Skip to content

Add PEP 740 and pin GitHub actions#235

Merged
CoMPaTech merged 7 commits into
mainfrom
pep740
Jul 5, 2026
Merged

Add PEP 740 and pin GitHub actions#235
CoMPaTech merged 7 commits into
mainfrom
pep740

Conversation

@CoMPaTech

@CoMPaTech CoMPaTech commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • New Features

    • Release publishing now includes digital attestations for distributed packages.
  • Changes

    • Updated Python support to require Python 3.14.
    • Test and release workflows now run against Python 3.14.
    • Version updated to the next pre-release build.

@dosubot dosubot Bot added size:S This PR changes 10-29 lines, ignoring generated files. enhancement New feature or request labels Jul 5, 2026
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Adds PEP 740 attestation generation steps to the merge and verify GitHub Actions workflows using astral-sh/attest-action@v1, restricts the pytest matrix and package requirement to Python 3.14, bumps the package version to 0.6.10a0, and documents the change in the changelog.

Changes

CI Attestation and Version Updates

Layer / File(s) Summary
PEP 740 attestation steps
.github/workflows/merge.yml, .github/workflows/verify.yml
Adds conditional "Generate PEP 740 Attestations" steps using astral-sh/attest-action@v1 against dist/, gated on should_publish == 'true'.
Python 3.14-only support and version bump
.github/workflows/verify.yml, pyproject.toml, CHANGELOG.md
Reduces the pytest matrix to ["3.14"], updates requires-python and classifiers to drop 3.13, bumps version to 0.6.10a0, and adds a changelog entry for 0.6.10.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • CoMPaTech/python-airos#18: Modifies the same publish gating logic around the should_publish output that this PR extends with attestation steps.

Poem

A rabbit hops through YAML fields so neat,
Stamping builds with PEP 740's seal complete,
3.13 hops away, 3.14 takes the lead,
Version 0.6.10 planted like a seed,
Changelog updated — hop hop, all's clean! 🐇✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly reflects the main change: adding PEP 740 attestations, with the GitHub Actions pinning as a secondary detail.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pep740

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

♻️ Duplicate comments (1)
CHANGELOG.md (1)

5-10: 🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

Version mismatch with pyproject.toml.

This section is titled [0.6.10], but pyproject.toml sets version = "0.6.10a0" (a PEP 440 pre-release). Align the changelog title with the actual package version, or drop the alpha suffix in pyproject.toml if this is meant to be a final release.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG.md` around lines 5 - 10, The changelog header and package version
are mismatched: the release note in CHANGELOG.md is labeled as a final 0.6.10
release while pyproject.toml still uses the 0.6.10a0 pre-release version. Update
the version identifiers so they match, either by changing the changelog entry to
the alpha version or by removing the alpha suffix in pyproject.toml if this is
intended to be a final release; use the version fields in pyproject.toml and the
top-level changelog release heading as the symbols to align.
🧹 Nitpick comments (2)
.github/workflows/verify.yml (1)

228-228: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the action to a full commit SHA.

Same supply-chain concern flagged by SonarCloud as in merge.yml — astral-sh/attest-action@v1 should be pinned to a commit SHA.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/verify.yml at line 228, The workflow step using
astral-sh/attest-action@v1 is not pinned tightly enough; replace the version tag
with a full commit SHA in the verify workflow. Update the attestation step to
reference the exact commit for astral-sh/attest-action, matching the pinning
approach used elsewhere in the repo for security consistency.

Source: Linters/SAST tools

.github/workflows/merge.yml (1)

75-75: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the action to a full commit SHA.

astral-sh/attest-action@v1 is a floating tag; SonarCloud flags this as a supply-chain risk. Pin to the commit SHA (with a version comment) for reproducibility and to guard against tag re-pointing.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/merge.yml at line 75, The workflow currently uses
astral-sh/attest-action@v1, which is a floating tag and should be replaced with
a full commit SHA for supply-chain safety. Update the action reference in
merge.yml to pin it to an exact commit, and keep the version comment alongside
it so the intended release remains clear. Use the astral-sh/attest-action step
as the location to make this change.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/merge.yml:
- Around line 73-77: The Generate PEP 740 Attestations step is using an invalid
step output reference, so it will always be skipped. Update the publishing job’s
attestation step to remove the redundant condition or reference the correct
output source from the job context, since `check_package` is not defined in this
job; use the existing `determine_version`/job-level publish gate and the
`Generate PEP 740 Attestations` step to locate the change.

In `@pyproject.toml`:
- Line 7: Version metadata is inconsistent between the release config and
changelog: pyproject.toml uses the pre-release version 0.6.10a0 while the
release entry is labeled as 0.6.10. Update the version fields to match the
intended release type by either removing the alpha suffix in the pyproject.toml
version if this is a stable release, or changing the changelog title to 0.6.10a0
if this is intentionally a pre-release; check the version string in
pyproject.toml and the release heading in CHANGELOG.md so they align.

---

Duplicate comments:
In `@CHANGELOG.md`:
- Around line 5-10: The changelog header and package version are mismatched: the
release note in CHANGELOG.md is labeled as a final 0.6.10 release while
pyproject.toml still uses the 0.6.10a0 pre-release version. Update the version
identifiers so they match, either by changing the changelog entry to the alpha
version or by removing the alpha suffix in pyproject.toml if this is intended to
be a final release; use the version fields in pyproject.toml and the top-level
changelog release heading as the symbols to align.

---

Nitpick comments:
In @.github/workflows/merge.yml:
- Line 75: The workflow currently uses astral-sh/attest-action@v1, which is a
floating tag and should be replaced with a full commit SHA for supply-chain
safety. Update the action reference in merge.yml to pin it to an exact commit,
and keep the version comment alongside it so the intended release remains clear.
Use the astral-sh/attest-action step as the location to make this change.

In @.github/workflows/verify.yml:
- Line 228: The workflow step using astral-sh/attest-action@v1 is not pinned
tightly enough; replace the version tag with a full commit SHA in the verify
workflow. Update the attestation step to reference the exact commit for
astral-sh/attest-action, matching the pinning approach used elsewhere in the
repo for security consistency.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f256da0c-4846-448a-b017-ffcb6856b073

📥 Commits

Reviewing files that changed from the base of the PR and between 6b07778 and 81f780c.

📒 Files selected for processing (4)
  • .github/workflows/merge.yml
  • .github/workflows/verify.yml
  • CHANGELOG.md
  • pyproject.toml

Comment thread .github/workflows/merge.yml Outdated
Comment thread pyproject.toml Outdated
Comment thread .github/workflows/merge.yml Fixed
Comment thread .github/workflows/verify.yml Fixed
@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 85.29%. Comparing base (6b07778) to head (54a587d).

Files with missing lines Patch % Lines
airos/helpers.py 0.00% 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main     #235   +/-   ##
=======================================
  Coverage   85.29%   85.29%           
=======================================
  Files           8        8           
  Lines         775      775           
=======================================
  Hits          661      661           
  Misses        114      114           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@sonarqubecloud

sonarqubecloud Bot commented Jul 5, 2026

Copy link
Copy Markdown

@CoMPaTech CoMPaTech changed the title Add PEP 740 Add PEP 740 and pin GitHub actions Jul 5, 2026
@CoMPaTech CoMPaTech merged commit 3bd0f70 into main Jul 5, 2026
13 of 14 checks passed
@CoMPaTech CoMPaTech deleted the pep740 branch July 5, 2026 10:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request size:S This PR changes 10-29 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants