
Add PEP 740 and pin GitHub actions #891

Merged: bouwew merged 7 commits into main from pep740 on Jul 5, 2026
Conversation

CoMPaTech (Member) commented Jul 5, 2026

Summary by CodeRabbit

  • New Features

    • Published releases now include PEP 740 digital attestations to improve supply-chain verification.
  • Chores

    • Updated CI/CD workflows to use pinned action references for more deterministic runs.
    • Adjusted caching versioning to align with the updated workflow restore behavior.
    • Bumped the project to version 1.12.1a0.
  • Documentation

    • Added a changelog entry for v1.12.1 describing the attestations and workflow updates.

@CoMPaTech CoMPaTech requested a review from a team as a code owner July 5, 2026 10:37
coderabbitai Bot (Contributor) commented Jul 5, 2026

Warning

Review limit reached

@CoMPaTech, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 18 minutes


Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4fa2cc69-d100-48ed-af58-1091590bbedc

📥 Commits

Reviewing files that changed from the base of the PR and between 1f77909 and 7137dfb.

📒 Files selected for processing (3)
  • .github/workflows/merge.yml
  • .github/workflows/verify.yml
  • CHANGELOG.md
Walkthrough

This PR pins GitHub Actions in merge and verify workflows, adjusts cache version values, adds gated PEP 740 attestation generation steps, and updates release metadata in CHANGELOG.md and pyproject.toml.

Changes

CI workflow hardening and release metadata

  • merge.yml cache version, checkout pinning, attestation step (.github/workflows/merge.yml): CACHE_VERSION changes from 11 to 1, actions/checkout is pinned to a commit SHA, and a gated PEP 740 attestation step is added before PyPI publish.
  • verify.yml cache version and early job action pinning (.github/workflows/verify.yml): CACHE_VERSION changes from 3 to 2, and checkout, Python setup, and internal workflow actions are pinned across the cache, prepare, ruff, and commitcheck jobs.
  • verify.yml pytest, mypy, shellcheck, dependencies_check action pinning (.github/workflows/verify.yml): checkout, setup-python, restore-venv, and upload-artifact are pinned across the pytest, mypy, shellcheck, and dependencies_check jobs.
  • verify.yml coverage, publishing, and complexity job pinning plus attestation (.github/workflows/verify.yml): coverage and complexity jobs pin checkout, restore-venv, download-artifact, and codecov-action; test-publishing adds a gated PEP 740 attestation step.
  • Changelog and version bump (CHANGELOG.md, pyproject.toml): CHANGELOG.md adds a v1.12.1 entry, and pyproject.toml updates the project version to 1.12.1a0.

Estimated code review effort: 2 (Simple) | ~12 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActionsWorkflow as GitHub Actions workflow
  participant CheckPackage as check_package
  participant AttestAction as astral-sh/attest-action
  participant PyPI as PyPI publish step

  GitHubActionsWorkflow->>CheckPackage: read should_publish output
  CheckPackage-->>GitHubActionsWorkflow: true
  GitHubActionsWorkflow->>AttestAction: generate PEP 740 attestations
  AttestAction-->>GitHubActionsWorkflow: attestations ready
  GitHubActionsWorkflow->>PyPI: publish package


Suggested labels: enhancement, dependencies, github_actions

Suggested reviewers: bouwew

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: PEP 740 attestations and pinning GitHub Actions.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot requested a review from bouwew July 5, 2026 10:37
@coderabbitai coderabbitai Bot added dependencies Pull requests that update a dependency file enhancement New feature or request labels Jul 5, 2026
@CoMPaTech CoMPaTech marked this pull request as draft July 5, 2026 10:40

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In @.github/workflows/verify.yml:

  • Around line 191-194: Update the shellcheck workflow to match the other hardened checkout steps: add persist-credentials: false to the checkout used by the shellcheck job, and also to the dependencies_check and test-publishing checkouts. While you're in the shellcheck job, replace ludeeus/action-shellcheck@master with a pinned SHA reference so it is no longer a floating branch. Use the existing checkout/action names to locate the affected steps and keep the rollout consistent with the ruff and mypy jobs.
  • Around line 283-285: The Generate PEP 740 Attestations step is missing the required paths input for astral-sh/attest-action, so the attestation job cannot find artifacts automatically. Update the workflow step that uses astral-sh/attest-action in verify.yml to pass an explicit distribution glob via paths, using the existing should_publish gate to keep the behavior unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6c1c8432-a6c5-4b12-9a69-3e074f67e147

📥 Commits

Reviewing files that changed from the base of the PR and between e9e558f and 92222cc.

📒 Files selected for processing (4)
  • .github/workflows/merge.yml
  • .github/workflows/verify.yml
  • CHANGELOG.md
  • pyproject.toml
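
The two inline comments above (a floating `ludeeus/action-shellcheck@master` reference, checkout steps without `persist-credentials: false`, and an attest-action step with no `paths` input) and the walkthrough's action-pinning summary are the kind of gap a small pre-merge lint catches before a reviewer has to. What follows is an added example, not code from this PR or from the plugwise project: a Python checker run over a constructed workflow that mirrors the shape of verify.yml. The 40-zero commit SHAs are placeholders rather than real pins, the `check_package`/`should_publish` gate and the job names are taken from the review text but their exact layout is assumed, and `paths` is treated as the attest-action input the review names. `persist-credentials` is a real input of actions/checkout.

```python
"""Lint a GitHub Actions workflow for the hardening gaps named in the review.

For every step with a `uses:` key the checker reports when:
  * the action reference is not a full 40-hex commit SHA (floating tag/branch);
  * an actions/checkout step does not set `persist-credentials: false`;
  * an astral-sh/attest-action step has no `paths:` glob (input name taken from
    the review comment; assumed here).
Local actions (`./path`) are skipped: they are versioned by the checkout itself.
The parser is line-based on purpose, so it runs without PyYAML.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SHA40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow modelled on the PR's verify.yml. The SHAs are
# PLACEHOLDERS ("0" * 40), not real pins; step ids and job names are assumed.
SAMPLE_WORKFLOW = """\
name: verify
on: [push]
jobs:
  ruff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<SHA>  # v4, PLACEHOLDER SHA
        with:
          persist-credentials: false
      - uses: actions/setup-python@<SHA>  # v5, PLACEHOLDER SHA
      - uses: ./.github/actions/restore-venv
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<SHA>  # PLACEHOLDER SHA, but credentials persist
      - uses: ludeeus/action-shellcheck@master
  test-publishing:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate PEP 740 Attestations
        if: steps.check_package.outputs.should_publish == 'true'
        uses: astral-sh/attest-action@<SHA>  # PLACEHOLDER SHA
        with:
          paths: dist/*
""".replace("<SHA>", "0" * 40)


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line of the step's "- " in the workflow text
    action: str    # e.g. "actions/checkout"
    problem: str   # "unpinned" | "credentials-persisted" | "attestation-missing-paths"


def _split_steps(text: str) -> list[tuple[int, list[str]]]:
    """Group each '- ' list item with its more-indented body lines.

    Returns (start_line, body) pairs; body lines are stripped of indentation
    and the leading '- ' is removed from the first line.
    """
    steps: list[tuple[int, list[str]]] = []
    current: tuple[int, list[str]] | None = None
    indent = -1
    for no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.lstrip(" ")
        if not stripped:
            continue
        lead = len(raw) - len(stripped)
        if stripped.startswith("- "):
            if current:
                steps.append(current)
            current, indent = (no, [stripped[2:].strip()]), lead
        elif current and lead > indent:
            current[1].append(stripped.rstrip())
        else:
            if current:
                steps.append(current)
            current = None
    if current:
        steps.append(current)
    return steps


def _strip_comment(value: str) -> str:
    return value.split("#", 1)[0].strip()


def lint_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for start, body in _split_steps(text):
        uses = next((line for line in body if line.startswith("uses:")), None)
        if uses is None:
            continue  # a `run:` step, nothing to pin
        action, _, ref = _strip_comment(uses[len("uses:"):]).partition("@")
        if action.startswith("./"):
            continue  # local action, versioned by the checked-out commit
        if not SHA40.match(ref):
            findings.append(Finding(start, action, "unpinned"))
        if action == "actions/checkout" and "persist-credentials: false" not in body:
            findings.append(Finding(start, action, "credentials-persisted"))
        if action == "astral-sh/attest-action" and not any(l.startswith("paths:") for l in body):
            findings.append(Finding(start, action, "attestation-missing-paths"))
    return findings


if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}: {f.problem}")
```

Run against the sample it reports the shellcheck checkout (credentials persisted), the floating shellcheck action (unpinned) and the test-publishing checkout (both), while the ruff job, the local restore-venv action and the gated attestation step pass. Keep the `# vN` comment next to each SHA pin: it documents which release the hash corresponds to and lets dependency-update tooling recognise the pin when bumping it.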

Comment thread .github/workflows/verify.yml Outdated
Comment thread .github/workflows/verify.yml
Comment thread CHANGELOG.md Outdated
@@ -1,5 +1,11 @@
# Changelog

## v1.12.1
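Review bot: the new `## v1.12.1` heading inserted at the top of CHANGELOG.md commits the changelog to a new release number in a PR whose other changes are confined to CI workflows and release metadata; if the bump is only there to exercise attestation publishing, consider recording this entry under the next planned version instead, or stating in the entry itself that the pre-release was pushed to TestPyPI to validate the attestation step, so readers of the changelog are not left looking for functional changes in 1.12.1.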

Contributor:

Why a version-bump? There are no changes to the functional code?

Contributor:

Or is that to test the release-related update?

Member Author:

Yes, as the attestation needs to be published on PyPI

Member Author:

Seeing the intent for 1.13 - I can just drop the version increase so we only have TestPyPI checked and 1.13 being the guinea pig for attestation on release?

Member Author:

Requires rebasing the others though

bouwew (Contributor) left a comment:

LGTM besides the version-bump :)

@coderabbitai coderabbitai Bot requested a review from bouwew July 5, 2026 12:03
@coderabbitai coderabbitai Bot added the github_actions Pull requests that update Github_actions code label Jul 5, 2026
Comment thread .github/workflows/verify.yml Fixed
codecov Bot commented Jul 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (e9e558f) to head (7137dfb).

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #891   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           21        21           
  Lines         3484      3484           
=========================================
  Hits          3484      3484           


CoMPaTech (Member Author) commented:

Attestation completed for TestPyPI (https://test.pypi.org/project/plugwise/1.12.1a1/#plugwise-1.12.1a1.tar.gz), dropping version in changelog and pyproject

sonarqubecloud Bot commented Jul 5, 2026
@CoMPaTech CoMPaTech marked this pull request as ready for review July 5, 2026 12:44
@bouwew bouwew merged commit af974b3 into main Jul 5, 2026
18 checks passed
@bouwew bouwew deleted the pep740 branch July 5, 2026 13:09