Attest build provenance of artifacts (#219)

Author: hugovk

.github/workflows/deploy.yml

@@ -14,6 +14,9 @@ on:
 permissions:
   contents: read
 
+env:
+  FORCE_COLOR: 1
+
 jobs:
   # Always build & lint package.
   build-package:
@@ -38,6 +41,7 @@ jobs:
     needs: build-package
 
     permissions:
+      attestations: write
       id-token: write
 
     steps:
@@ -47,6 +51,11 @@ jobs:
           name: Packages
           path: dist
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "dist/*"
+
       - name: Upload package to Test PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
@@ -62,6 +71,7 @@ jobs:
     needs: build-package
 
     permissions:
+      attestations: write
       id-token: write
 
     steps:
@@ -71,5 +81,10 @@ jobs:
           name: Packages
           path: dist
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "dist/*"
+
       - name: Upload package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1

.github/workflows/lint.yml

@@ -4,6 +4,7 @@ on: [push, pull_request, workflow_dispatch]
 
 env:
   FORCE_COLOR: 1
+  PIP_DISABLE_PIP_VERSION_CHECK: 1
 
 permissions:
   contents: read

.github/workflows/test.yml

@@ -2,21 +2,20 @@ name: Test
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 env:
   FORCE_COLOR: 1
+  PIP_DISABLE_PIP_VERSION_CHECK: 1
 
 jobs:
   test:
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        # Will be fixed in 3.13.0a6: Tuesday, 2024-04-09
-        #   qs = bytes(qs)
-        #        ~~~~~^^^^
-        #   TypeError: cannot convert 'NoneType' object to bytes
-        python-version:
-          ["pypy3.10", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13.0-alpha.4"]
+        python-version: ["pypy3.10", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
         os: [windows-latest, macos-latest, ubuntu-latest]
 
     steps:
@@ -32,7 +31,6 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install -U pip
-          python -m pip install -U wheel
           python -m pip install -U tox
 
       - name: Tox tests

.pre-commit-config.yaml

@@ -32,6 +32,11 @@ repos:
       - id: check-github-workflows
       - id: check-renovate
 
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.1
+    hooks:
+      - id: actionlint
+
   #  - repo: https://github.com/pre-commit/mirrors-mypy
   #    rev: v1.7.0
   #    hooks:

pyproject.toml

@@ -78,20 +78,27 @@ lint.select = [
   "EM",     # flake8-errmsg
   "F",      # pyflakes errors
   "I",      # isort
+  "ICN",    # flake8-import-conventions
   "ISC",    # flake8-implicit-str-concat
   "LOG",    # flake8-logging
   "PGH",    # pygrep-hooks
+  "PYI",    # flake8-pyi
+  "RUF022", # unsorted-dunder-all
   "RUF100", # unused noqa (yesqa)
   "UP",     # pyupgrade
   "W",      # pycodestyle warnings
   "YTT",    # flake8-2020
 ]
-lint.extend-ignore = [
+lint.ignore = [
   "E203", # Whitespace before ':'
   "E221", # Multiple spaces before operator
   "E226", # Missing whitespace around arithmetic operator
   "E241", # Multiple spaces after ','
 ]
+lint.flake8-import-conventions.aliases.datetime = "dt"
+lint.flake8-import-conventions.banned-from = [
+  "datetime",
+]
 lint.isort.known-first-party = [
   "norwegianblue",
 ]
@@ -104,3 +111,10 @@ max_supported_python = "3.13"
 
 [tool.pytest.ini_options]
 addopts = "--color=yes"
+filterwarnings = [
+  # Python <= 3.11
+  "ignore:sys.monitoring isn't available, using default core:coverage.exceptions.CoverageWarning",
+]
+testpaths = [
+  "tests",
+]

tox.ini

@@ -11,6 +11,8 @@ env_list =
 [testenv]
 extras =
     tests
+set_env =
+    COVERAGE_CORE = sysmon
 commands =
     {envpython} -m pytest \
       --cov norwegianblue \