alliander-opensource · rflinnenbank · Mar 28, 2026 · Jul 19, 2025 · Jul 19, 2025 · Jul 19, 2025
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,43 @@
+---
+name: Bug Report
+about: Help us improve by reporting a bug
+title: ''
+labels: ''
+assignees: ''
+---
+
+## **Describe the Bug**
+
+Provide a clear and concise description of the issue.
+
+## **To Reproduce**
+
+Steps to reproduce the behavior:
+
+1. Go to '...'
+2. Click on '...'
+3. Scroll down to '...'
+4. See the error.
+
+## **Expected Behavior**
+
+Describe what you expected to happen.
+
+## **Screenshots**
+
+If applicable, add screenshots to help explain the problem.
+
+## **Desktop (please complete the following information):**
+
+- **OS**: [e.g., iOS]
+- **Project Version**: [e.g., 22]
+
+## **Smartphone (please complete the following information):**
+
+- **Device**: [e.g., iPhone 6]
+- **OS**: [e.g., iOS 8.1]
+- **Project Version**: [e.g., 22]
+
+## **Additional Context**
+
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,23 @@
+---
+name: Feature Request
+about: Suggest an idea to improve this project
+title: ''
+labels: ''
+assignees: ''
+---
+
+## **Is Your Feature Request Related to a Problem? Please Describe**
+
+Provide a clear and concise description of the problem. For example: "I'm frustrated when [...]"
+
+## **Describe the Solution You'd Like**
+
+Explain what you want to happen in a clear and concise manner.
+
+## **Describe Alternatives You've Considered**
+
+List any alternative solutions or features you’ve thought about.
+
+## **Additional Context**
+
+Add any other context, screenshots, or examples to support your request.
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,24 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    reviewers:
+      - "rflinnenbank"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      package-updates:
+        applies-to: version-updates
+        patterns: [ "*" ]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    reviewers:
+      - "rflinnenbank"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/allowed-pr-sources-dev-release.yaml b/.github/workflows/allowed-pr-sources-dev-release.yaml
@@ -0,0 +1,29 @@
+name: Check if PR source branch is allowed for development or release branches
+
+
+on:
+  pull_request:
+    types: [ opened, reopened, synchronize, edited, ready_for_review ]
+    branches:
+      - development
+      - release/**
+
+jobs:
+  enforce:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR source branch
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+        run: |
+          echo "Head branch: $HEAD_REF"
+          if [[ "$HEAD_REF" =~ ^feature/ || "$HEAD_REF" =~ ^dev/feature/ ]]; then
+            echo "✔ Allowed source branch."
+            exit 0
+          else
+            echo "❌ Disallowed source branch: $HEAD_REF"
+            echo "Only 'feature/*' or 'dev/feature/*' may open PRs into 'development' or 'release/*'."
+            exit 1
+          fi
diff --git a/.github/workflows/allowed-pr-sources-main.yaml b/.github/workflows/allowed-pr-sources-main.yaml
@@ -0,0 +1,28 @@
+name: Check if PR source branch is allowed for main branch
+
+on:
+  pull_request:
+    types: [ opened, reopened, synchronize, edited, ready_for_review ]
+    branches:
+      - main
+
+jobs:
+  enforce:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Check PR source branch
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+        run: |
+          echo "Head branch: $HEAD_REF"
+          if [[ "$HEAD_REF" == "development" || "$HEAD_REF" =~ ^release/ || "$HEAD_REF" =~ ^hotfix/ ]]; then
+            echo "✔ Allowed source branch."
+            exit 0
+          else
+            echo "❌ Disallowed source branch: $HEAD_REF"
+            echo "Only 'development', 'release/*', or 'hotfix/*' may open PRs into 'main'."
+            exit 1
+          fi
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
@@ -0,0 +1,79 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '37 7 * * 1'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only (minimal for Scorecard).
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+          # file_mode: git
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/pr-quality-gate.yaml.yml b/.github/workflows/pr-quality-gate.yaml.yml
@@ -0,0 +1,79 @@
+name: "PR Quality Gate: rc & main"
+
+on:
+  pull_request:
+    branches: [ rc, main ]
+    types: [ opened, synchronize, reopened, ready_for_review ]
+
+
+concurrency:
+  group: pr-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  precommit:
+    permissions:
+      contents: read
+      pull-requests: write
+    name: pre-commit
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # NOTE: point "uses:" to the DIRECTORY that contains action.yaml
+      # If your composite is at ./pre-commit/action.yaml, use "./pre-commit"
+      - name: Run pre-commit composite
+        uses: ./.github/workflows/pre-commit
+        with:
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+
+  pytest:
+    permissions:
+      contents: read
+      pull-requests: write
+    name: pytest
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ${{ fromJSON(env.SUPPORTED_PYTHON_VERSIONS) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run pytest composite
+        uses: ./.github/workflows/pytest
+        with:
+          python-version: ${{ matrix.python-version }}
+
+  pytest-windows:
+    permissions:
+      contents: read
+      pull-requests: write
+    name: pytest (Windows, non-blocking)
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: windows-latest
+    continue-on-error: true
+    strategy:
+      matrix:
+        python-version: ${{ fromJSON(env.SUPPORTED_PYTHON_VERSIONS) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run pytest composite
+        uses: ./.github/workflows/pytest
+        with:
+          python-version: ${{ matrix.python-version }}
+
+  sonarqube:
+    permissions:
+      contents: read
+      pull-requests: write
+    name: SonarQube
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: ubuntu-latest
+    needs: [ pytest ]        # starts only after pytest completes
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run SonarCloud composite
+        uses: ./.github/workflows/sonar
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/pre-commit/action.yaml b/.github/workflows/pre-commit/action.yaml
@@ -0,0 +1,47 @@
+name: Pre-commit
+description: Sets up Python and Poetry and runs pre-commit
+
+inputs:
+  python-version:
+    required: true
+    description: Python version used
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Setup Python
+      if: ${{ hashFiles('.pre-commit-config.yaml') != '' }}
+      uses: actions/setup-python@v3
+      with:
+        python-version: ${{ inputs.python-version }}
+
+
+    - name: Validate Python version
+      if: ${{ hashFiles('.pre-commit-config.yaml') != '' }}
+      run: |
+        ALLOWED_VERSIONS="3.14 3.15"
+        if ! echo "$ALLOWED_VERSIONS" | grep -wq "${{ inputs.python-version }}"; then
+          echo "Error: python-version ${{ inputs.python-version }} is not allowed. Allowed: $ALLOWED_VERSIONS"
+          exit 1
+        fi
+      shell: bash
+
+    - name: Install Poetry
+      if: ${{ hashFiles('.pre-commit-config.yaml') != '' }}
+      run: pipx install --python "python${{ inputs.python-version }}" poetry
+      shell: bash
+
+    - name: Install pre-commit
+      if: ${{ hashFiles('.pre-commit-config.yaml') != '' }}
+      run: |
+        pip install pre-commit
+        pre-commit install
+      shell: bash
+
+    - name: Run pre-commit
+      if: ${{ hashFiles('.pre-commit-config.yaml') != '' }}
+      run: pre-commit run -a
+      shell: bash
diff --git a/.github/workflows/pytest/action.yaml b/.github/workflows/pytest/action.yaml
@@ -0,0 +1,28 @@
+name: 'PyTest'
+description: 'Run pytest with Poetry'
+inputs:
+  python-version:
+    required: true
+    description: 'Python version used.'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Set up Python
+      uses: actions/setup-python@v3
+      with:
+        python-version: ${{ inputs.python-version }}
+    - name: Install Poetry
+      run: pipx install poetry
+    - name: Install dependencies
+      run: poetry install --with dev
+    - name: Run tests
+      run: poetry run pytest -m "not unstable and not online"
+    - name: Upload coverage.xml as artifact
+      uses: actions/upload-artifact@v3
+      if: ${{ hashFiles('coverage.xml') != '' }}
+      with:
+        name: coverage.xml
+        path: ./coverage.xml