feat: add ⚡ Ruff linter job

| ---------------- | ----------------------------------------------------------------------- | ----------------- |

| `isort-enabled` / `PYTHON_ISORT_ENABLED` | Set to `true` to enable isort job               | _none_ (disabled) |

### `py-ruff` job

This job **disabled by default** and runs [Ruff](https://docs.astral.sh/ruff/) on the repo. It is bound to the build stage.

| Input / Variable | Description                                                             | Default value     |

| ---------------- | ----------------------------------------------------------------------- | ----------------- |

| `ruff-enabled` / `RUFF_ENABLED` | Set to `true` to enable ruff job                  | _none_ (disabled) |

| `ruff-args` / `RUFF_ARGS` | Additional [Ruff Linter CLI options](https://docs.astral.sh/ruff/configuration/#full-command-line-interface)     | _none_           |

| `ruff-ext-exclude` / `RUFF_EXT_EXCLUDE` | Define [extend-exclude](https://docs.astral.sh/ruff/settings/#extend-exclude) files                             | _.venv,.cache_   |

:warning: Ruff can replace isort, Black, Bandit, Pylint and much more. [More info](https://github.com/astral-sh/ruff/blob/main/docs/faq.md#which-tools-does-ruff-replace). 

### SonarQube analysis

| Input / Variable | Description                            | Default value     |

| ----------------- | -------------------------------------- | ----------------- |

| `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token      | `$CI_SERVER_URL` |

| `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/))_ | `$CI_SERVER_URL` |

| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |

| `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |

      "name": "isort",

      "description": "Check imports order with [isort](https://pycqa.github.io/isort)",

      "enable_with": "PYTHON_ISORT_ENABLED"

    },

    {

      "id": "ruff",

      "name": "Ruff",

      "description": "An extremely fast Python linter and code formatter, written in Rust. [Ruff](https://docs.astral.sh/ruff/)",

      "enable_with": "RUFF_ENABLED",

      "variables": [

        {

          "name": "RUFF_ARGS",

          "description": "Additional [Ruff Linter CLI options](https://docs.astral.sh/ruff/configuration/#full-command-line-interface)",

          "advanced": true

        },

        {

          "name": "RUFF_EXT_EXCLUDE",

          "description": "Define [extend-exclude](https://docs.astral.sh/ruff/settings/#extend-exclude) files",

          "advanced": true

        }

      ]

    }

  ],

  "variants": [

      "variables": [

        {

          "name": "GCP_OIDC_AUD",

          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",

          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/))_",

          "default": "$CI_SERVER_URL",

          "advanced": true

        },

      description: Enable isort

      type: boolean

      default: false

    ruff-enabled:

      description: Enable Ruff

      type: boolean

      default: false

    ruff-args:

      description: Additional [Ruff Linter CLI options](https://docs.astral.sh/ruff/configuration/#full-command-line-interface)

      default: ""

    ruff-ext-exclude:

      description: Define [extend-exclude](https://docs.astral.sh/ruff/settings/#extend-exclude) files

      default: ""

---

# default workflow rules: Merge Request pipelines

workflow:

  PYTHON_BLACK_ENABLED: $[[ inputs.black-enabled ]]

  PYTHON_ISORT_ENABLED: $[[ inputs.isort-enabled ]]

  RUFF_ENABLED: $[[ inputs.ruff-enabled ]]

  RUFF_ARGS: $[[ inputs.ruff-args ]]

  RUFF_EXT_EXCLUDE: $[[ inputs.ruff-ext-exclude ]]

.python-scripts: &python-scripts |

      when: never

    - !reference [.test-policy, rules]

py-ruff:

  extends: .python-base

  stage: build

  script:

    - mkdir -p -m 777 reports

    - |  

      if [[  ${BANDIT_ENABLED} == "true" || ${PYLINT_ENABLED} == "true" || ${PYTHON_ISORT_ENABLED} == "true" || ${PYTHON_BLACK_ENABLED} == "true" ]]; then

        log_warn "Ruff can replace isort, Black, Bandit, Pylint"

      fi

    # Ruff is self dependent tool (written in Rust), so is can be install alone without project dependency (so not need _pip and _run)

    - pip install ${PIP_OPTS} ruff

    - ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format gitlab --output-file reports/ruff.gitlab.json || ruff check . ${RUFF_ARGS} ${RUFF_EXCLUDE:---extend-exclude .venv,.cache} --output-format grouped 

  artifacts:

    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"

    expire_in: 1 day

    when: always

    reports:

      codequality: $PYTHON_PROJECT_DIR/reports/ruff.gitlab.json

    paths:

      - "$PYTHON_PROJECT_DIR/reports/ruff.gitlab.json"

  rules:

    # exclude if $RUFF_ENABLED not set

    - if: '$RUFF_ENABLED != "true"'

      when: never

    - !reference [.test-policy, rules]

###############################################################################################

#                                      test stage                                             #

###############################################################################################