chore: add ruff linting, replace RL scanner, and bump dependencies

.github/workflows/publish.yml

@@ -12,17 +12,49 @@ permissions:
 
 jobs:
   rl-scanner:
-    uses: ./.github/workflows/rl-scanner.yml
-    with:
-      python-version: "3.10"
-      artifact-name: "auth0-fastapi-api.tgz"
-    secrets:
-      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
-      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
-      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
-      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
-      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
-      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Configure Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Build artifact
+        run: |
+          pip install --user --upgrade pip
+          pip install --user pipx
+          pipx ensurepath
+          pipx install poetry
+          poetry config virtualenvs.in-project true
+          poetry install --with dev
+          poetry build
+          tar -czvf auth0-fastapi-api.tgz *
+
+      - name: Get version
+        id: get_version
+        uses: ./.github/actions/get-version
+
+      - name: Run RL Scanner
+        uses: auth0/devsecops-tooling/.github/actions/rl-scan@main
+        with:
+          artifact-name: "auth0-fastapi-api"
+          artifact-path: "auth0-fastapi-api.tgz"
+          version: ${{ steps.get_version.outputs.version }}
+          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+          SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }}
+          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+          PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }}
+
   publish-pypi:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     name: "PyPI"

.github/workflows/test.yml

@@ -67,19 +67,12 @@ jobs:
         run: |
           poetry run pytest
 
-      # - name: Run lint
-      #   run: |
-      #     pipx install black==23.3.0
-      #     pipx install flake8==5.0.4
-      #     pipx install isort==5.11.5
-      #     pipx install pyupgrade==3.3.2
-      #     black . --check
-      #     flake8 . --count --show-source --statistics
-      #     isort .  --diff --profile black
-      #     pyupgrade .  --py37-plus --keep-runtime-typing
+      - name: Run lint
+        run: |
+          poetry run ruff check .
 
       - if: ${{ matrix.python-version == '3.10' }}
         name: Upload coverage
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # pin@5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # pin@6.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.gitignore

@@ -26,3 +26,5 @@ integration_test*.py
 .coverage
 coverage.xml
 
+# AI Tools
+.claude/

.ruff.toml

@@ -0,0 +1,18 @@
+line-length = 100
+target-version = "py39"
+
+[lint]
+select = [
+    "E",   # pycodestyle errors
+    "W",   # pycodestyle warnings
+    "F",   # pyflakes
+    "I",   # isort
+    "B",   # flake8-bugbear
+    "C4",  # flake8-comprehensions
+    "UP",  # pyupgrade
+    "S",   # bandit (security)
+]
+ignore = ["E501", "B904", "B008"]  # Line too long (handled by formatter), Exception handling without from, Depends() in defaults (FastAPI convention)
+
+[lint.per-file-ignores]
+"tests/*" = ["S101", "S105", "S106", "S107"]  # Allow assert, ignore hardcoded password warnings in test files

fastapi_plugin/__init__.py

@@ -1,4 +1,3 @@
-from .fast_api_client import Auth0FastAPI
 from auth0_api_python import (
     CacheAdapter,
     ConfigurationError,
@@ -8,6 +7,8 @@
     InMemoryCache,
 )
 
+from .fast_api_client import Auth0FastAPI
+
 __all__ = [
     "Auth0FastAPI",
     "CacheAdapter",

fastapi_plugin/fast_api_client.py

@@ -1,11 +1,10 @@
-from typing import Optional, List, Union, Dict, Callable
-from fastapi import Request, HTTPException
-from starlette.responses import Response
-
-from .utils import validate_scopes, http_exception, get_canonical_url
+from typing import Callable, Optional, Union
 
 from auth0_api_python.api_client import ApiClient, ApiClientOptions, BaseAuthError
 from auth0_api_python.cache import CacheAdapter
+from fastapi import Request
+
+from .utils import get_canonical_url, http_exception, validate_scopes
 
 
 class Auth0FastAPI:
@@ -18,7 +17,7 @@ def __init__(
         self,
         domain: Optional[str] = None,
         audience: str = "",
-        domains: Optional[Union[List[str], Callable]] = None,
+        domains: Optional[Union[list[str], Callable]] = None,
         client_id=None,
         client_secret=None,
         custom_fetch=None,
@@ -73,7 +72,7 @@ def __init__(
 
     def require_auth(
         self,
-        scopes: Optional[Union[str, List[str]]] = None
+        scopes: Optional[Union[str, list[str]]] = None
     ):
         """
         Returns an async FastAPI dependency that:
@@ -83,7 +82,7 @@ def require_auth(
          4) Raises HTTPException on error
          5) On success, returns the decoded claims
         """
-        async def _dependency(request: Request) -> Dict:
+        async def _dependency(request: Request) -> dict:
             try:
                 claims = await self.api_client.verify_request(
                     headers=dict(request.headers),
@@ -97,7 +96,7 @@ async def _dependency(request: Request) -> Dict:
                     error_desc=e.get_error_description(),
                     headers=e.get_headers()
                 )
-            except Exception as e:
+            except Exception:
                 # Handle any unexpected errors
                 raise http_exception(
                     status_code=500,