feat!: upgrate to Python 3.12, clean up code, add type hints, replace pipenv for uv

.editorconfig

@@ -12,20 +12,11 @@ indent_size = 4
 indent_style = space
 indent_size = 2
 
-[*.cfg]
-indent_style = space
-indent_size = 2
-
 [*.sh]
-indent_style = space
 indent_size = 4
 
-[Makefile]
-end_of_line = lf
-charset = utf-8
-trim_trailing_whitespace = true
-insert_final_newline = false
-indent_style = tab
+[justfile]
+indent_size = 2
 
 [*.md]
 trim_trailing_whitespace = false

.github/workflows/api-quality.tpl.yml

@@ -0,0 +1,144 @@
+---
+name: "Template: Run code checks on Python project"
+
+on:
+  workflow_call:
+    inputs:
+      ## General
+      working-directory:
+        required: true
+        type: string
+        description: |
+          "Directory in which the terraform project is located"
+      python-version:
+        required: false
+        default: "3.12"
+        type: string
+        description: |
+          "Python version to use"
+      run-tests:
+        required: false
+        type: boolean
+        description: |
+          "Run tests before zipping the lambda"
+        default: true
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+
+    services:
+      postgres:
+        image: postgres:17.5
+        env:
+          POSTGRES_DB: app
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_USER: postgres
+          POSTGRES_PORT: 5432
+        options: >-
+          --health-cmd "pg_isready --dbname=app --username=postgres"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        id: setup-python
+        with:
+          version: 0.7.5
+          python-version: ${{ inputs.python-version }}
+          enable-cache: true
+          cache-dependency-glob: |
+            **/uv.lock
+            **/pyproject.toml
+
+      - name: Cache hit
+        run: echo '${{ steps.setup-python.outputs.cache-hit }}' # true if cache-hit occured on the primary key
+
+      - name: Install CI dependencies
+        run: uv sync --all-extras
+
+      - name: Run migrations
+        run: uv run app database upgrade head --no-prompt
+
+      - name: pytest
+        id: pytest
+        if: ${{ inputs.run-tests }}
+        run: uv run pytest
+        continue-on-error: true
+
+      - name: PyTest Failure
+        if: inputs.run-tests && steps.pytest.outcome == 'failure'
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-id: check-zip-lambda-pytest-${{ inputs.working-directory }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          message: |
+            #### PyTest failed for **${{ inputs.working-directory }}**:
+
+            ```
+            ${{ steps.pytest.outputs.stdout }}
+            ```
+
+      - name: mypy
+        id: mypy
+        run: uv run mypy .
+        continue-on-error: true
+
+      - name: Mypy Failure
+        if: steps.mypy.outcome == 'failure'
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-id: check-zip-lambda-mypy-${{ inputs.working-directory }}
+          allow-repeats: true
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          message: |
+            #### Mypy failed for **${{ inputs.working-directory }}**:
+            ```
+            ${{ steps.mypy.outputs.stdout }}
+            ```
+            ```
+            ${{ steps.mypy.outputs.stderr }}
+            ```
+
+      - name: ruff check
+        id: ruff
+        run: uv run ruff check --output-format=github --fix .
+        continue-on-error: true
+
+      - name: Ruff Failure
+        if: steps.ruff.outcome == 'failure'
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-id: check-zip-lambda-ruff-${{ inputs.working-directory }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          message: |
+            #### Ruff failed for **${{ inputs.working-directory }}**:
+            ```
+            ${{ steps.ruff.outputs.stdout }}
+            ```
+            ```
+            ${{ steps.ruff.outputs.stderr }}
+            ```
+
+      - name: Errors Found
+        if: >-
+          steps.pytest.outcome == 'failure' ||
+          steps.mypy.outcome == 'failure' ||
+          steps.ruff.outcome == 'failure'
+        run: exit 1

.github/workflows/deployment.tpl.yml

@@ -0,0 +1,43 @@
+---
+name: "Template: deployment"
+
+on:
+  workflow_call:
+    inputs:
+      dry-run:
+        required: false
+        type: boolean
+        description: |
+          "Run the workflow in dry-run mode"
+        default: true
+
+jobs:
+  # We do it this way to avoid checking for changes in each job
+  changes:
+    name: "Check for changes"
+    runs-on: ubuntu-latest
+    # Set job outputs to values from filter step
+    outputs:
+      api: ${{ steps.filter.outputs.api }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          base: main
+          filters: >-
+            api:
+              - api/**/*
+              - .github/workflows/python-*
+
+  api-quality:
+    name: "API: Quality"
+    needs: changes
+    if: >-
+      needs.changes.outputs.api == 'true'
+    uses: ./.github/workflows/api-quality.tpl.yml
+    secrets: inherit
+    with:
+      working-directory: api

.github/workflows/main.yml

@@ -0,0 +1,25 @@
+---
+name: Development branch
+
+concurrency:
+  group: ${{ github.ref }}-development
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+  packages: write
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/deployment.tpl.yml
+    secrets: inherit
+    with:
+      dry-run: false

.github/workflows/pull_request.yml

@@ -0,0 +1,25 @@
+---
+name: Pull request checks
+
+concurrency:
+  group: ${{ github.ref }}-pull-request
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+  packages: write
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/deployment.tpl.yml
+    secrets: inherit
+    with:
+      dry-run: true

.github/workflows/python-quality.tpl.yml

@@ -0,0 +1,124 @@
+---
+name: "Template: Run code checks on Python project"
+
+on:
+  workflow_call:
+    inputs:
+      ## General
+      working-directory:
+        required: true
+        type: string
+        description: |
+          "Directory in which the terraform project is located"
+      python-version:
+        required: false
+        default: "3.12"
+        type: string
+        description: |
+          "Python version to use"
+      run-tests:
+        required: false
+        type: boolean
+        description: |
+          "Run tests before zipping the lambda"
+        default: true
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        id: setup-python
+        with:
+          version: 0.7.5
+          python-version: ${{ inputs.python-version }}
+          enable-cache: true
+          cache-dependency-glob: |
+            **/uv.lock
+            **/pyproject.toml
+
+      - name: Cache hit
+        run: echo '${{ steps.setup-python.outputs.cache-hit }}' # true if cache-hit occured on the primary key
+
+      - name: Install CI dependencies
+        run: uv sync --all-extras
+
+      - name: pytest
+        id: pytest
+        if: ${{ inputs.run-tests }}
+        run: uv run pytest --cov -vvv
+        continue-on-error: true
+
+      - name: PyTest Failure
+        if: inputs.run-tests && steps.pytest.outcome == 'failure'
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-id: check-zip-lambda-pytest-${{ inputs.working-directory }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          message: |
+            #### PyTest failed for **${{ inputs.working-directory }}**:
+
+            ```
+            ${{ steps.pytest.outputs.stdout }}
+            ```
+
+      - name: mypy
+        id: mypy
+        run: uv run mypy .
+        continue-on-error: true
+
+      - name: Mypy Failure
+        if: steps.mypy.outcome == 'failure'
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-id: check-zip-lambda-mypy-${{ inputs.working-directory }}
+          allow-repeats: true
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          message: |
+            #### Mypy failed for **${{ inputs.working-directory }}**:
+            ```
+            ${{ steps.mypy.outputs.stdout }}
+            ```
+            ```
+            ${{ steps.mypy.outputs.stderr }}
+            ```
+
+      - name: ruff check
+        id: ruff
+        run: uv run ruff check --output-format=github --fix .
+        continue-on-error: true
+
+      - name: Ruff Failure
+        if: steps.ruff.outcome == 'failure'
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-id: check-zip-lambda-ruff-${{ inputs.working-directory }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          message: |
+            #### Ruff failed for **${{ inputs.working-directory }}**:
+            ```
+            ${{ steps.ruff.outputs.stdout }}
+            ```
+            ```
+            ${{ steps.ruff.outputs.stderr }}
+            ```
+
+      - name: Errors Found
+        if: >-
+          steps.pytest.outcome == 'failure' ||
+          steps.mypy.outcome == 'failure' ||
+          steps.ruff.outcome == 'failure'
+        run: exit 1

.gitignore

@@ -70,3 +70,6 @@ devdoc/
 *~
 *#
 *retry
+
+.env*
+.python-version