Add schema publishing PoC

Author: arkid15r

.github/workflows/test-schema.yaml renamed to .github/workflows/publish-owasp-schema.yaml

@@ -16,6 +16,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 concurrency:
   cancel-in-progress: true
@@ -104,7 +105,7 @@ jobs:
             type=registry,ref=owasp/nest:test-schema-cache
           cache-to: |
             type=gha,compression=zstd
-          context: schema
+          context: .
           file: schema/docker/Dockerfile.test
           load: true
           platforms: linux/amd64
@@ -113,3 +114,75 @@ jobs:
       - name: Run schema tests
         run: |
           docker run --rm owasp/nest:test-schema-latest pytest
+
+  publish-schema-package:
+    name: Publish to PyPI
+    needs:
+      - run-schema-tests
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
+        with:
+          python-version: '3.13'
+
+      - name: Install Poetry
+        run: pipx install poetry
+
+      - name: Install dependencies
+        run: |
+          cd schema
+          poetry install
+
+      - name: Configure Git
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "GitHub Action"
+
+      - name: Bump version
+        run: |
+          cd schema
+          poetry run bump2version patch --commit --tag --allow-dirty
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push changes
+        run: |
+          git push
+          git push --tags
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build with new version
+        run: |
+          cd schema
+          poetry build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true
+
+      - name: Create GitHub Release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref_name }}
+          release_name: Release ${{ github.ref_name }}
+          body: |
+            Automated release for OWASP Schema package.
+
+            Changes in this release:
+            - Updated schema files
+            - Automated build and publish
+
+            Package: https://pypi.org/project/owasp-schema/
+          draft: false
+          prerelease: false

.gitignore

@@ -38,5 +38,6 @@ frontend/yarn-debug.log*
 frontend/yarn-error.log*
 logs
 node_modules/
-schema/.venv
+schema/.venv/
+schema/dist/
 TODO

docs/scripts/__init__.py

@@ -0,0 +1 @@
+"""Scripts for documentation generation."""

docs/scripts/generate_schema_docs.py

@@ -1,19 +1,23 @@
-from pathlib import Path
+"""Generate schema documentation from JSON schema files."""
+
+# ruff: noqa: S603 https://docs.astral.sh/ruff/rules/subprocess-without-shell-equals-true/
+# ruff: noqa: S607 https://docs.astral.sh/ruff/rules/start-process-with-partial-path/
+
 import subprocess
+from pathlib import Path
 
 
 def generate_schema_docs():
-    INPUT_DIR = Path("./schema")
-    OUTPUT_DIR = Path("./docs/schema")
+    """Generate documentation from JSON schema files."""
+    input_dir = Path("./schema")
+    output_dir = Path("./docs/schema")
 
-    OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
+    output_dir.mkdir(parents=True, exist_ok=True)
 
-    for schema_file in INPUT_DIR.iterdir():
+    for schema_file in input_dir.iterdir():
         if schema_file.suffix == ".json" and schema_file.name != "common.json":
             base_name = schema_file.stem
-            output_file = OUTPUT_DIR / f"{base_name}.md"
-
-            print(f"Processing {schema_file} -> {output_file}")
+            output_file = output_dir / f"{base_name}.md"
 
             # Generate the schema documentation
             subprocess.run(

pyproject.toml

@@ -0,0 +1,53 @@
+[tool.poetry]
+name = "owasp-schema"
+version = "0.1.0"
+description = "A collection of OWASP schemas"
+authors = ["Arkadii Yakovets <[email protected]>"]
+license = "MIT"
+readme = "README.md"
+homepage = "https://github.com/owasp/nest/schema"
+repository = "https://github.com/owasp/nest/schema"
+keywords = ["owasp", "schema", "json-schema"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+]
+packages = [{ include = "owasp_schema", from = "src" }]
+
+[tool.poetry.dependencies]
+jsonschema = "^4.23.0"
+pytest = "^8.3.4"
+python = "^3.13"
+pyyaml = "^6.0.2"
+validators = "^0.35.0"
+
+[tool.poetry.group.dev.dependencies]
+bump2version = "^1.0.1"
+pytest = "^8.3.4"
+
+[tool.poetry.build]
+generate-setup-file = false
+
+[tool.ruff]
+line-length = 99
+target-version = "py313"
+
+[tool.ruff.lint]
+extend-select = ["I"]
+ignore = [
+    "ANN",
+    "D103",
+]
+select = ["ALL"]
+
+[tool.ruff.lint.per-file-ignores]
+"**/__init__.py" = ["D104"]
+"**/*.py" = ["S101"]
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"

schema/.bumpversion.cfg

@@ -0,0 +1,15 @@
+[bumpversion]
+current_version = 0.1.0
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
+serialize = {major}.{minor}.{patch}
+files =
+    pyproject.toml
+    src/owasp_schema/__init__.py
+
+[bumpversion:file:pyproject.toml]
+search = version = "{current_version}"
+replace = version = "{new_version}"
+
+[bumpversion:file:src/owasp_schema/__init__.py]
+search = __version__ = "{current_version}"
+replace = __version__ = "{new_version}"

schema/MANIFEST.in

@@ -0,0 +1,17 @@
+include *.json
+include *.py
+include *.md
+include *.cfg
+include README.md
+include LICENSE
+include src/owasp_schema/*.json
+recursive-exclude tests *
+recursive-exclude docker *
+recursive-exclude utils *
+recursive-exclude .venv *
+recursive-exclude dist *
+recursive-exclude build *
+recursive-exclude __pycache__ *
+recursive-exclude .pytest_cache *
+recursive-exclude .ruff_cache *
+exclude *.lock

schema/Makefile

@@ -1,12 +1,43 @@
+build-owasp-schema-package:
+	cd schema && poetry build
+
+bump-owasp-schema-major:
+	cd schema && poetry run bump2version major --allow-dirty
+
+bump-owasp-schema-minor:
+	cd schema && poetry run bump2version minor --allow-dirty
+
+bump-owasp-schema-patch:
+	cd schema && poetry run bump2version patch --allow-dirty
+
+bump-owasp-schema-major-commit:
+	cd schema && poetry run bump2version major --commit --tag --allow-dirty
+
+bump-owasp-schema-minor-commit:
+	cd schema && poetry run bump2version minor --commit --tag --allow-dirty
+
+bump-owasp-schema-patch-commit:
+	cd schema && poetry run bump2version patch --commit --tag --allow-dirty
+
+clean-package:
+	cd schema && rm -rf dist/ build/ *.egg-info/
+
 clean-schema-dependencies:
 	@rm -rf schema/.venv
 
+install-owasp-schema-package:
+	cd schema && poetry install
+
+publish-package:
+	cd schema && poetry publish
+
 test-schema:
 	@DOCKER_BUILDKIT=1 docker build \
 		--cache-from nest-test-schema \
-		-f schema/docker/Dockerfile.test schema \
+		-f schema/docker/Dockerfile.test . \
 		-t nest-test-schema
 	@docker run --rm nest-test-schema pytest
 
+
 update-schema-dependencies:
 	cd schema && poetry update

schema/README.md

@@ -0,0 +1,39 @@
+# OWASP Schema
+
+A Python package providing JSON schemas for OWASP projects.
+
+## Installation
+
+```bash
+pip install owasp-schema
+```
+
+## Usage
+
+```python
+from owasp_schema import get_schema, list_schemas, chapter_schema
+
+# List all available schemas
+print(list_schemas())
+# Output: ['chapter', 'committee', 'project']
+
+# Get a specific schema
+chapter_schema = get_schema("chapter")
+
+# Or use the pre-loaded schemas
+print(chapter_schema["title"])
+```
+
+## Available Schemas
+
+- `chapter`: Schema for OWASP chapters
+- `committee`: Schema for OWASP committees
+- `project`: Schema for OWASP projects
+
+## Development
+
+This package is automatically published to PyPI when schema files change in the main branch using OIDC authentication.
+
+## License
+
+MIT License - see LICENSE file for details.

schema/docker/Dockerfile.test

@@ -27,13 +27,13 @@ RUN --mount=type=cache,target=${PIP_CACHE_DIR} \
 WORKDIR /home/owasp
 USER owasp
 
-COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./
+COPY --chmod=444 --chown=root:root schema/poetry.lock schema/pyproject.toml ./
 RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \
     poetry install --no-root
 
-COPY *.json ./
-COPY tests tests
-COPY utils utils
+COPY schema/src/owasp_schema owasp_schema
+COPY schema/*.json owasp_schema/
+COPY schema/tests tests
 
 FROM python:3.13.5-alpine