pants.toml

[GLOBAL]
pants_version = "2.14.0"
backend_packages = [
  "pants.backend.build_files.fmt.black",
  "pants.backend.codegen.protobuf.lint.buf",
  "pants.backend.codegen.protobuf.python",
  "pants.backend.docker",
  "pants.backend.docker.lint.hadolint",
  "pants.backend.experimental.python.lint.autoflake",
  "pants.backend.experimental.python.lint.pyupgrade",
  "pants.backend.plugin_development",
  "pants.backend.python",
  "pants.backend.python.lint.black",
  "pants.backend.python.lint.flake8",
  "pants.backend.python.lint.isort",
  "pants.backend.python.typecheck.mypy",
  "pants.backend.shell",
  "pants.backend.shell.lint.shellcheck",
  "pants.backend.shell.lint.shfmt"
]

pants_ignore=[
    "!.buildkite",
    "/src/proto/google"
]

plugins = [
  "toolchain.pants.plugin==0.25.0"
]

remote_cache_read = true
remote_cache_write = true
remote_store_address = "grpcs://cache.toolchain.com:443"

[toolchain-setup]
org = "grapl-security"
repo = "grapl"

[buildsense]
enable = true

# See https://www.pantsbuild.org/docs/anonymous-telemetry
[anonymous-telemetry]
enabled = true
# Randomly generated with `uuidgen --random`
repo_id = "f416be7b-e109-4915-8eba-940bcfa310c1"

# Given how our code is currently structured, with package and test
# code for every project in their own directory, I believe we have to
# list each of those top-level containing directories here in order
# for all the resolution to work out correctly.
#
# The '/' roots these at the same directory this `pants.toml` file is
# in.
[source]
root_patterns = [
  "/3rdparty",
  "/build-support",
  "/devbox",
  "/etc",  # Some of our tests use sample data from here
  "/pulumi",
  "/src/proto",
  "/src/python/grapl-plugin-sdk",
  "/src/python/grapl-common",
  "/src/python/graplctl",
  "/src/python/grapl-tests-common",
  "/src/python/provisioner",
  "/src/python/python-proto",
  "/src/python/repl",
  "src/python/suspicious_svchost",
]

[python]
lockfile_generator = "pex"
# Use this as a lockfile; speeds up installation of dependencies
# To update it, see build-support/manage_virtualenv.sh
requirement_constraints = "3rdparty/python/constraints.txt"
# If you update these constraints, also update the ones in the
# `[black]` section below; see there for further background.
interpreter_constraints = ["==3.10.*"]
tailor_pex_binary_targets = false

[python-bootstrap]
search_path = ["<PYENV_LOCAL>", "<PYENV>", "<PATH>"]

[python-protobuf]
mypy_plugin = true

[autoflake]
lockfile = "3rdparty/python/autoflake.lockfile"
# prelude is a file that has only imports. Other code then imports the imports from prelude.
args = ["--exclude", "prelude.py"]

[black]
lockfile = "3rdparty/python/black.lockfile"
# Version specified due to https://github.com/psf/black/issues/2964
# Not entirely clear how we triggered this, given that we are on Click
# < 8.1.0, but updating allows Black to run again.
version = "black>=22.3.0"
config = "pyproject.toml"
# This should mirror the same global constraints above. This is a
# work-around for https://github.com/pantsbuild/pants/issues/14912.
interpreter_constraints = ["==3.10.*"]

[isort]
lockfile = "3rdparty/python/isort.lockfile"
config = "pyproject.toml"
# This option is required to ensure the `skip_globs` configuration is
# honored for how Pants calls isort. If we ever get to the point where
# we can remove `skip_globs` from the `tool.isort` entry in
# `pyproject.toml`, then we can remove this argument as well.
args = [ "--filter-files" ]
version = "isort==5.6.4"

[pytest]
lockfile = "3rdparty/python/pytest.lockfile"
extra_requirements = [
  "pytest-custom_exit_code",
  "pytest-cov"
]
# This comes from the pytest-custom_exit_code plugin, and is
# specifically for running tests with Pytest filtering, like:
#
#   -m 'not integration_test'
#
# Because of how Pants runs tests, we can get failures for test files
# that only contain integration tests. Longer term, we should think of
# other ways to divide tests into classes (unit, integration, etc.) so
# we can target things better with Pants tags.
args = [ "--suppress-no-test-exit-code" ]

[mypy]
version = "mypy==0.960"
lockfile = "3rdparty/python/mypy.lockfile"
config = "src/python/mypy.ini"
# read this section of the mypy docs:
#
# https://mypy.readthedocs.io/en/stable/command_line.html#cmdoption-mypy-namespace-packages
#
# for the raison d'être for "--namespace-packages". Tl;dr: it makes mypy work
# with our protobuf stubs.
args = [ "--show-error-codes", "--namespace-packages" ] #, "--verbose" ]

extra_type_stubs = [
  "grpc-stubs",
  "mypy_boto3_cloudwatch==1.20.35.post1",
  "mypy_boto3_dynamodb==1.20.35.post1",
  "mypy_boto3_ec2==1.20.35.post1",
  "mypy_boto3_lambda==1.20.35.post1",
  "mypy_boto3_route53==1.20.35.post1",
  "mypy_boto3_s3==1.20.35.post1",
  "mypy_boto3_sagemaker==1.20.35.post1",
  "mypy_boto3_secretsmanager==1.20.35.post1",
  "mypy_boto3_sns==1.20.35.post1",
  "mypy_boto3_sqs==1.20.35.post1",
  "mypy_boto3_ssm==1.20.35.post1",

  "types-click==7.1.8",
  "types-protobuf==3.19.6",
  "types-redis==4.1.11",
  "types-requests==2.27.7",
  "types-toml==0.10.3",
]

[ipython]
lockfile = "3rdparty/python/ipython.lockfile"
version = "ipython==7.20.0"

[flake8]
lockfile = "3rdparty/python/flake8.lockfile"
config = ".flake8"

[shfmt]
# Indent with 4 spaces
# Indent switch cases
# Redirect operators are followed by a space
args = ["-i 4", "-ci", "-sr"]

[test]
output = "all"
use_coverage = "true"

[coverage-py]
lockfile = "3rdparty/python/coveragepy.lockfile"
report = ["xml"]
# coverage.py only reports statistics based on the files it
# encounters, not on all the files in the repository; this counteracts
# that.
global_report = "true"
# This should mirror the same global constraints above.
interpreter_constraints = ["==3.10.*"]

[hadolint]
version = "v2.10.0"
known_versions = [
  # The real Hadolint known versions can be seen here, for comparison:
  # https://github.com/pantsbuild/pants/blob/39d0a77ec5c9a7b1e1864b70ba782d52dc33ebaa/src/python/pants/backend/docker/lint/hadolint/subsystem.py#L13
  # This version line was generated via the rules documented here
  # https://github.com/pantsbuild/pants/blob/1d828786c3c0f352e7811e29dd80f7877f5e170c/src/python/pants/core/util_rules/external_tool.py#L131
  "v2.10.0|linux_x86_64|8ee6ff537341681f9e91bae2d5da451b15c575691e33980893732d866d3cefc4|2301804"
]

[pyupgrade]
lockfile = "3rdparty/python/pyupgrade.lockfile"
# keep-runtime-typing is enabled because CallCredentials in grapl_client.py doesn't support CallCredentials | None syntax.
# For keep-runtime-typing to work we also can't use py30-plus
args = ["--py39-plus", "--keep-runtime-typing"]

[protoc]
# While this is the current default value for Pants (as of Pants
# 2.13.0), we're going to explicitly list it. We programmatically read
# this value in `build-support/protoc_version.sh` in order to use the
# same version in our Rust build process. That script can find out
# what version Pants would use even if we didn't explicitly list it
# here, but being explicit here makes it very easy to find out what
# version we're using, without having to run any script.
#
# As such, there's nothing magical or special about this value, and
# you should feel no compunctions about updating it if you need to, or
# when Pants updates its defaults.
version = "3.20.1"

[tailor]
ignore_paths = [
  # TODO: We need to find a better way to manage our docs
  # generation. For now, we don't need Pants to update this BUILD
  # file.
  "docs/BUILD",
]
ignore_adding_targets = [
  # We don't currently run the `editor_setup.py` file through Pants,
  # so we don't need to generate a `pex_binary` target for it.
  "build-support:editor_setup",
  # TODO: I suspect this can be deleted now.
  "etc/build_scripts:check_pypi_version",
  # We don't run Pulumi through Pants, so we don't need to create
  # `pex_binary` targets for our `__main__.py` files.
  "pulumi/grapl:__main__",
  "pulumi/integration_tests:__main__",
  "pulumi/policies/grapl:__main__",
  "devbox/provision:__main__",
]

[cli.alias]
bk-run = "run build-support/bk-run.py --"
dump-artifacts = "run etc/ci_scripts/dump_artifacts/cli.py --"