
fix(sdk): make okta SDK an optional extra to avoid downstream resolution conflicts #11159

Open
AdriiiPRodri wants to merge 1 commit into master from fix/okta-optional-extra

@AdriiiPRodri
Contributor

Context

The new Okta provider added in #11079 pulls okta==3.4.2. That PyPI name is shared with a legacy okta 0.0.x package that downstream consumers (e.g. cartography==0.135.0, used by prowler-cloud/prowler-cloud) still pin transitively as okta<1.0.0. As soon as #11079 hit master, every Docker build of prowler-cloud/prowler-cloud/api (which pulls prowler @ git+...@master) started failing with:

Because prowler depends on okta (3.4.2)
 and cartography (0.135.0) depends on okta (<1.0.0),
 prowler is incompatible with cartography (0.135.0).

Description

Move okta==3.4.2 out of the core [project.dependencies] into a new [project.optional-dependencies] okta = ["okta==3.4.2"] extra so consumers that do not need the Okta provider can opt out and avoid the resolution conflict. The Okta SDK imports are already isolated to prowler/providers/okta/okta_provider.py and prowler/providers/okta/lib/service/service.py, both of which are only loaded when the Okta provider is actually instantiated, so omitting the extra does not break import-time behavior elsewhere in the SDK.

To keep CI, the SDK image and end-user installs working with the provider enabled, install everywhere the provider is exercised:

  • Dockerfile: poetry install --compile --all-extras.
  • New extras input on .github/actions/setup-python-poetry/action.yml (accepts a CSV list or all), threaded through to poetry install as -E ... / --all-extras.
  • sdk-tests.yml, sdk-security.yml, sdk-code-quality.yml: pass extras: all so vulture/pylint/pytest can still import okta_provider.py.
  • poetry.lock regenerated: okta and its transitive deps (aenum, jwcrypto, pycryptodomex, pydash, xmltodict) marked optional with markers = "extra == \"okta\"".

End users now need pip install prowler[okta] (or poetry install --all-extras) to enable the Okta provider.

Steps to review

  1. Confirm pyproject.toml move: okta==3.4.2 is gone from [project.dependencies] and present under [project.optional-dependencies] okta.
  2. Confirm the resolution behaviour:
    • poetry install --no-root --dry-run -> okta skipped.
    • poetry install --no-root --all-extras --dry-run -> okta installed.
  3. Confirm the Dockerfile builds the SDK image with the Okta provider present (--all-extras).
  4. Confirm the three CI workflows pass extras: all so the Okta tests (tests/providers/okta) still resolve from okta.client import Client.
  5. Confirm poetry.lock only changes okta and its transitive deps (optional + extra marker), no other version bumps.

Checklist

  • Review if the code is being covered by tests. (No new code; existing tests under tests/providers/okta still run via extras: all.)
  • Review if code is being documented following the project style guide.
  • Review if backport is needed.
  • Review if it is needed to change the README.md (documenting pip install prowler[okta] for end users).
  • Ensure new entries are added to prowler/CHANGELOG.md (Changed section under 5.27.0).

SDK/CLI

  • Are there new checks included in this PR? No.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
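
Review steps 1 and 5 above can be checked mechanically. The script below is an added example, not code from this PR or from Prowler: it reads a pyproject.toml plus the poetry.lock before and after the change and reports anything that moved outside the extra. The function names, the example-core package and every 0.0.0 version are assumptions for illustration; only okta==3.4.2 and the Okta-related package names come from the PR description.

```python
import re
try:
    import tomllib                    # Python 3.11+
except ImportError:
    import tomli as tomllib           # assumption: backport installed on older Pythons

def req_name(req):
    """Distribution name from a requirement string such as 'okta==3.4.2'."""
    return re.split(r"[\s\[<>=!~;(]", req.strip(), maxsplit=1)[0].lower()

def review_extra(pyproject, lock_before, lock_after, package, extra, expected):
    """Return findings for review steps 1 and 5; an empty list means both pass."""
    findings = []
    project = tomllib.loads(pyproject)["project"]
    if package in map(req_name, project.get("dependencies", [])):
        findings.append(f"{package} is still a core dependency")
    extras = project.get("optional-dependencies", {})
    if package not in map(req_name, extras.get(extra, [])):
        findings.append(f"{package} is missing from extra '{extra}'")
    before = {p["name"]: p for p in tomllib.loads(lock_before)["package"]}
    marker = f'extra == "{extra}"'
    for pkg in tomllib.loads(lock_after)["package"]:
        name, old = pkg["name"], before.get(pkg["name"])
        if old is None or old["version"] != pkg["version"]:
            findings.append(f"{name}: added or version changed")
        elif name in expected:
            if not pkg.get("optional") or marker not in pkg.get("markers", ""):
                findings.append(f"{name}: not optional with marker {marker}")
        elif pkg != old:
            findings.append(f"{name}: changed but is not part of the extra")
    return findings

# Constructed sample input: only okta==3.4.2 and the package names are from the PR;
# "example-core" and every 0.0.0 version are placeholders.
OKTA_SET = {"okta", "aenum", "jwcrypto", "pycryptodomex", "pydash", "xmltodict"}

def lock(optional_names):
    entries = []
    for name in sorted(OKTA_SET | {"example-core"}):
        version = "3.4.2" if name == "okta" else "0.0.0"
        entry = f'[[package]]\nname = "{name}"\nversion = "{version}"\n'
        if name in optional_names:
            entry += 'optional = true\nmarkers = "extra == \\"okta\\""\n'
        entries.append(entry)
    return "\n".join(entries)

PYPROJECT = '[project]\ndependencies = ["example-core==0.0.0"]\n[project.optional-dependencies]\nokta = ["okta==3.4.2"]\n'
```

Calling review_extra(PYPROJECT, lock(set()), lock(OKTA_SET), "okta", "okta", OKTA_SET) returns an empty list for the constructed input; against a real checkout, pass the text of pyproject.toml and the two poetry.lock revisions instead.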

@AdriiiPRodri AdriiiPRodri requested review from a team as code owners May 13, 2026 14:53
@github-actions github-actions Bot added the github_actions Pull requests that update GitHub Actions code label May 13, 2026
@github-actions
Contributor

github-actions Bot commented May 13, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions
Contributor

github-actions Bot commented May 13, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@AdriiiPRodri AdriiiPRodri force-pushed the fix/okta-optional-extra branch from c8d4fab to 8bc2dd7 Compare May 13, 2026 14:54
@github-actions
Contributor

🔒 Container Security Scan

Image: prowler:17e37c2
Last scan: 2026-05-13 15:05:54 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 5
Total 5

5 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@codecov

codecov Bot commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.70%. Comparing base (4dd5baa) to head (8bc2dd7).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11159      +/-   ##
==========================================
+ Coverage   84.95%   88.70%   +3.75%     
==========================================
  Files        1752     1398     -354     
  Lines       58077    42429   -15648     
==========================================
- Hits        49338    37637   -11701     
+ Misses       8739     4792    -3947     
Flag Coverage Δ
prowler-py3.10-aws 90.08% <ø> (+0.01%) ⬆️
prowler-py3.10-azure 89.45% <ø> (+0.01%) ⬆️
prowler-py3.10-config ?
prowler-py3.10-gcp 89.80% <ø> (+<0.01%) ⬆️
prowler-py3.10-github 89.10% <ø> (+<0.01%) ⬆️
prowler-py3.10-googleworkspace ?
prowler-py3.10-iac ?
prowler-py3.10-kubernetes 89.46% <ø> (+<0.01%) ⬆️
prowler-py3.10-lib ?
prowler-py3.10-m365 ?
prowler-py3.10-mongodbatlas ?
prowler-py3.10-nhn 89.09% <ø> (+<0.01%) ⬆️
prowler-py3.10-okta 89.15% <ø> (+<0.01%) ⬆️
prowler-py3.10-openstack ?
prowler-py3.10-oraclecloud ?
prowler-py3.10-vercel ?
prowler-py3.11-aws 90.10% <ø> (+0.02%) ⬆️
prowler-py3.11-azure 89.46% <ø> (+0.01%) ⬆️
prowler-py3.11-config ?
prowler-py3.11-gcp 89.81% <ø> (+0.01%) ⬆️
prowler-py3.11-github 89.11% <ø> (+0.01%) ⬆️
prowler-py3.11-googleworkspace ?
prowler-py3.11-iac 88.70% <ø> (+0.02%) ⬆️
prowler-py3.11-kubernetes 89.47% <ø> (+0.01%) ⬆️
prowler-py3.11-lib ?
prowler-py3.11-m365 88.94% <ø> (+0.02%) ⬆️
prowler-py3.11-mongodbatlas ?
prowler-py3.11-nhn 89.10% <ø> (+0.01%) ⬆️
prowler-py3.11-okta 89.15% <ø> (+0.01%) ⬆️
prowler-py3.11-openstack ?
prowler-py3.11-oraclecloud ?
prowler-py3.11-vercel ?
prowler-py3.12-aws 90.08% <ø> (+0.01%) ⬆️
prowler-py3.12-azure ?
prowler-py3.12-config ?
prowler-py3.12-gcp ?
prowler-py3.12-github ?
prowler-py3.12-googleworkspace ?
prowler-py3.12-iac ?
prowler-py3.12-kubernetes ?
prowler-py3.12-lib ?
prowler-py3.12-m365 ?
prowler-py3.12-mongodbatlas ?
prowler-py3.12-nhn ?
prowler-py3.12-okta ?
prowler-py3.12-openstack ?
prowler-py3.12-oraclecloud ?
prowler-py3.12-vercel ?

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 88.70% <ø> (+3.75%) ⬆️
api ∅ <ø> (∅)