests include live API calls — require valid API tokens
+- Test files mirror the module structure: `test_github.py`, `test_gitlab.py`, `test_pypi.py`, etc.
+- Helper utilities in `tests/helpers.py`
+
+## Linting
+
+- **flake8:** max-line-length=120, select C,E,F,W,B,B950, ignore E203/E501/E704 (configured in `setup.cfg`)
+- **bandit:** security scanning configured in `pyproject.toml`
+- **pre-commit:** ruff, flake8, black, isort, bandit — all at line-length 120
+
+## Code Style
+
+- **Docstrings:** Google-style on all new/modified functions. First line: one-sentence imperative summary ending with a period. Include Args, Returns, Raises sections with type info even if type hints exist. Document coroutine behavior where relevant.
+- **Interpreter:** Always use `~/.virtualenvs/lastversion/bin/python` — never bare `python` or `pytest`.
+- **PRs:** Must include docstrings for new/modified functions. Must update `.cursor/rules/` if adding new modules or architectural changes.
+
+## Python Compatibility
+
+Supports Python 3.6+. Conditional dependencies exist for `cachecontrol` and `urllib3` based on Python version (see `setup.py`).

Dockerfile

@@ -1,5 +1,5 @@
 # Use a lightweight base image with Python and pip installed
-FROM python:3.13-alpine
+FROM python:3.13-alpine # NOSONAR - root required for GitHub Actions workspace compatibility
 
 # Using "lastversion" user as provided by some linter was a mistake and causes issues with GitHub actions being ran as "runner"
 # and lastversion running as a different user and being unable to work with workspace files for extracting to its directory

docs/requirements.txt

@@ -4,3 +4,4 @@ mkdocs-material
 mkdocstrings[crystal,python]
 markdown-include
 pymdown-extensions
+markdown>=3.8.1 # not directly required, pinned by Snyk to avoid a vulnerability

scripts/check_docs_frontmatter.py

@@ -27,7 +27,7 @@
 REQUIRED_FIELDS = ["title", "description"]
 
 # Regex to extract YAML front-matter
-FRONTMATTER_REGEX = re.compile(r"^---\s*\n(.*?)\n---\s*\n", re.DOTALL)
+FRONTMATTER_REGEX = re.compile(r"^---[ \t]*\n(.*?)\n---[ \t]*\n", re.DOTALL)
 
 
 def is_excluded(filepath: Path) -> bool:

src/lastversion/cli.py

@@ -494,8 +494,8 @@ def main(argv=None):
         args.repo = __self__
 
     # "expand" repo:1.2 as repo --branch 1.2
-    # noinspection HttpUrlsUsage
-    if ":" in args.repo and not (args.repo.startswith(("https://", "http://")) and args.repo.count(":") == 1):
+    _url_prefixes = ("https://", "http://")  # NOSONAR - URL parsing, not HTTP request
+    if ":" in args.repo and not (args.repo.startswith(_url_prefixes) and args.repo.count(":") == 1):
         # right split ':' once only to preserve it in protocol of URLs
         # https://github.com/repo/owner:2.1
         repo_args = args.repo.rsplit(":", 1)

src/lastversion/lastversion.py

@@ -99,7 +99,7 @@ def get_repo_data_from_spec(rpmspec_filename):
             elif line.startswith("Source0:"):
                 source0 = line.split("Source0:")[1].strip()
                 # noinspection HttpUrlsUsage
-                if source0.startswith("https://") or source0.startswith("http://"):
+                if source0.startswith("https://") or source0.startswith("http://"):  # NOSONAR
                     spec_urls.append(source0)
             elif line.startswith("%global upstream_version "):
                 current_version = shlex.split(line)[2].strip()

src/lastversion/repo_holders/alpine.py

@@ -101,7 +101,7 @@ def _fetch_package_from_index(self, branch, apk_repo, arch):
 
             # APKINDEX is a tar.gz containing an APKINDEX file
             tar_bytes = io.BytesIO(response.content)
-            with tarfile.open(fileobj=tar_bytes, mode="r:gz") as tar:
+            with tarfile.open(fileobj=tar_bytes, mode="r:gz") as tar:  # NOSONAR
                 for member in tar.getmembers():
                     if member.name == "APKINDEX":
                         file_obj = tar.extractfile(member)

src/lastversion/repo_holders/base.py

@@ -68,7 +68,7 @@ def _is_process_alive(pid):
         return False
     try:
         # On Unix, signal 0 doesn't kill but checks if process exists
-        os.kill(pid, 0)
+        os.kill(pid, 0)  # NOSONAR
         return True
     except OSError as err:
         # ESRCH = No such process, EPERM = Permission denied (process exists)