1
0
mirror of https://github.com/pypa/gh-action-pypi-publish synced 2024-11-30 21:22:28 +08:00

Misc lint fixes

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
This commit is contained in:
Facundo Tuesca 2024-05-16 19:43:17 +02:00
parent b526ff8902
commit f267787a9d

View File

@ -9,11 +9,11 @@ from sigstore.oidc import IdentityError, IdentityToken, detect_credential
from sigstore.sign import Signer, SigningContext
# Be very verbose.
sigstore_logger = logging.getLogger("sigstore")
sigstore_logger = logging.getLogger('sigstore')
sigstore_logger.setLevel(logging.DEBUG)
sigstore_logger.addHandler(logging.StreamHandler())
_GITHUB_STEP_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY"))
_GITHUB_STEP_SUMMARY = Path(os.getenv('GITHUB_STEP_SUMMARY'))
# The top-level error message that gets rendered.
# This message wraps one of the other templates/messages defined below.
@ -40,46 +40,52 @@ permissions:
```
Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.
"""
""" # noqa: S105; not a password
def die(msg: str) -> NoReturn:
with _GITHUB_STEP_SUMMARY.open("a", encoding="utf-8") as io:
with _GITHUB_STEP_SUMMARY.open('a', encoding='utf-8') as io:
print(_ERROR_SUMMARY_MESSAGE.format(message=msg), file=io)
# HACK: GitHub Actions' annotations don't work across multiple lines naively;
# translating `\n` into `%0A` (i.e., HTML percent-encoding) is known to work.
# See: https://github.com/actions/toolkit/issues/193
msg = msg.replace("\n", "%0A")
print(f"::error::Attestation generation failure: {msg}", file=sys.stderr)
msg = msg.replace('\n', '%0A')
print(f'::error::Attestation generation failure: {msg}', file=sys.stderr)
sys.exit(1)
def debug(msg: str):
print(f"::debug::{msg}", file=sys.stderr)
print(f'::debug::{msg}', file=sys.stderr)
# pylint: disable=redefined-outer-name
def attest_dist(dist: Path, signer: Signer) -> None:
# We are the publishing step, so there should be no pre-existing publish
# attestation. The presence of one indicates user confusion.
attestation_path = Path(f"{dist}.publish.attestation")
attestation_path = Path(f'{dist}.publish.attestation')
if attestation_path.is_file():
die(f"{dist} already has a publish attestation: {attestation_path}")
die(f'{dist} already has a publish attestation: {attestation_path}')
payload = AttestationPayload.from_dist(dist)
attestation = payload.sign(signer)
attestation_path.write_text(attestation.model_dump_json(), encoding="utf-8")
debug(f"saved publish attestation: {dist=} {attestation_path=}")
attestation_path.write_text(attestation.model_dump_json(), encoding='utf-8')
debug(f'saved publish attestation: {dist=} {attestation_path=}')
def get_identity_token() -> IdentityToken:
# Will raise `sigstore.oidc.IdentityError` if it fails to get the token
# from the environment or if the token is malformed.
# NOTE: audience is always sigstore.
oidc_token = detect_credential()
return IdentityToken(oidc_token)
packages_dir = Path(sys.argv[1])
try:
# NOTE: audience is always sigstore.
oidc_token = detect_credential()
identity = IdentityToken(oidc_token)
identity = get_identity_token()
except IdentityError as identity_error:
# NOTE: We only perform attestations in trusted publishing flows, so we
# don't need to re-check for the "PR from fork" error mode, only
@ -88,8 +94,8 @@ except IdentityError as identity_error:
die(cause)
# Collect all sdists and wheels.
dists = [sdist.absolute() for sdist in packages_dir.glob("*.tar.gz")]
dists.extend(whl.absolute() for whl in packages_dir.glob("*.whl"))
dists = [sdist.absolute() for sdist in packages_dir.glob('*.tar.gz')]
dists.extend(whl.absolute() for whl in packages_dir.glob('*.whl'))
with SigningContext.production().signer(identity, cache=True) as signer:
for dist in dists:
@ -97,6 +103,6 @@ with SigningContext.production().signer(identity, cache=True) as signer:
# download-artifact will create a subdirectory with the same name
# as the artifact being downloaded, e.g. `dist/foo.whl/foo.whl`.
if not dist.is_file():
die(f"Path looks like a distribution but is not a file: {dist}")
die(f'Path looks like a distribution but is not a file: {dist}')
attest_dist(dist, signer)