Misc lint fixes

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
This commit is contained in:
Facundo Tuesca 2024-05-16 19:43:17 +02:00
parent b526ff8902
commit f267787a9d
1 changed files with 23 additions and 17 deletions

View File

@ -9,11 +9,11 @@ from sigstore.oidc import IdentityError, IdentityToken, detect_credential
from sigstore.sign import Signer, SigningContext from sigstore.sign import Signer, SigningContext
# Be very verbose. # Be very verbose.
sigstore_logger = logging.getLogger("sigstore") sigstore_logger = logging.getLogger('sigstore')
sigstore_logger.setLevel(logging.DEBUG) sigstore_logger.setLevel(logging.DEBUG)
sigstore_logger.addHandler(logging.StreamHandler()) sigstore_logger.addHandler(logging.StreamHandler())
_GITHUB_STEP_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY")) _GITHUB_STEP_SUMMARY = Path(os.getenv('GITHUB_STEP_SUMMARY'))
# The top-level error message that gets rendered. # The top-level error message that gets rendered.
# This message wraps one of the other templates/messages defined below. # This message wraps one of the other templates/messages defined below.
@ -40,46 +40,52 @@ permissions:
``` ```
Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings. Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.
""" """ # noqa: S105; not a password
def die(msg: str) -> NoReturn: def die(msg: str) -> NoReturn:
with _GITHUB_STEP_SUMMARY.open("a", encoding="utf-8") as io: with _GITHUB_STEP_SUMMARY.open('a', encoding='utf-8') as io:
print(_ERROR_SUMMARY_MESSAGE.format(message=msg), file=io) print(_ERROR_SUMMARY_MESSAGE.format(message=msg), file=io)
# HACK: GitHub Actions' annotations don't work across multiple lines naively; # HACK: GitHub Actions' annotations don't work across multiple lines naively;
# translating `\n` into `%0A` (i.e., HTML percent-encoding) is known to work. # translating `\n` into `%0A` (i.e., HTML percent-encoding) is known to work.
# See: https://github.com/actions/toolkit/issues/193 # See: https://github.com/actions/toolkit/issues/193
msg = msg.replace("\n", "%0A") msg = msg.replace('\n', '%0A')
print(f"::error::Attestation generation failure: {msg}", file=sys.stderr) print(f'::error::Attestation generation failure: {msg}', file=sys.stderr)
sys.exit(1) sys.exit(1)
def debug(msg: str): def debug(msg: str):
print(f"::debug::{msg}", file=sys.stderr) print(f'::debug::{msg}', file=sys.stderr)
# pylint: disable=redefined-outer-name # pylint: disable=redefined-outer-name
def attest_dist(dist: Path, signer: Signer) -> None: def attest_dist(dist: Path, signer: Signer) -> None:
# We are the publishing step, so there should be no pre-existing publish # We are the publishing step, so there should be no pre-existing publish
# attestation. The presence of one indicates user confusion. # attestation. The presence of one indicates user confusion.
attestation_path = Path(f"{dist}.publish.attestation") attestation_path = Path(f'{dist}.publish.attestation')
if attestation_path.is_file(): if attestation_path.is_file():
die(f"{dist} already has a publish attestation: {attestation_path}") die(f'{dist} already has a publish attestation: {attestation_path}')
payload = AttestationPayload.from_dist(dist) payload = AttestationPayload.from_dist(dist)
attestation = payload.sign(signer) attestation = payload.sign(signer)
attestation_path.write_text(attestation.model_dump_json(), encoding="utf-8") attestation_path.write_text(attestation.model_dump_json(), encoding='utf-8')
debug(f"saved publish attestation: {dist=} {attestation_path=}") debug(f'saved publish attestation: {dist=} {attestation_path=}')
def get_identity_token() -> IdentityToken:
# Will raise `sigstore.oidc.IdentityError` if it fails to get the token
# from the environment or if the token is malformed.
# NOTE: audience is always sigstore.
oidc_token = detect_credential()
return IdentityToken(oidc_token)
packages_dir = Path(sys.argv[1]) packages_dir = Path(sys.argv[1])
try: try:
# NOTE: audience is always sigstore. identity = get_identity_token()
oidc_token = detect_credential()
identity = IdentityToken(oidc_token)
except IdentityError as identity_error: except IdentityError as identity_error:
# NOTE: We only perform attestations in trusted publishing flows, so we # NOTE: We only perform attestations in trusted publishing flows, so we
# don't need to re-check for the "PR from fork" error mode, only # don't need to re-check for the "PR from fork" error mode, only
@ -88,8 +94,8 @@ except IdentityError as identity_error:
die(cause) die(cause)
# Collect all sdists and wheels. # Collect all sdists and wheels.
dists = [sdist.absolute() for sdist in packages_dir.glob("*.tar.gz")] dists = [sdist.absolute() for sdist in packages_dir.glob('*.tar.gz')]
dists.extend(whl.absolute() for whl in packages_dir.glob("*.whl")) dists.extend(whl.absolute() for whl in packages_dir.glob('*.whl'))
with SigningContext.production().signer(identity, cache=True) as signer: with SigningContext.production().signer(identity, cache=True) as signer:
for dist in dists: for dist in dists:
@ -97,6 +103,6 @@ with SigningContext.production().signer(identity, cache=True) as signer:
# download-artifact will create a subdirectory with the same name # download-artifact will create a subdirectory with the same name
# as the artifact being downloaded, e.g. `dist/foo.whl/foo.whl`. # as the artifact being downloaded, e.g. `dist/foo.whl/foo.whl`.
if not dist.is_file(): if not dist.is_file():
die(f"Path looks like a distribution but is not a file: {dist}") die(f'Path looks like a distribution but is not a file: {dist}')
attest_dist(dist, signer) attest_dist(dist, signer)