An opinionated Python package/application template repository, with SLSA and SBOM support built in, enabled for security scanners, code linters, typing, testing and code coverage monitoring, and release automation for reproducible builds.
Git allows for signing commits and tags, see also the Signing Your Work chapter. Furthermore, twine upload allows for signing packages when uploading them to a PyPI server.
Related to PR https://github.com/jenstroeger/python-package-template/pull/306 and issue https://github.com/commitizen-tools/commitizen/issues/575, I wanted to keep the discussion going on signing and verifying signatures in an automated workflow. Signing commits and tags not only generated by a local user (who needs to sign commits locally) but also generated by the release.yaml Action: https://github.com/jenstroeger/python-package-template/blob/f41b0e6a46061081370253b9ac17a1b62b5c85dc/.github/workflows/release.yaml#L55-L60 and https://github.com/jenstroeger/python-package-template/blob/f41b0e6a46061081370253b9ac17a1b62b5c85dc/.github/workflows/release.yaml#L140-L145
Read the linked issue for more information, and take a look at the How to use GPG key in github actions? Also related is issue https://github.com/actions/runner/issues/667.
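A release-workflow job that signs the release tag with a GPG key held in a repository secret and verifies the signature before pushing, added here as an illustration of the automated signing discussed above; it is not the template's own release.yaml and uses no third-party action. The secret name GPG_PRIVATE_KEY (an ASCII-armored, passphrase-less private key), the workflow input `version` and the bot identity are assumptions.

```yaml
# Added example, not the template's release.yaml. Assumes the secret
# GPG_PRIVATE_KEY holds an ASCII-armored private key without a passphrase.
name: release
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version to tag, e.g. 1.2.3"
        required: true

jobs:
  sign-tag:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only what pushing the tag needs
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Import signing key
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          # Throw-away keyring, exported to later steps via GITHUB_ENV
          export GNUPGHOME="$(mktemp -d)"
          echo "GNUPGHOME=$GNUPGHOME" >> "$GITHUB_ENV"
          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import
          # Long key ID is field 5 of the 'sec' record in colon output
          KEY_ID="$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')"
          git config --global user.signingkey "$KEY_ID"
          git config --global user.name "release-bot"            # assumed identity
          git config --global user.email "release-bot@example.invalid"
          git config --global tag.gpgSign true

      - name: Create and verify signed tag
        env:
          VERSION: ${{ github.event.inputs.version }}   # via env, never inlined into the script
        run: |
          TAG="v${VERSION}"
          git tag -s "$TAG" -m "Release $TAG"
          # Fail the job unless the tag carries a valid signature from the imported key
          git verify-tag "$TAG"
          git push origin "$TAG"

      - name: Remove key material
        if: always()
        run: rm -rf "$GNUPGHOME"
```

Because `git verify-tag` exits non-zero on a missing or bad signature, an unsigned tag never reaches the remote; consumers can run the same command after fetching the tag.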