Attest build provenance of artifacts (#140)

hugovk · Jun 24, 2024 · bc95761 · bc95761
2 parents c2b1faf + 27e9bbc
commit bc95761
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 21 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -14,6 +14,9 @@ on:
 permissions:
  contents: read
 
+env:
+ FORCE_COLOR: 1
+
 jobs:
  # Always build & lint package.
  build-package:
@@ -38,6 +41,7 @@ jobs:
  needs: build-package
 
  permissions:
+ attestations: write
  id-token: write
 
  steps:
@@ -47,6 +51,11 @@ jobs:
  name: Packages
  path: dist
 
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: "dist/*"
+
  - name: Upload package to Test PyPI
  uses: pypa/gh-action-pypi-publish@release/v1
  with:
@@ -62,6 +71,7 @@ jobs:
  needs: build-package
 
  permissions:
+ attestations: write
  id-token: write
 
  steps:
@@ -71,5 +81,10 @@ jobs:
  name: Packages
  path: dist
 
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: "dist/*"
+
  - name: Upload package to PyPI
  uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -4,6 +4,7 @@ on: [push, pull_request, workflow_dispatch]
 
 env:
  FORCE_COLOR: 1
+ PIP_DISABLE_PIP_VERSION_CHECK: 1
 
 permissions:
  contents: read
@@ -17,4 +18,5 @@ jobs:
  - uses: actions/setup-python@v5
  with:
  python-version: "3.x"
+ cache: pip
  - uses: pre-commit/action@v3.0.1
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,8 +2,12 @@ name: Test
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+ contents: read
+
 env:
  FORCE_COLOR: 1
+ PIP_DISABLE_PIP_VERSION_CHECK: 1
 
 jobs:
  test:
@@ -27,7 +31,6 @@ jobs:
  - name: Install dependencies
  run: |
  python -m pip install -U pip
- python -m pip install -U wheel
  python -m pip install -U tox
 
  - name: Tox tests
@@ -52,7 +55,7 @@ jobs:
  uses: codecov/codecov-action@v3.1.5
  with:
  flags: ${{ matrix.os }}
- name: ${{ matrix.os }} Python ${{ matrix.python-version }}
+ name: "${{ matrix.os }} Python ${{ matrix.python-version }}"
 
  success:
  needs: test

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,18 +1,19 @@
 repos:
  - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.3.5
+ rev: v0.4.10
  hooks:
  - id: ruff
- args: [--fix, --exit-non-zero-on-fix]
+ args: [--exit-non-zero-on-fix]
 
  - repo: https://github.com/psf/black-pre-commit-mirror
- rev: 24.3.0
+ rev: 24.4.2
  hooks:
  - id: black
 
  - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.5.0
+ rev: v4.6.0
  hooks:
+ - id: check-added-large-files
  - id: check-case-conflict
  - id: check-executables-have-shebangs
  - id: check-merge-conflict
@@ -22,16 +23,28 @@ repos:
  - id: debug-statements
  - id: end-of-file-fixer
  exclude: ^src/em_keyboard/emojis.json$
+ - id: forbid-submodules
  - id: trailing-whitespace
 
+ - repo: https://github.com/python-jsonschema/check-jsonschema
+ rev: 0.28.5
+ hooks:
+ - id: check-github-workflows
+ - id: check-renovate
+
+ - repo: https://github.com/rhysd/actionlint
+ rev: v1.7.1
+ hooks:
+ - id: actionlint
+
  - repo: https://github.com/tox-dev/pyproject-fmt
- rev: 1.7.0
+ rev: 1.8.0
  hooks:
  - id: pyproject-fmt
  additional_dependencies: [tox]
 
  - repo: https://github.com/abravalheri/validate-pyproject
- rev: v0.16
+ rev: v0.18
  hooks:
  - id: validate-pyproject
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -61,27 +61,32 @@ version.source = "vcs"
 local_scheme = "no-local-version"
 
 [tool.ruff]
+fix = true
+
+[tool.ruff.lint]
 select = [
- "C4", # flake8-comprehensions
- "E", # pycodestyle errors
- "EM", # flake8-errmsg
- "F", # pyflakes errors
- "I", # isort
- "ISC", # flake8-implicit-str-concat
- "PGH", # pygrep-hooks
+ "C4", # flake8-comprehensions
+ "E", # pycodestyle errors
+ "EM", # flake8-errmsg
+ "F", # pyflakes errors
+ "I", # isort
+ "ISC", # flake8-implicit-str-concat
+ "LOG", # flake8-logging
+ "PGH", # pygrep-hooks
+ "PYI", # flake8-pyi
  "RUF100", # unused noqa (yesqa)
- "UP", # pyupgrade
- "W", # pycodestyle warnings
- "YTT", # flake8-2020
- # "LOG", # TODO: enable flake8-logging when it's not in preview anymore
+ "RUF022", # unsorted-dunder-all
+ "UP",  # pyupgrade
+ "W",  # pycodestyle warnings
+ "YTT",  # flake8-2020
 ]
-extend-ignore = [
+ignore = [
  "E203", # Whitespace before ':'
  "E221", # Multiple spaces before operator
  "E226", # Missing whitespace around arithmetic operator
  "E241", # Multiple spaces after ','
 ]
 
-[tool.ruff.isort]
+[tool.ruff.lint.isort]
 known-first-party = ["em_keyboard"]
 required-imports = ["from __future__ import annotations"]