Initial split from sigstore-python

.github/dependabot.yml

@@ -0,0 +1,24 @@
+version: 2
+
+updates:
+  - package-ecosystem: pip
+    directory: "/install"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 99
+    allow:
+    - dependency-type: direct
+    - dependency-type: indirect
+    rebase-strategy: "disabled"
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 99
+    rebase-strategy: "disabled"

.github/workflows/ci.yml

@@ -0,0 +1,57 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  schedule:
+    - cron: '0 12 * * *'
+
+jobs:
+  test:
+    permissions:
+      # Needed to access the workflow's OIDC identity.
+      id-token: write
+    strategy:
+      matrix:
+        conf:
+          - { py: "3.7", os: "ubuntu-latest" }
+          - { py: "3.8", os: "ubuntu-latest" }
+          - { py: "3.9", os: "ubuntu-latest" }
+          - { py: "3.10", os: "ubuntu-latest" }
+          - { py: "3.11", os: "ubuntu-latest" }
+          # NOTE: We only test Windows and macOS on the latest Python;
+          # these primarily exist to ensure that we don't accidentally
+          # introduce Linux-isms into the development tooling.
+          - { py: "3.11", os: "windows-latest" }
+          - { py: "3.11", os: "macos-latest" }
+    runs-on: ${{ matrix.conf.os }}
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        with:
+          python-version: ${{ matrix.conf.py }}
+          cache: "pip"
+          cache-dependency-path: pyproject.toml
+
+      - name: deps
+        run: make dev ID_EXTRA=test
+
+      - name: test
+        run: make test TEST_ARGS="-vv --showlocals"
+
+  all-tests-pass:
+    if: always()
+
+    needs:
+    - test
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: check test jobs
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/lint.yml

@@ -0,0 +1,74 @@
+name: Lint
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+      # NOTE: We intentionally lint against our minimum supported Python.
+      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        with:
+          python-version: "3.7"
+          cache: "pip"
+          cache-dependency-path: pyproject.toml
+
+      - name: deps
+        run: make dev ID_EXTRA=lint
+
+      - name: lint
+        run: make lint
+
+  check-readme:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+      # NOTE: We intentionally check `--help` rendering against our minimum Python,
+      # since it changes slightly between Python versions.
+      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        with:
+          python-version: "3.7"
+          cache: "pip"
+          cache-dependency-path: pyproject.toml
+
+      - name: deps
+        run: make dev
+
+      - name: check-readme
+        run: make check-readme
+
+  licenses:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      # adapted from Warehouse's bin/licenses
+      - run: |
+          for fn in $(find . -type f -name "*.py"); do
+            if [[ ! "$(head -5 $fn | grep "^ *\(#\|\*\|\/\/\) .* License\(d*\)")" ]]; then
+              echo "${fn} is missing a license"
+              exit 1
+            fi
+          done
+
+  all-lints-pass:
+    if: always()
+
+    needs:
+    - lint
+    - check-readme
+    - licenses
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: check lint jobs
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/release.yml

@@ -0,0 +1,125 @@
+name: Release
+
+on:
+  release:
+    types:
+      - published
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  build:
+    name: Build and sign artifacts
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        with:
+          python-version: "3.x"
+          cache: "pip"
+          cache-dependency-path: pyproject.toml
+
+      - name: deps
+        run: python -m pip install -U build sigstore
+
+      - name: build
+        run: python -m build
+
+      - name: sign
+        run: |
+          mkdir -p signing-artifacts
+
+          # Sign using the ambient OIDC identity
+          for dist in dist/*; do
+            dist_base="$(basename "${dist}")"
+
+            # NOTE: signing artifacts currently go in a separate directory,
+            # to avoid confusing the package uploader (which otherwise tries
+            # to upload them to PyPI and fails). Future versions of twine
+            # and the gh-action-pypi-publish action should support these artifacts.
+            python -m sigstore sign "${dist}" \
+              --output-signature signing-artifacts/"${dist_base}.sig" \
+              --output-certificate signing-artifacts/"${dist_base}.crt"
+
+          done
+
+      - name: Generate hashes for provenance
+        shell: bash
+        id: hash
+        run: |
+          # sha256sum generates sha256 hash for all artifacts.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          # sha256sum artifact1 artifact2 ... | base64 -w0
+          echo "hashes=$(sha256sum ./dist/* | base64 -w0)" >> $GITHUB_OUTPUT
+
+      - name: Upload built packages
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: built-packages
+          path: ./dist/
+          if-no-files-found: warn
+
+      - name: Upload signing-artifacts
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: signing-artifacts
+          path: signing-artifacts/
+          if-no-files-found: warn
+
+  generate-provenance:
+    needs: [build]
+    name: Generate build provenance
+    permissions:
+      actions: read   # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    # Currently this action needs to be referred by tag. More details at:
+    # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
+    with:
+      attestation-name: provenance-sigstore-${{ github.event.release.tag_name }}.intoto.jsonl
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163
+      upload-assets: true
+
+  release-pypi:
+    needs: [build, generate-provenance]
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - name: Download artifacts directories # goes to current working directory
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+
+      - name: publish
+        uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc
+        with:
+          user: __token__
+          password: ${{ secrets.PYPI_TOKEN }}
+          packages_dir: built-packages/
+
+  release-github:
+    needs: [build, generate-provenance]
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload release assets.
+      contents: write
+    steps:
+      - name: Download artifacts directories # goes to current working directory
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+
+      - name: Upload artifacts to GitHub
+        # Confusingly, this action also supports updating releases, not
+        # just creating them. This is what we want here, since we've manually
+        # created the release that triggered the action.
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+        with:
+          # signing-artifacts/ contains the signatures and certificates.
+          files: |
+            built-packages/*
+            signing-artifacts/*

.github/workflows/scorecards-analysis.yml

@@ -0,0 +1,57 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  workflow_dispatch: # Manual
+  branch_protection_rule:
+  schedule:
+    - cron: '30 4 * * 0'
+  push:
+    branches: [ main ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+      # Needed to access GitHub's OIDC token which ensures the uploaded results integrity.
+      id-token: write
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Read-only PAT token. To create it,
+          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          # Publish the results to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`,
+          # regardless of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional).
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@515828d97454b8354517688ddc5b48402b723750 # v1.0.26
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -0,0 +1,9 @@
+env/
+pip-wheel-metadata/
+*.egg-info/
+__pycache__/
+.coverage*
+html/
+dist/
+.python-version
+build

CHANGELOG.md

@@ -0,0 +1,12 @@
+# Changelog
+
+All notable changes to `id` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+## [Unreleased]
+
+* Initial split from https://github.com/sigstore/sigstore-python
+
+<!--Release URLs -->
+[Unreleased]: https://github.com/di/sigstore-python/compare/v1.0.0...HEAD