ci: use submodules, add dependabot, automatically update

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @pomerium/dev-backend

.github/dependabot.yaml

@@ -1,5 +1,15 @@
 version: 2
 updates:
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      gitsubmodule:
+        patterns:
+          - "*"
+        exclude-patterns:
+          - "deps/github.com/pomerium/*"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

.github/workflows/build.yaml

@@ -0,0 +1,16 @@
+name: Build
+
+on:
+  pull_request:
+    branches-ignore:
+      - "dependabot/**"
+  push:
+    branches:
+      - "main"
+
+jobs:
+  build:
+    name: Build
+    uses: ./.github/workflows/reusable-build.yaml
+    with:
+      ref: ${{ github.head_ref }}

.github/workflows/dependabot.yaml

@@ -0,0 +1,34 @@
+name: Dependabot
+
+on:
+  pull_request:
+    branches:
+      - "dependabot/**"
+
+jobs:
+  generate:
+    name: Generate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          ref: ${{ github.head_ref }}
+          submodules: "true"
+          token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
+
+      - name: Generate
+        run: make generate
+
+      - name: Commit
+        uses: devops-infra/action-commit-push@e6a24fad602d1f92e46432c89a7e0c7fdd45d62d
+        with:
+          github_token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
+          commit_message: "dependabot: generate"
+
+  build:
+    name: Build
+    needs: generate
+    uses: ./.github/workflows/reusable-build.yaml
+    with:
+      ref: ${{ github.head_ref }}

.github/workflows/reusable-build.yaml

@@ -0,0 +1,28 @@
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Setup Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Test
+        run: make test

.github/workflows/update-pomerium.yaml

@@ -0,0 +1,42 @@
+name: Update Pomerium
+
+on:
+  schedule:
+    - cron: "40 1 * * *"
+  workflow_dispatch:
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          submodules: "true"
+          token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
+
+      - name: Update Pomerium
+        run: make update-pomerium
+
+      - name: Generate
+        run: make generate
+
+      - name: Check for changes
+        id: git-diff
+        run: |
+          git config --global user.email "apparitor@users.noreply.github.com"
+          git config --global user.name "GitHub Actions"
+          git add deps/github.com/pomerium
+          git diff --cached --exit-code || echo "changed=true" >> $GITHUB_OUTPUT
+
+      - name: Create Pull Request
+        if: ${{ steps.git-diff.outputs.changed }} == 'true'
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
+        with:
+          author: GitHub Actions <apparitor@users.noreply.github.com>
+          body: "This PR updates Pomerium Dependencies"
+          commit-message: "ci: update pomerium dependencies"
+          delete-branch: true
+          labels: ci
+          title: "ci: update pomerium dependencies"
+          token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}

.gitignore

@@ -146,5 +146,3 @@ cython_debug/
 # End of https://www.toptal.com/developers/gitignore/api/python
 
 # Custom rules (everything added below won't be overriden by 'Generate .gitignore File' if you use 'Update' option)
-
-deps/

.gitmodules

@@ -0,0 +1,12 @@
+[submodule "deps/github.com/pomerium/enterprise-client"]
+	path = deps/github.com/pomerium/enterprise-client
+	url = git@github.com:pomerium/enterprise-client
+[submodule "deps/github.com/envoyproxy/protoc-gen-validate"]
+	path = deps/github.com/envoyproxy/protoc-gen-validate
+	url = git@github.com:envoyproxy/protoc-gen-validate
+[submodule "deps/github.com/census-instrumentation/opencensus-proto"]
+	path = deps/github.com/census-instrumentation/opencensus-proto
+	url = git@github.com:census-instrumentation/opencensus-proto
+[submodule "deps/github.com/open-telemetry/opentelemetry-proto"]
+	path = deps/github.com/open-telemetry/opentelemetry-proto
+	url = git@github.com:open-telemetry/opentelemetry-proto

Makefile

@@ -1,19 +1,29 @@
 PYTHON:=python3
 
 .PHONY: all
-all: test pkg
+all: generate test pkg
 
 .PHONY: pkg
-pkg:
+pkg: install
 	@echo "==> $@"
+	$(PYTHON) -m pip install build
 	$(PYTHON) -m build .
 
-.PHONY: update
-update:
+.PHONY: generate
+generate: install
 	@echo "==> $@"
-	@scripts/update
+	@scripts/generate
+
+.PHONY: install
+install:
+	$(PYTHON) -m pip install .
 
 .PHONY: test
-test:
+test: install
 	@echo "==> $@"
 	PYTHONPATH=src/ $(PYTHON) -m unittest discover -s src -v
+
+.PHONY: update-pomerium
+update-pomerium:
+	@echo "==> $@"
+	git submodule update --remote deps/github.com/pomerium

scripts/generate

@@ -0,0 +1,96 @@
+#!/bin/bash
+set -euo pipefail
+
+_scripts_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
+_root_dir="$(dirname "$_scripts_dir")"
+_deps_dir="$_root_dir/deps"
+
+function replace-in-file() {
+	if [ "$(uname)" = 'Darwin' ]; then
+		# for MacOS
+		sed -i '' -E "$1" "$2"
+	else
+		# for Linux and Windows
+		sed -i'' -E "$1" "$2"
+	fi
+}
+
+function download() {
+	local _url="$1"
+	local _dst="$2"
+
+	echo "downloading $_url to $_dst"
+	curl \
+		--silent \
+		--compressed \
+		--fail \
+		--location \
+		--time-cond "$_dst" \
+		--output "$_dst" \
+		"$_url"
+}
+
+function join_by() {
+	local IFS="$1"
+	shift
+	echo "$*"
+}
+
+_proto_files=(
+	activity_log.proto
+	clusters.proto
+	devices.proto
+	external_data_sources.proto
+	key_chain.proto
+	namespaces.proto
+	policy.proto
+	report.proto
+	route_health_check.proto
+	route_redirect_action.proto
+	routes.proto
+	settings.proto
+	types.proto
+	users.proto
+)
+
+echo "installing python dependencies"
+pip install \
+	'wheel==0.45.1' \
+	'protobuf==5.29.4' \
+	'grpcio==1.71.0' \
+	'grpcio-tools==1.71.0' \
+	'mypy-protobuf==3.6.0'
+
+(
+	cd "$_root_dir"
+
+	echo "generating dependency protobuf code"
+	python -m grpc_tools.protoc \
+		-I "$_deps_dir/github.com/envoyproxy/protoc-gen-validate" \
+		-I "$_deps_dir/github.com/census-instrumentation/opencensus-proto/src" \
+		-I "$_deps_dir/github.com/open-telemetry/opentelemetry-proto" \
+		-I "$_deps_dir/github.com/prometheus/client_model" \
+		--python_out="src" \
+		$(cd deps/github.com/envoyproxy/protoc-gen-validate && find . -regex '.*\.proto' | sed 's|^./||')
+
+	echo "generating enterprise-client protobuf code"
+	mkdir -p src/pomerium/pb
+	python -m grpc_tools.protoc \
+		-I "$_deps_dir" \
+		-I "$_deps_dir/github.com/envoyproxy/protoc-gen-validate" \
+		-I "$_deps_dir/github.com/pomerium/enterprise-client/protos/pomerium-console" \
+		--mypy_out="src/pomerium/pb" \
+		--mypy_grpc_out="src/pomerium/pb" \
+		--python_out="src/pomerium/pb" \
+		--grpc_python_out="src/pomerium/pb" \
+		"${_proto_files[@]}"
+
+	# fix package names for grpc
+	for _file in src/pomerium/pb/*.py; do
+		replace-in-file 's/^import ([a-z_]+)_pb2/import pomerium.pb.\1_pb2/' "$_file"
+	done
+
+	# add __init__ files
+	find src -type d -exec touch __init__.py \;
+	rm __init__.py
+)