vipyrsec · sid-maddy · Oct 20, 2024 · Oct 20, 2024 · Oct 20, 2024 · Oct 20, 2024
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -1,33 +1,30 @@
+---
 version: 2
-updates:
-  - package-ecosystem: "devcontainers"
-    directory: "/"
-    schedule:
-      interval: "monthly"
 
-  - package-ecosystem: "github-actions"
-    directory: "/"
+updates:
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "monthly"
+      interval: monthly
     groups:
       ci-dependencies:
         patterns:
-          - "*"
+          - '*'
 
-  - package-ecosystem: "pip"
-    directory: "/"
+  - package-ecosystem: docker
+    directory: /
     schedule:
-      interval: "monthly"
+      interval: monthly
     groups:
-      python-dependencies:
+      docker-dependencies:
         patterns:
-          - "*"
+          - '*'
 
-  - package-ecosystem: "docker"
-    directory: "/"
+  - package-ecosystem: pip
+    directory: /
     schedule:
-      interval: "monthly"
+      interval: monthly
     groups:
-      container-dependencies:
+      python-dependencies:
         patterns:
-          - "*"
+          - '*'
diff --git a/.github/workflows/image-build-push.yaml b/.github/workflows/image-build-push.yaml
@@ -1,4 +1,5 @@
-name: "Image Build and Push"
+---
+name: Image Build and Push
 
 on:
   push:
@@ -8,13 +9,145 @@ on:
       - v*
   pull_request:
 
+defaults:
+  run:
+    shell: bash
+
 permissions:
   contents: read
   packages: write
-
   # This is used to complete the identity challenge with sigstore/fulcio.
   id-token: write
 
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
   build-push:
-    uses: darbiadev/.github/.github/workflows/docker-build-push.yaml@29197a38ef3741064f47b623ede0c1ad22402c57 # v13.0.3
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20  # v3.5.0
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db  # v3.6.1
+        with:
+          platforms: ${{ matrix.platform }}
+
+      - name: Log in to container registry (${{ env.REGISTRY }})
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: docker_meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=edge
+            # FIXME: Remove explicit `latest` tag once we start tagging releases
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=tag
+            type=sha,format=long
+
+      - name: Build and push Docker image
+        id: docker_build_push
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445  # v6.5.0
+        with:
+          builder: ${{ steps.buildx.outputs.name }}
+          build-args: |
+            git_sha=${{ github.sha }}
+          cache-from: type=gha,scope=${{ matrix.platform }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.platform }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
+          platforms: ${{ matrix.platform }}
+          push: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+
+      # Sign the resulting Docker image digest.
+      # This will only write to the public Rekor transparency log when the Docker repository is public to avoid leaking
+      # data. If you would like to publish transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }}
+        # This step uses the identity token to provision an ephemeral certificate against the sigstore community Fulcio
+        # instance.
+        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker_build_push.outputs.digest }}
+
+      - name: Export digest
+        if: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }}
+        run: |
+          mkdir -p /tmp/digests
+          digest='${{ steps.docker_build_push.outputs.digest }}'
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        if: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }}
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b  # v4.3.4
+        with:
+          if-no-files-found: error
+          name: digests
+          path: /tmp/digests/*
+          retention-days: 1
+
+  merge:
+    if: ${{ github.ref == 'refs/heads/main' || startswith(github.event.ref, 'refs/tags/v') }}
+    needs:
+      - build-push
+
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16  # v4.1.8
+        with:
+          name: digests
+          path: /tmp/digests
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db  # v3.6.1
+
+      - name: Log in to container registry (${{ env.REGISTRY }})
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: docker_meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=edge
+            # FIXME: Remove explicit `latest` tag once we start tagging releases
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=tag
+            type=sha,format=long
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: >
+          docker buildx imagetools create \
+            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "${DOCKER_METADATA_OUTPUT_JSON}") \
+            $(printf ' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: >-
+          docker buildx imagetools inspect \
+            '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.docker_meta.outputs.version }}'
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -1,30 +1,35 @@
-name: "Lint and Test"
+---
+name: Lint & Test
 
 on:
-  workflow_dispatch:
   push:
     branches:
       - main
+    tags:
+      - v*
   pull_request:
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   lint_test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
-      - name: "Checkout repository"
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
 
-      - name: "Setup PDM"
-        uses: pdm-project/setup-pdm@568ddd69406b30de1774ec0044b73ae06e716aa4 # v4
+      - name: Setup PDM
+        uses: pdm-project/setup-pdm@568ddd69406b30de1774ec0044b73ae06e716aa4  # v4.1
         with:
-          python-version: "3.11"
+          python-version: '3.11'
           cache: true
 
-      - name: "Install dependencies"
-        run: pdm sync --dev
+      - name: Install dependencies
+        run: pdm install --no-self
 
-      - name: "Run precommit"
+      - name: Run pre-commit
         run: pdm pre-commit
 
-      - name: "Run tests"
+      - name: Run tests
         run: pdm test
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
@@ -0,0 +1,5 @@
+---
+MD013:
+  line_length: 120
+
+MD024: false
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,26 +1,98 @@
+---
+default_language_version:
+  python: python3
+  node: system
+
 repos:
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes
+
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # frozen: v5.0.0
     hooks:
-      - id: check-case-conflict
+      - id: check-added-large-files
       - id: check-merge-conflict
-      - id: check-toml
-      - id: check-yaml
-      - id: check-json
-      - id: trailing-whitespace
-        args: [--markdown-linebreak-ext=md]
-      - id: mixed-line-ending
-        args: [--fix=lf]
       - id: end-of-file-fixer
-        exclude: .devcontainer/devcontainer-lock.json
+      - id: name-tests-test
+        args:
+          - --pytest-test-first
+      - id: trailing-whitespace
+        args:
+          - --markdown-linebreak-ext=md
+        exclude: \.gitignore
 
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.3.0
+  - repo: local
     hooks:
-      - id: ruff
       - id: ruff-format
+        name: Ruff (Format)
+        description: Format Python files
+        language: system
+        entry: pdm run format
+        types_or:
+          - python
+          - pyi
+
+      - id: ruff-lint
+        name: Ruff (Lint)
+        description: Lint Python files
+        language: system
+        entry: pdm run lint
+        args:
+          - --exit-non-zero-on-fix
+        types_or:
+          - python
+          - pyi
 
-  - repo: https://github.com/RobertCraigie/pyright-python
-    rev: v1.1.352
-    hooks:
       - id: pyright
+        name: Pyright
+        description: Type-check Python files
+        language: system
+        entry: pdm run type-check
+        types_or:
+          - python
+          - pyi
+        pass_filenames: false
+
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 37cd56d9d154dfb0648eaee8efc1040512700c47 # frozen: 0.29.4
+    hooks:
+      - id: check-github-workflows
+
+  - repo: https://github.com/lyz-code/yamlfix
+    rev: 8072181c0f2eab9f2dd8db2eb3b9556d7cd0bd74 # frozen: 1.17.0
+    hooks:
+      - id: yamlfix
+        args:
+          - --config-file
+          - .yamlfix.toml
+
+  - repo: https://github.com/adrienverge/yamllint
+    rev: 81e9f98ffd059efe8aa9c1b1a42e5cce61b640c6 # frozen: v1.35.1
+    hooks:
+      - id: yamllint
+        args:
+          - --strict
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: aa975a18c9a869648007d33864034dbc7481fe5e # frozen: v0.42.0
+    hooks:
+      - id: markdownlint-fix
+
+  - repo: https://github.com/ComPWA/taplo-pre-commit
+    rev: 23eab0f0eedcbedebff420f5fdfb284744adc7b3 # frozen: v0.9.3
+    hooks:
+      - id: taplo-format
+      - id: taplo-lint
+
+  - repo: https://github.com/sirwart/ripsecrets
+    rev: 033ec5192b738b6712701be920cba545c2775050 # frozen: v0.1.8
+    hooks:
+      - id: ripsecrets
+
+  - repo: https://github.com/crate-ci/typos
+    rev: 515e0fc2601a0905af8ad0800975c861be1074f1 # frozen: v1.26.0
+    hooks:
+      - id: typos
+        args: []