feat: add support for slim and alpine Python images + change default base image

  - component: gitlab.com/to-be-continuous/python/gitlab-ci-python@6.11.1

    # 2: set/override component inputs

    inputs:

      image: registry.hub.docker.com/library/python:3.10

      image: registry.hub.docker.com/library/python:3.12-slim

      pytest-enabled: true

```

variables:

  # 2: set/override template variables

  PYTHON_IMAGE: registry.hub.docker.com/library/python:3.10

  PYTHON_IMAGE: registry.hub.docker.com/library/python:3.12-slim

  PYTEST_ENABLED: "true"

```

| Input / Variable     | Description                                                                           | Default value      |

| -------------------- | ------------------------------------------------------------------------------------- | ------------------ |

| `image` / `PYTHON_IMAGE` | The Docker image used to run Python <br/>:warning: **set the version required by your project** | `registry.hub.docker.com/library/python:3` |

| `image` / `PYTHON_IMAGE` | The Docker image used to run Python <br/>:warning: **set the version required by your project** | `registry.hub.docker.com/library/python:3-slim` |

| `project-dir` / `PYTHON_PROJECT_DIR` | Python project root directory                                                         | `.`                |

| `build-system` / `PYTHON_BUILD_SYSTEM`| Python build-system to use to install dependencies, build and package the project (see below) | `auto` (auto-detect) |

| `PIP_INDEX_URL`      | Python repository url                                                                 | _none_             |

| Input / Variable | Description                                                             | Default value     |

| ---------------- | ----------------------------------------------------------------------- | ----------------- |

| `trivy-enabled` / `PYTHON_TRIVY_ENABLED` | Set to `true` to enable Trivy job                                 | _none_ (disabled) |

| `trivy-dist-url` / `PYTHON_TRIVY_DIST_URL` | Url to the `tar.gz` package for `linux_amd64` of Trivy to use (ex: `https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |

| `trivy-args` / `PYTHON_TRIVY_ARGS`       | Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/) | `--vuln-type library`   |

In addition to a textual report in the console, this job produces the following reports, kept for one day:

  - component: gitlab.com/to-be-continuous/python/gitlab-ci-python@6.11.1

    # 2: set/override component inputs

    inputs:

      image: registry.hub.docker.com/library/python:3.10

      image: registry.hub.docker.com/library/python:3.12-slim

      pytest-enabled: true

  - component: gitlab.com/to-be-continuous/python/gitlab-ci-python-gcp@6.11.1

    {

      "name": "PYTHON_IMAGE",

      "description": "The Docker image used to run Python - **set the version required by your project**",

      "default": "registry.hub.docker.com/library/python:3"

      "default": "registry.hub.docker.com/library/python:3-slim"

    },

    {

      "name": "PYTHON_PROJECT_DIR",

      "enable_with": "PYTHON_TRIVY_ENABLED",

      "variables": [

        {

          "name": "PYTHON_TRIVY_IMAGE",

          "description": "The Docker image used to run Trivy",

          "default": "registry.hub.docker.com/aquasec/trivy:latest",

          "name": "PYTHON_TRIVY_DIST_URL",

          "description": "Url to the `tar.gz` package for `linux_amd64` of Trivy to use\n\n_When unset, the latest version will be used_",

          "advanced": true

        },

        {

  inputs:

    image:

      description: The Docker image used to run Python - **set the version required by your project**

      default: registry.hub.docker.com/library/python:3

      default: registry.hub.docker.com/library/python:3-slim

    project-dir:

      description: Python project root directory

      default: .

      description: Enable Trivy

      type: boolean

      default: false

    trivy-image:

      description: The Docker image used to run Trivy

      default: registry.hub.docker.com/aquasec/trivy:latest

    trivy-dist-url:

      description: |-

        Url to the `tar.gz` package for `linux_amd64` of Trivy to use

        _When unset, the latest version will be used_

      default: ''

    trivy-args:

      description: Additional [Trivy CLI options](https://aquasecurity.github.io/trivy/v0.21.1/getting-started/cli/fs/)

      default: --vuln-type library

  # Trivy tool

  PYTHON_TRIVY_ENABLED: $[[ inputs.trivy-enabled ]]

  PYTHON_TRIVY_IMAGE: $[[ inputs.trivy-image ]]

  PYTHON_TRIVY_DIST_URL: $[[ inputs.trivy-dist-url ]]

  PYTHON_TRIVY_ARGS: $[[ inputs.trivy-args ]]

  PYTHON_SBOM_NAME: $[[ inputs.sbom-name ]]

        else

          log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"

        fi

      elif command -v python3 > /dev/null

      then

        decoded=$(mktemp)

        errors=$(mktemp)

        # shellcheck disable=SC2086

        if python3 -c "import urllib.request ; urllib.request.urlretrieve(\"$url\",\"${decoded}\")" > "${errors}" 2>&1 

        then

          export ${name}="$(cat ${decoded})" 

          log_info "Successfully fetched secret \\e[33;1m${name}\\e[0m"

        else

          log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"

        fi

      else

        log_warn "Couldn't get secret \\e[33;1m${name}\\e[0m: no http client found"

      fi

      if ! dpkg --status "$@" > /dev/null

      then

        apt-get update

        apt-get install --yes --quiet "$@"

        apt-get install --no-install-recommends --yes --quiet "$@"

      fi

    elif command -v apk > /dev/null

    then

  }

  function maybe_install_poetry() {

    if [[ "$PYTHON_BUILD_SYSTEM" == poetry* ]] && ! command -v poetry > /dev/null

    if [[ "$PYTHON_BUILD_SYSTEM" =~ ^poetry.* ]] && ! command -v poetry > /dev/null

    then

      # shellcheck disable=SC2086

      pip install ${PIP_OPTS} "$PYTHON_BUILD_SYSTEM"

  # force no dependencies

  dependencies: []

  script:

    - maybe_install_packages wget apt-transport-https gnupg lsb-release

    - mkdir -p -m 777 reports

    - install_requirements

    - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -

    - echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list

    - apt-get update

    - apt-get install trivy

    - |

      if [[ -z "$PYTHON_TRIVY_DIST_URL" ]]

      then

        log_info "Trivy version unset: retrieve latest version..."

        trivy_version=$(python3 -c 'import urllib.request;url="https://github.com/aquasecurity/trivy/releases/latest";opener=urllib.request.build_opener(type("NoRedirection", (urllib.request.HTTPErrorProcessor,), {"http_response": lambda self, req, resp: resp, "https_response": lambda self, req, resp: resp})());req=urllib.request.Request(url, method="HEAD");print(opener.open(req).headers.get("Location").split("/tag/v")[1])')

        PYTHON_TRIVY_DIST_URL="https://github.com/aquasecurity/trivy/releases/download/v${trivy_version}/trivy_${trivy_version}_Linux-64bit.tar.gz"

        log_info "... use latest Trivy version: \\e[32m$PYTHON_TRIVY_DIST_URL\\e[0m"

      fi

      python_trivy="$XDG_CACHE_HOME/trivy-$(echo "$PYTHON_TRIVY_DIST_URL" | md5sum | cut -d" " -f1)"

      if [[ -f $python_trivy ]]

      then

        log_info "Trivy found in cache (\\e[32m$PYTHON_TRIVY_DIST_URL\\e[0m): reuse"

      else

        log_info "Trivy not found in cache (\\e[32m$PYTHON_TRIVY_DIST_URL\\e[0m): download"

        python3 -c 'import urllib.request;urllib.request.urlretrieve("'$PYTHON_TRIVY_DIST_URL'","trivy.tar.gz")'

        tar zxf trivy.tar.gz trivy

        mkdir -p $XDG_CACHE_HOME

        mv ./trivy $python_trivy

      fi  

    - |

      if [[ "$PYTHON_BUILD_SYSTEM" == poetry* ]]

      then

          log_warn "The ./requirements.txt file does not match the ./reports/requirements.txt file generated via pip freeze. Make sure to include all dependencies with pinned versions in ./requirements.txt and re-commit the file."

        fi

      fi

      if [ $(trivy fs ${PYTHON_TRIVY_ARGS} --format table --exit-code 0 ./reports/ | grep -c "Number of language-specific files: 0") -eq 1 ]; then

      if [ $($python_trivy fs ${PYTHON_TRIVY_ARGS} --format table --exit-code 0 ./reports/ | grep -c "Number of language-specific files: 0") -eq 1 ]; then

        log_error "Could not find a file listing all dependencies with their versions."

        exit 1

      fi

      if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]

      then

        trivy fs ${PYTHON_TRIVY_ARGS} --exit-code 0 --list-all-pkgs --format json --output reports/py-trivy.trivy.json ./reports/

        $python_trivy fs ${PYTHON_TRIVY_ARGS} --exit-code 0 --list-all-pkgs --format json --output reports/py-trivy.trivy.json ./reports/

      fi

      trivy fs ${PYTHON_TRIVY_ARGS} --format table ./reports/

      $python_trivy fs ${PYTHON_TRIVY_ARGS} --format table ./reports/

  artifacts:

    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"

    expire_in: 1 day

      if [[ -z "$PYTHON_SBOM_SYFT_URL" ]]

      then

        log_info "Syft version unset: retrieve latest version..."

        syft_version=$(curl -Ls -o /dev/null -w %{url_effective} https://github.com/anchore/syft/releases/latest | grep -o '[^/v]*$')

        syft_version=$(python3 -c 'import urllib.request;print(urllib.request.urlopen("https://github.com/anchore/syft/releases/latest").url)' | grep -o '[^/v]*$')

        PYTHON_SBOM_SYFT_URL="https://github.com/anchore/syft/releases/download/v${syft_version}/syft_${syft_version}_linux_amd64.tar.gz"

        log_info "... use latest Syft version: \\e[32m$PYTHON_SBOM_SYFT_URL\\e[0m"

      fi

py-release:

  extends: .python-base

  stage: publish

  before_script:

    - !reference [.python-base, before_script]

    # install git and OpenSSH

    - maybe_install_packages git openssh-client

  script:

    - apt-get update

    - apt-get install -y git openssh-client

    - git config --global user.email "$GITLAB_USER_EMAIL"

    - git config --global user.name "$GITLAB_USER_LOGIN"

    - git checkout -B $CI_COMMIT_REF_NAME

py-publish:

  extends: .python-base

  stage: publish

  before_script:

    - !reference [.python-base, before_script]

    # install curl (to decode @url@ variables)

    - maybe_install_packages curl

  script:

    - py_publish

  artifacts: