use uv and githubkit

.env.example

@@ -0,0 +1,6 @@
+GH_CLIENT_ID="123456"
+GH_CLIENT_PRIVATE_KEY="base64...your...pem...keyfile"
+GH_AUTH_TOKEN="ghp_123456"
+CVE_USERNAME="user@example.org"
+CVE_API_KEY="123456"
+CVE_ENV="testproddev"

.github/workflows/ci.yml

@@ -0,0 +1,63 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Run ruff lint
+        uses: astral-sh/ruff-action@v3
+
+      - name: Run ruff format check
+        uses: astral-sh/ruff-action@v3
+        with:
+          args: "format --check --diff"
+
+  test:
+    name: Test on Python ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.14"]
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: uv sync --locked --dev --no-editable
+
+      - name: Install Playwright browsers
+        run: uv run playwright install --with-deps chromium
+
+      - name: Run tests
+        run: uv run pytest tests/ -v --tb=short
+
+      - name: Upload coverage reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-results-${{ matrix.python-version }}
+          path: |
+            .coverage
+            htmlcov/
+          retention-days: 30

.github/workflows/cron.yml

@@ -1,24 +1,32 @@
 name: "PSRT GHSA Bot"
+
 on:
   workflow_dispatch:
   schedule:
     - cron: "0 * * * *"
+
 jobs:
   cron:
     runs-on: ubuntu-latest
-    name: "Cron"
+    name: "Run PSRT Advisory Bot"
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
+      - uses: actions/checkout@v5
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v6
         with:
-          python-version: 3.12
-          cache: pip
-          cache-dependency-path: |
-            requirements.txt
-      - run: |
-          python -m pip install -r requirements.txt
-      - run: |
-          python app.py
+          enable-cache: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Install dependencies
+        run: uv sync --locked --no-editable --no-dev
+
+      - name: Run bot
+        run: uv run python src/psrt_ghsa_bot/app.py
         env:
           GH_CLIENT_ID: ${{ vars.GH_CLIENT_ID }}
           GH_CLIENT_SECRET: ${{ secrets.GH_CLIENT_SECRET }}

.gitignore

@@ -160,3 +160,8 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+# Playwright authentication state
+playwright/.auth/
+playwright-state/
+**/playwright-state/

.python-version

@@ -0,0 +1 @@
+3.14

Makefile

@@ -0,0 +1,29 @@
+.DEFAULT_GOAL:=help
+.ONESHELL:
+
+help: ## Display this help text for Makefile
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+upgrade: ## Upgrade all dependencies to the latest stable versions
+	@uv lock --upgrade
+	@echo "=> Dependencies Updated"
+
+lint:  ## Lint the code
+	@uv run ruff check --fix --unsafe-fixes .
+
+fmt:  ## Format the code
+	@uv run ruff format .
+
+mt-check:  ## Runs Ruff format in check mode (no changes)
+	@uv run --no-sync ruff format --check .
+
+type-check:  ## Run type-checking
+	@uv run ty check
+
+test:  ## Run tests
+	@uv run pytest
+
+ci: lint fmt type-check test  ## Run everything
+
+app:  ## Run the app
+	@uv run python app.py

pyproject.toml

@@ -0,0 +1,42 @@
+[project]
+name = "psrt-ghsa-bot"
+version = "0.1.0"
+description = "GitHub bot for PSRT activities on GHSA"
+readme = "README.md"
+requires-python = ">=3.14.0"
+dependencies = [
+    "cvelib>=1.4.0",
+    "githubkit[auth-app]>=0.13.5",
+    "playwright>=1.55.0",
+    "python-dotenv>=1.0.0",
+]
+
+[dependency-groups]
+dev = [
+    "mock>=5.2.0",
+    "pytest>=8.4.2",
+    "pytest-playwright>=0.7.1",
+    "pytest-sugar>=1.1.1",
+    "ruff>=0.14.3",
+    "ty>=0.0.1a25",
+]
+
+[build-system]
+requires = ["uv_build>=0.9.6,<0.10.0"]
+build-backend = "uv_build"
+
+[tool.ruff]
+target-version = "py314"
+src = ["src", "tests"]
+line-length = 120
+indent-width = 4
+
+[tool.ruff.lint]
+ignore = ["D203", "D213", "COM812"]
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+
+[tool.ruff.lint.pydocstyle]
+convention = "google"