Merge branch 'main' into model

.github/actionlint.yml

@@ -0,0 +1,5 @@
+self-hosted-runner:
+  labels:
+    - ledgerhq-shared-small
+    - ledgerhq-shared-medium
+    - ledgerhq-shared-large

.github/actions/pdm/action.yml

@@ -0,0 +1,29 @@
+name: 'Setup python / PDM'
+description: 'Setup python / PDM'
+
+inputs:
+  python-version:
+    description: 'Python version'
+    required: true
+    default: '3.12.3'
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: Setup python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python-version }}
+        cache: pip
+
+    - name: Install PDM
+      uses: pdm-project/setup-pdm@v4
+      with:
+        python-version: ${{ inputs.python-version }}
+        cache: true
+
+    - name: Setup PDM
+      shell: bash
+      run: |
+        pdm config install.cache true

.github/dependabot.yml

@@ -0,0 +1,43 @@
+version: 2
+
+updates:
+
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    target-branch: "next"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "[submodules] "
+    labels:
+      - "assets"
+    assignees:
+      - "LedgerHQ/backend-core"
+    reviewers:
+      - "LedgerHQ/backend-core"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "[dependencies] "
+    labels:
+      - "dependencies"
+    assignees:
+      - "LedgerHQ/backend-core"
+    reviewers:
+      - "LedgerHQ/backend-core"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "[ci] "
+    labels:
+      - "ci"
+    assignees:
+      - "LedgerHQ/backend-core"
+    reviewers:
+      - "LedgerHQ/backend-core"

.github/labeler.yml

@@ -0,0 +1,15 @@
+documentation:
+  - changed-files:
+      - any-glob-to-any-file: ['docs/**', 'README.md']
+
+ci:
+  - changed-files:
+      - any-glob-to-any-file: ['.github/**']
+
+sources:
+  - changed-files:
+      - any-glob-to-any-file: ['src/**', 'test/**', 'pyproject.toml']
+
+dependencies:
+  - changed-files:
+      - any-glob-to-any-file: ['pdm.lock']

.github/release-drafter.yml

@@ -0,0 +1,55 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+categories:
+  - title: '️⚠️ Breaking changes'
+    labels:
+      - 'breaking'
+  - title: '🚀 Features'
+    labels:
+      - 'feat'
+      - 'feature'
+      - 'enhancement'
+  - title: '🐛 Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+  - title: '🌈 Tech improvements'
+    labels:
+      - 'chore'
+      - 'tech'
+      - 'refactor'
+      - 'refactoring'
+      - 'ci'
+      - 'test'
+      - 'documentation'
+  - title: '🛠️ Dependency updates'
+    collapse-after: 3
+    labels:
+      - 'deps'
+      - 'dependencies'
+  - title: '🏗️ Infrastructure changes'
+    collapse-after: 3
+    labels:
+      - 'infra'
+      - 'deploy'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&'
+exclude-labels:
+  - 'skip-changelog'
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+      - 'feat'
+      - 'feature'
+      - 'enhancement'
+  patch:
+    labels:
+      - 'patch'
+  default: patch
+template: |
+  $CHANGES

.github/release.yaml

@@ -0,0 +1,31 @@
+changelog:
+
+  exclude:
+    labels:
+      # custom labels
+      - ci
+      - refactoring
+      - temp
+
+  categories:
+    - title: Features
+      labels:
+        - enhancement # standard github label
+    - title: Fixes
+      labels:
+        - bug # standard github label
+    - title: ! Breaking changes !
+      labels:
+        - breaking change # custom label
+    - title: Tech improvements
+      labels:
+        - tech # custom label
+    - title: Dependency updates
+      labels:
+        - dependencies # standard github label
+    - title: Documentation
+      labels:
+        - documentation # standard github label
+    - title: Other changes
+      labels:
+        - "*"

.github/workflows/ci.yml

@@ -0,0 +1,127 @@
+name: continuous integration
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  id-token: write
+  contents: write
+  actions: write
+  pull-requests: write
+  pages: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ci:
+    name: continuous integration
+    runs-on: ledgerhq-shared-small
+    timeout-minutes: 60
+    steps:
+
+      - name: Checkout
+        timeout-minutes: 10
+        uses: actions/checkout@v4
+        with:
+          submodules: "true"
+
+      - name: Check skippable steps
+        timeout-minutes: 10
+        id: skip
+        uses: fkirc/skip-duplicate-actions@v5
+        with:
+          cancel_others: true
+          skip_after_successful_duplicate: true
+          do_not_skip: '["workflow_dispatch", "schedule"]'
+          paths_filter: |
+            project:
+              paths:
+                - '*.lock'
+                - 'pyproject.toml'
+            ci:
+              paths:
+                - '.github/**'
+            docs:
+              paths:
+                - 'docs/**'
+            sources:
+              paths:
+                - 'src/**'
+                - 'tests/**'
+
+      - name: Pull request | Add author
+        timeout-minutes: 5
+        if: github.event_name == 'pull_request'
+        uses: toshimaru/[email protected]
+
+      - name: Pull request | Add labels
+        timeout-minutes: 30
+        if: github.event_name == 'pull_request'
+        uses: actions/labeler@v5
+
+      - name: Pull request | Enforce labels
+        timeout-minutes: 5
+        if: github.event_name == 'pull_request'
+        uses: mheap/github-action-required-labels@v5
+        with:
+          mode: minimum
+          count: 1
+          labels: |
+            documentation
+            ci
+            sources
+            dependencies
+          add_comment: true
+
+      - name: Setup pre-commit cache
+        timeout-minutes: 10
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Setup python / PDM
+        timeout-minutes: 10
+        uses: ./.github/actions/pdm
+
+      - name: Install dependencies
+        timeout-minutes: 10
+        run: pdm install --dev --check --frozen-lockfile
+        env:
+          FURY_TOKEN: ${{ secrets.PYPI_DEPLOY_TOKEN}}
+
+      - name: Lint
+        timeout-minutes: 10
+        if: |
+          !steps.skip.outputs.should_skip ||
+          !fromJSON(steps.skip.outputs.paths_result).project.should_skip ||
+          !fromJSON(steps.skip.outputs.paths_result).ci.should_skip ||
+          !fromJSON(steps.skip.outputs.paths_result).sources.should_skip
+        run: pdm run lint
+        env:
+          PRE_COMMIT_COLOR: always
+
+      - name: Test
+        timeout-minutes: 20
+        if: |
+          !steps.skip.outputs.should_skip ||
+          !fromJSON(steps.skip.outputs.paths_result).project.should_skip ||
+          !fromJSON(steps.skip.outputs.paths_result).ci.should_skip ||
+          !fromJSON(steps.skip.outputs.paths_result).sources.should_skip
+        run: pdm run test
+
+      - name: Publish test reports
+        timeout-minutes: 10
+        if: always()
+        uses: pmeier/[email protected]
+        with:
+          path: tests/.tests.xml
+          title: Test results
+          summary: true
+          display-options: fEX
+          fail-on-empty: false

.github/workflows/release-drafter.yml

@@ -0,0 +1,23 @@
+name: release drafter
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  update_release_draft:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ledgerhq-shared-small
+    steps:
+      - name: update release draft
+        uses: release-drafter/release-drafter@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,59 @@
+name: release
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  id-token: write
+  attestations: write
+
+jobs:
+  publish:
+    name: publish python library
+    timeout-minutes: 60
+    runs-on: ledgerhq-shared-small
+    steps:
+      - name: Login to Ledger Artifactory
+        timeout-minutes: 10
+        id: jfrog-login
+        uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
+
+      - name: Checkout
+        timeout-minutes: 10
+        uses: actions/checkout@v4
+
+      - name: Setup python / PDM
+        timeout-minutes: 10
+        uses: ./.github/actions/pdm
+
+      - name: Install dependencies
+        timeout-minutes: 10
+        run: pdm install --dev --check --frozen-lockfile
+        env:
+          FURY_TOKEN: ${{ secrets.PYPI_DEPLOY_TOKEN}}
+
+      - name: Build distribution artifacts
+        timeout-minutes: 10
+        run: pdm build
+
+      - name: Generate build attestations
+        timeout-minutes: 10
+        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+        with:
+          subject-path: dist/*
+
+      - name: Sign distribution artifacts
+        timeout-minutes: 10
+        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+        with:
+          path: dist
+
+      - name: Upload distribution artifacts to Ledger Artifactory repository
+        timeout-minutes: 10
+        env:
+          PDM_PUBLISH_REPO: https://jfrog.ledgerlabs.net/artifactory/api/pypi/vault-pypi-prod-green
+          PDM_PUBLISH_USERNAME: ${{ steps.jfrog-login.outputs.oidc-user }}
+          PDM_PUBLISH_PASSWORD: ${{ steps.jfrog-login.outputs.oidc-token }}
+        run: pdm publish --no-build