
Improve supply chain and publishing security #294

Merged
merged 4 commits into trunk from dev/lopopolo-python-3.13
Feb 8, 2025

Conversation

lopopolo
Member

@lopopolo lopopolo commented Feb 8, 2025

  • Upgrade to Python 3.13.
  • Replace black with `ruff format`.
  • Replace mypy with pyright. pyright is a stricter type checker.
  • Fix pyright errors.
  • Replace rake with invoke.
  • Remove all Ruby dependencies from this repository.
  • Use `uv` for Python dependency management and locking.
  • Remove requirements.txt and dev-requirements.txt.
  • Use uv for setting up python and venvs in CI and nightly publishing flows.
  • Disable caching in nightly workflow to defend against cache poisoning attacks.
  • Lock all actions by SHA, even GitHub and Artichoke owned ones.
  • Always pass `persist-credentials: false` to actions/checkout.
  • Lock `yamllint` dependency.
  • Drop permissions in all GitHub Actions workflows.
  • Use env substitutions to defend against template injection in GitHub actions job steps.
  • Pass zizmor pedantic level.
@lopopolo lopopolo added A-deps Area: Source and library dependencies. A-build Area: CI build infrastructure. A-security Area: Security vulnerabilities and unsoundness issues. labels Feb 8, 2025
@lopopolo lopopolo merged commit dfcf7c1 into trunk Feb 8, 2025
6 checks passed
@lopopolo lopopolo deleted the dev/lopopolo-python-3.13 branch February 8, 2025 20:50
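The following workflow is an added illustration of the hardening measures the PR description lists (SHA-pinned actions, `persist-credentials: false`, dropped default permissions, caching disabled for the publish job, and untrusted expressions routed through `env`). It is not the PR's own diff and not Artichoke's workflow file. The commit SHAs are placeholders to be replaced with verified full commit hashes, the `enable-cache` input name is taken from the `astral-sh/setup-uv` action as I recall it and should be checked against that action's README, and the `uv run invoke build` task and the `note` input are constructed for the example.

```yaml
# Added example (not the PR's diff): a nightly publish workflow hardened
# along the lines of the PR description. Placeholders are marked as such.
name: nightly

on:
  schedule:
    - cron: "0 0 * * *"            # constructed schedule
  workflow_dispatch:
    inputs:
      note:                        # constructed input; user-supplied text is untrusted
        description: "Free-text note for the run log"
        required: false
        default: ""

# Drop the default GITHUB_TOKEN grants for every job. Each job then asks
# only for what it needs (here: read-only checkout).
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Before: `uses: actions/checkout@v4` -- a mutable tag that can be
      # moved to different code later. After: pin to an immutable full
      # commit SHA; keep the version as a trailing comment so update
      # tooling can still recognise and bump it.
      - uses: actions/checkout@<FULL_40_HEX_COMMIT_SHA> # vX.Y.Z (placeholder)
        with:
          # Do not leave the token in .git/config where later steps
          # (or a compromised dependency) could read it.
          persist-credentials: false

      # Before: actions/cache or a pip cache restored from a shared key.
      # After: uv provisions the interpreter and venv from the lock file
      # with no cache, so a poisoned cache entry cannot feed the build.
      - uses: astral-sh/setup-uv@<FULL_40_HEX_COMMIT_SHA> # vX.Y.Z (placeholder)
        with:
          enable-cache: false        # verify this input name against setup-uv's README
      - run: uv python install 3.13
      - run: uv sync --locked        # refuse to run if uv.lock is out of date

      # Before (template injection): the expression is substituted into the
      # script text before the shell runs it, so untrusted input becomes
      # shell code:
      #   run: echo "Note: ${{ inputs.note }}"
      # After: pass the value through env. The shell receives a variable,
      # and quoting "$NOTE" keeps it data rather than code.
      - name: Log trigger
        env:
          NOTE: ${{ inputs.note }}
        run: printf 'Note: %s\n' "$NOTE"

      - run: uv run invoke build     # constructed task name
```

The same pattern (env indirection, SHA pins, `persist-credentials: false`, job-level `permissions`) applies to every workflow in a repository, not just the publishing one; a workflow auditor such as zizmor flags the remaining deviations so they can be fixed before merge.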