churn: update pre-commit

.github/workflows/release.yml

@@ -99,7 +99,7 @@ jobs:
             git commit -a -m "Releasing version $RELEASE_VERSION"
             git push origin ${{ github.ref }}
           fi
-          
+
           echo "RELEASE_TAG=v$RELEASE_VERSION" >> $GITHUB_OUTPUT
 
       - name: Tag release

.gitignore

@@ -8,11 +8,12 @@ __pycache__/
 .vscode
 
 dist
+site
 .venv/
 .cache/
 
 ### Ignoring otterdog out directory orgs
-orgs*
+orgs/
 
 ### Ignoring data to test
 data

.pre-commit-config.yaml

@@ -1,4 +1,4 @@
-files: '^(otterdog|tests)/'
+exclude: '^(mkdocs.yml|scripts|otterdog-complete.bash)'
 default_language_version:
     python: python3.10
 repos:
@@ -11,7 +11,7 @@ repos:
       - id: mixed-line-ending
       - id: trailing-whitespace
   - repo: https://github.com/psf/black
-    rev: 23.10.1
+    rev: 24.1.1
     hooks:
       - id: black
   - repo: https://github.com/asottile/blacken-docs
@@ -20,15 +20,19 @@ repos:
       - id: blacken-docs
         args: [--skip-errors, --skip-string-normalization]
   - repo: https://github.com/timothycrosley/isort
-    rev: 5.12.0
+    rev: 5.13.2
     hooks:
       - id: isort
   - repo: https://github.com/pycqa/flake8
-    rev: 6.1.0
+    rev: 7.0.0
     hooks:
       - id: flake8
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.6.1
+    rev: v1.8.0
     hooks:
       - id: mypy
         additional_dependencies: [types-requests]
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.9.0.6
+    hooks:
+    -   id: shellcheck

.readthedocs.yaml

@@ -16,4 +16,4 @@ build:
       - poetry install --only=docs
 
 mkdocs:
-  configuration: mkdocs.yml
+  configuration: mkdocs.yml

LICENSE

@@ -274,4 +274,4 @@ version(s), and exceptions or additional permissions here}."
   file in a relevant directory) where a recipient would be likely to
   look for such a notice.
 
-  You may add additional accurate notices of copyright ownership.
+  You may add additional accurate notices of copyright ownership.

Makefile

@@ -46,7 +46,7 @@ container_build_dev:
 container_clean:
 	$(call CONTAINER_CLEANER,$(image_version))
 
-container_clean_dev: 
+container_clean_dev:
 	$(call CONTAINER_CLEANER,"dev")
 
 define CONTAINER_BUILDER

docker/Dockerfile

@@ -51,4 +51,4 @@ WORKDIR /app
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PYTHONUNBUFFERED 1
 
-ENTRYPOINT ["/app/entrypoint.sh"]
+ENTRYPOINT ["/app/entrypoint.sh"]

docker/control.sh

@@ -35,7 +35,7 @@ printHelp () {
 }
 
 dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
-pushd $dir > /dev/null
+pushd "$dir" > /dev/null
 
 case "$1" in
 start)
@@ -73,4 +73,4 @@ logs)
 	;;
 esac
 
-popd > /dev/null
+popd > /dev/null

docker/hypercorn-cfg.toml

@@ -2,4 +2,4 @@ bind = "0.0.0.0:5000"
 workers = 1
 accesslog = '-'
 loglevel = 'info'
-h11_max_incomplete_size = 4
+h11_max_incomplete_size = 4

docs/contributing.md

@@ -77,7 +77,7 @@ TODO
 
 ## Documentation style
 
-Documentation is written in Markdown and built using [Material for MkDocs](https://squidfunk.github.io/mkdocs-material/). 
+Documentation is written in Markdown and built using [Material for MkDocs](https://squidfunk.github.io/mkdocs-material/).
 
 ### Code documentation
 
@@ -125,4 +125,3 @@ You may include example code in docstrings. This code should be complete, self-c
     Class attributes should be documented in the class docstring.
 
     Instance attributes should be documented as "Args" in the `__init__` docstring.
-

docs/index.md

@@ -1,8 +1,8 @@
-[`Otterdog`](https://gitlab.eclipse.org/eclipsefdn/security/otterdog/) is a tool to manage GitHub organizations at 
-scale using an infrastructure as code approach. It is actively developed by the 
-[Eclipse Foundation](https://www.eclipse.org/) and used to manage its numerous projects hosted on 
+[`Otterdog`](https://gitlab.eclipse.org/eclipsefdn/security/otterdog/) is a tool to manage GitHub organizations at
+scale using an infrastructure as code approach. It is actively developed by the
+[Eclipse Foundation](https://www.eclipse.org/) and used to manage its numerous projects hosted on
 [GitHub](https://eclipsefdn.github.io/otterdog-configs/).
 
 The infrastructure configuration for enabled GitHub organizations is hosted in a separate repository of the
 organization itself and contributors can suggest changes to the configuration via pull requests. Changes to the
-configuration need to be approved by the configured teams and applied manually using the `otterdog` command line tool.
+configuration need to be approved by the configured teams and applied manually using the `otterdog` command line tool.

docs/install.md

@@ -48,7 +48,7 @@ apt install pass
 
 ## Build instructions
 
-After installing the required system dependencies, a virtual python environment needs to be setup 
+After installing the required system dependencies, a virtual python environment needs to be setup
 and populated with all python dependencies:
 
 ```console
@@ -61,7 +61,7 @@ You should be set to finally run otterdog:
 $ ./otterdog.sh --version
 ```
 
-Additionally, `make init` creates a symlink called `otterdog` in `~/.local/bin`, so you can also run it like that: 
+Additionally, `make init` creates a symlink called `otterdog` in `~/.local/bin`, so you can also run it like that:
 
 ```console
 $ otterdog --version
@@ -81,5 +81,5 @@ To enable shell completion, add the following snippet to your shell configuratio
     eval "$(_OTTERDOG_COMPLETE=zsh_source otterdog)"
     ```
 
-When running `otterdog` in a directory that contains a `otterdog.json` file, shell completion will be able to suggest 
-organizations found in the `otterdog.json` file.
+When running `otterdog` in a directory that contains a `otterdog.json` file, shell completion will be able to suggest
+organizations found in the `otterdog.json` file.

docs/reference/operations/apply.md

@@ -32,14 +32,14 @@ When the `apply` operation is executed, the following happens:
 !!! note
 
     As otterdog does not maintain any local state, it can not determine if secret values need to be updated as
-    GitHub will not disclose secret values via their APIs anymore after they have been set. As a consequence, 
-    `otterdog` will not update secret values by default unless `--update-secrets` or `--update-webhooks` 
+    GitHub will not disclose secret values via their APIs anymore after they have been set. As a consequence,
+    `otterdog` will not update secret values by default unless `--update-secrets` or `--update-webhooks`
     has been specified.
 
 ## Example
 
 ```shell
-tn@proteus:~/.../otterdog-configs$ otterdog apply adoptium 
+tn@proteus:~/.../otterdog-configs$ otterdog apply adoptium
 
 Apply changes for configuration at '.../otterdog-configs/otterdog.json'
 
@@ -51,7 +51,7 @@ Actions are indicated with the following symbols:
 
 Organization adoptium[id=adoptium]
   there have been 4 validation infos, enable verbose output with '-v' to to display them.
-  
+
   ~ settings {
     ~ name                                                     = "Eclipse Adoptium" -> "Eclipse Adoptium Project"
     }

docs/reference/operations/import.md

@@ -7,8 +7,8 @@ them locally in a file `<github-id>/<github-id>.jsonnet` in the organization spe
   -c, --config FILE  configuration file to use  [default: otterdog.json]
   -f, --force        skips interactive approvals
   -n, --no-web-ui    skip settings retrieved via web ui
-  
-  --local            work in local mode, not updating the referenced default config  
+
+  --local            work in local mode, not updating the referenced default config
 
   -v, --verbose      enable verbose output (-vvv for more verbose output)
   -h, --help         Show this message and exit.

docs/reference/operations/index.md

@@ -37,5 +37,3 @@ Commands:
 When running `otterdog`, all used data is stored and accessed locally. The configuration files for each
 organization are expected to be at location `$CWD/<config-dir>/<github-id>/`, where `<config-dir>` can be configured
 in `otterdog.json` and defaults to `orgs`.
-
-

docs/reference/organization/repository/branch-protection-rule.md

@@ -28,9 +28,9 @@ Definition of a Branch Protection Rule, the following properties are supported:
 | _allows_force_pushes_              | boolean                                | If enabled, actors with push permission can force push to matching branches                                                                                                                 | This property takes precedence over `bypass_force_push_allowances` if enabled, allowing all users with write access to force push                                                                                                                                                                                    |
 | _bypass_force_push_allowances_     | list\[[Actor](actor.md)\]              | List of actors able to force push to matching branches                                                                                                                                      | This property is only taken into account when `allows_force_pushes` is disabled                                                                                                                                                                                                                                      |
 | _allows_deletions_                 | boolean                                | If enabled, allows actors with push permission to delete matching branches                                                                                                                  |                                                                                                                                                                                                                                                                                                                      |
- 
+
 !!! note
-    
+
     Property `allows_force_pushes` takes precedence of `bypass_force_push_allowances`. If it is enabled, any actor with
     write permissions can force push to matching branches. If you want to specify a list of actors that are allowed to
     force push, set `allows_force_pushes` to `false` and specify the allowed list of actors in `bypass_force_push_allowances`.

docs/reference/organization/repository/index.md

@@ -32,7 +32,7 @@ Definition of a Repository for a GitHub organization, the following properties a
 | _is_template_                         | boolean                                                   | If the repo is can be used as a template repository                                     |                                                                                          |
 | _merge_commit_message_                | string                                                    | Can be PR_BODY, PR_TITLE, or BLANK for a default merge commit message                   |                                                                                          |
 | _merge_commit_title_                  | string                                                    | Can be PR_TITLE or MERGE_MESSAGE for a default merge commit title                       |                                                                                          |
-| _post_process_template_content_       | list[string]                                              | A list of content paths in a template repository that shall be processed after creation | only considered during creation                                                          | 
+| _post_process_template_content_       | list[string]                                              | A list of content paths in a template repository that shall be processed after creation | only considered during creation                                                          |
 | _secret_scanning_                     | string                                                    | If secret scanning is "enabled" or "disabled"                                           |                                                                                          |
 | _secret_scanning_push_protection_     | string                                                    | If secret scanning push protection is "enabled" or "disabled"                           |                                                                                          |
 | _squash_merge_commit_message_         | string                                                    | Can be PR_BODY, COMMIT_MESSAGES, or BLANK for a default squash merge commit message     |                                                                                          |
@@ -67,7 +67,7 @@ Definition of a Repository for a GitHub organization, the following properties a
 !!! note
 
     In general, you will only ever use `orgs.newRepo` as this function will define a new repository with default
-    values. However, in some cases it might be needed to change properties for a repo that has already been defined 
+    values. However, in some cases it might be needed to change properties for a repo that has already been defined
     in the default configuration. In such situation, you should use `orgs.extendRepo`.
 
 ## Validation rules

docs/reference/organization/repository/ruleset.md

@@ -30,9 +30,9 @@ Rulesets can be used for use-cases (e.g. to support auto merging of pull request
 - define a set of required status checks
 - define a set of users that can bypass pull requests
 
-Branch Protection Rules always consider the required status checks, even when directly pushing to the branch, e.g. when no pull request 
+Branch Protection Rules always consider the required status checks, even when directly pushing to the branch, e.g. when no pull request
 is required, or you can push due to a bypass allowance. This can be modelled with Rulesets though, as the bypass actors as defined for a Ruleset
-are taken into account for all settings (except `allows_force_pushes`), while the bypass allowance for Branch Protection Rules only apply for 
+are taken into account for all settings (except `allows_force_pushes`), while the bypass allowance for Branch Protection Rules only apply for
 pull requests in general.
 
 ## Jsonnet Function

docs/reference/organization/repository/status-check.md

@@ -20,19 +20,19 @@ Given the following workflows `ci.yaml` and `job-legal.yaml` in a GitHub reposit
 
     ```yaml
     name: ci
-    
+
     on:
       pull_request:
         ...
-    
+
     jobs:
       build:
         ...
-    
+
       test:
         name: testing
         ...
-    
+
       call-legal:
         uses: ./.github/workflows/job-legal.yaml
     ```
@@ -44,7 +44,7 @@ Given the following workflows `ci.yaml` and `job-legal.yaml` in a GitHub reposit
     on:
       workflow_call:  # allow this workflow to be called from other workflows
         ...
-    
+
     jobs:
       legal:
         name: Legal Checks
@@ -62,7 +62,7 @@ Rules for translating jobs to stats-checks:
 - if a job has no name specified, use its id
 - if reusable workflows are called, join the jobs in their call hierarchy with ` / `.
 
-Now, as an example to protect the `main` branch by enforcing specific status checks to pass before a pull request can be merged into it, 
+Now, as an example to protect the `main` branch by enforcing specific status checks to pass before a pull request can be merged into it,
 you can add the status checks as below:
 
 ```jsonnet
@@ -72,4 +72,4 @@ orgs.newBranchProtectionRule('main') {
         "call-legal / Legal Checks"
     ]
 }
-```
+```

docs/reference/organization/repository/workflow-settings.md

@@ -21,7 +21,7 @@ Definition of workflow settings on repository level, the following properties ar
     ``` jsonnet
     orgs.newRepo('jdk21u') {
         ...
-        workflows+: { 
+        workflows+: {
             enabled: false,
         },
         ...

docs/reference/organization/settings.md

@@ -49,7 +49,7 @@ The following table captures all supported settings on organization level:
 === "jsonnet"
     ``` jsonnet
     orgs.newOrg('adoptium') {
-        settings+: { 
+        settings+: {
             blog: "https://adoptium.net",
             default_repository_permission: "none",
             description: "The Adoptium Working Group ...",

docs/reference/organization/workflow-settings.md

@@ -22,7 +22,7 @@ Definition of workflow settings on organization level, the following properties
 === "jsonnet"
     ``` jsonnet
     orgs.newOrg('adoptium') {
-        settings+: { 
+        settings+: {
             blog: "https://adoptium.net",
             default_repository_permission: "none",
             description: "The Adoptium Working Group ...",

docs/reference/resource-format.md

@@ -14,7 +14,7 @@ The following example illustrates the basic structure used by otterdog:
 local orgs = import 'vendor/otterdog-defaults/otterdog-defaults.libsonnet'; // (1)!
 
 orgs.newOrg('adoptium') { // (2)!
-  settings+: { 
+  settings+: {
     blog: "https://adoptium.net", // (3)!
     ...
   },
@@ -59,7 +59,7 @@ local newOrg(id) = {
 }
 ```
 
-It defines a json object with various properties and their respective values, e.g. `.settings.name` = `null`. 
+It defines a json object with various properties and their respective values, e.g. `.settings.name` = `null`.
 
 ### Concatenation
 
@@ -68,13 +68,13 @@ properties that are already defined by a function while inheriting every other o
 
 ``` jsonnet linenums="1" hl_lines="2"
 orgs.newOrg('adoptium') {
-  settings+: { 
+  settings+: {
     name: "Eclipse Adoptium",
   }
 }
 ```
 
-The resulting json object will inherit all properties defined by the function `orgs.newOrg`, but will override 
+The resulting json object will inherit all properties defined by the function `orgs.newOrg`, but will override
 the specific property `.settings.name` to the value `Eclipse Adoptium`.
 
 ``` jsonnet
@@ -96,13 +96,13 @@ On the contrary, if we would not use the `+` operator but instead use the functi
 
 ``` jsonnet linenums="1" hl_lines="2"
 orgs.newOrg('adoptium') {
-  settings: { 
+  settings: {
     name: "Eclipse Adoptium",
   }
 }
 ```
 
-the resulting json object would not include any properties in `.settings` as the whole nested 
+the resulting json object would not include any properties in `.settings` as the whole nested
 structure was replaced:
 
 ``` jsonnet
@@ -120,4 +120,3 @@ structure was replaced:
     Otterdog will use the `+` operator by default when importing the current live configuration
     of a GitHub organization. In general it is strongly discouraged to remove the `+` operator
     as it might lead to incomplete configurations due to missing properties.
-