Merge branch 'main' into rstuf-add-targets

.github/workflows/ci.yml

@@ -8,7 +8,6 @@ on:
     types: [checks_requested]
   workflow_dispatch:  # generally only for the "combine-prs" workflow
 permissions:
-  id-token: write
   contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
@@ -19,9 +18,13 @@ jobs:
     runs-on: depot-ubuntu-22.04-arm
     outputs:
       buildId: ${{ steps.build.outputs.build-id}}
+    permissions:
+      id-token: write
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Depot CLI
         uses: depot/setup-action@v1
       - name: Build image
@@ -59,6 +62,8 @@ jobs:
       image: registry.depot.dev/rltf7cln5v:${{ needs.build.outputs.buildId }}
       env:
         BILLING_BACKEND: warehouse.subscriptions.services.MockStripeBillingService api_base=http://stripe:12111 api_version=2020-08-27
+    permissions:
+      id-token: write
     services:
       postgres:
         image: ${{ (matrix.name == 'Tests') && 'postgres:16.1' || '' }}
@@ -81,6 +86,8 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Cache mypy results
         if: ${{ (matrix.name == 'Lint') }}
         uses: actions/cache@v4
@@ -98,6 +105,8 @@ jobs:
     continue-on-error: true
     container:
       image: registry.depot.dev/rltf7cln5v:${{ needs.build.outputs.buildId }}
+    permissions:
+      id-token: write
     services:
       postgres:
         image: postgres:16.1
@@ -112,6 +121,8 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Dotenv Action
         # We need to load the environment variables to run the CLI
         id: dotenv

.github/workflows/codeql-analysis.yml

@@ -39,6 +39,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Set up Python
       if: matrix.language == 'python'

.github/workflows/combine-prs.yml

@@ -11,23 +11,22 @@ on:
         required: true
         default: 'blocked'
 
-# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
-permissions:
-  contents: write
-  pull-requests: write
-  checks: read
-  actions: write
-
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "combine-prs"
   combine-prs:
+    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+    permissions:
+      contents: write
+      pull-requests: write
+      checks: read
+      actions: write
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
     steps:
       - name: Use GitHub App Token
-        uses: wow-actions/use-app-token@v2.0.2
+        uses: wow-actions/use-app-token@v2.1.1
         id: generate_token
         with:
           app_id: ${{ secrets.COMBINE_PRS_APP_ID }}
@@ -36,7 +35,7 @@ jobs:
 
       - name: combine-prs
         id: combine-prs
-        uses: github/combine-prs@v5.1.0
+        uses: github/combine-prs@v5.2.0
         with:
           github_token: ${{ steps.generate_token.outputs.BOT_TOKEN }}
           ignore_label: ${{ github.event.inputs.ignoreLabel || 'blocked' }}

.github/workflows/dev-env-test.yml

@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - run: make build
       - run: docker compose up -d
       - run: docker compose ps

.github/workflows/node-ci.yml

@@ -28,9 +28,11 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
+        with:
+            persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 22.3.0
+          node-version: 23.1.0
           cache: 'npm'
       - name: Install Node dependencies
         run: npm ci

.github/workflows/zizmor.yml

@@ -0,0 +1,39 @@
+# https://github.com/woodruffw/zizmor
+name: GitHub Actions Security Analysis with Zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["*"]
+
+jobs:
+  zizmor:
+    # Advanced Security is not enabled on private repositories
+    if: github.repository == 'pypi/warehouse'
+    name: Zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+      - name: Get zizmor
+        run: cargo install zizmor
+      - name: Run zizmor
+        run: zizmor --format sarif . > results.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: zizmor

.python-version

@@ -1 +1 @@
-3.12.6
+3.12.7

.readthedocs.yml

@@ -6,7 +6,7 @@
 version: 2
 
 build:
-  os: ubuntu-22.04
+  os: ubuntu-24.04
   tools:
     python: "3.12"
   commands:

.stylelintrc.json

@@ -6,8 +6,6 @@
     "stylelint-selector-bem-pattern"
   ],
   "ignoreFiles": [
-    "warehouse/static/sass/tools/bourbon/**/*",
-    "warehouse/static/sass/tools/neat/**/*",
     "warehouse/static/sass/resets/_boxsizing.scss",
     "warehouse/static/sass/resets/_reset.scss"
   ],

Dockerfile

@@ -1,13 +1,13 @@
 # First things first, we build an image which is where we're going to compile
 # our static assets with. We use this stage in development.
-FROM node:22.9.0-bookworm AS static-deps
+FROM node:23.3.0-bookworm AS static-deps
 
 WORKDIR /opt/warehouse/src/
 
 # However, we do want to trigger a reinstall of our node.js dependencies anytime
 # our package.json changes, so we'll ensure that we're copying that into our
 # static container prior to actually installing the npm dependencies.
-COPY package.json package-lock.json .babelrc /opt/warehouse/src/
+COPY package.json package-lock.json babel.config.js /opt/warehouse/src/
 
 # Installing npm dependencies is done as a distinct step and *prior* to copying
 # over our static files so that, you guessed it, we don't invalidate the cache
@@ -36,7 +36,7 @@ RUN NODE_ENV=production npm run build
 
 
 # We'll build a light-weight layer along the way with just docs stuff
-FROM python:3.12.6-slim-bookworm AS docs
+FROM python:3.12.7-slim-bookworm AS docs
 
 # By default, Docker has special steps to avoid keeping APT caches in the layers, which
 # is good, but in our case, we're going to mount a special cache volume (kept between
@@ -105,7 +105,7 @@ USER docs
 
 # Now we're going to build our actual application, but not the actual production
 # image that it gets deployed into.
-FROM python:3.12.6-slim-bookworm AS build
+FROM python:3.12.7-slim-bookworm AS build
 
 # Define whether we're building a production or a development image. This will
 # generally be used to control whether or not we install our development and
@@ -189,7 +189,7 @@ RUN --mount=type=cache,target=/root/.cache/pip \
 
 # Now we're going to build our actual application image, which will eventually
 # pull in the static files that were built above.
-FROM python:3.12.6-slim-bookworm
+FROM python:3.12.7-slim-bookworm
 
 # Setup some basic environment variables that are ~never going to change.
 ENV PYTHONUNBUFFERED 1

Makefile

@@ -46,7 +46,7 @@ default:
 	mkdir -p .state
 	touch .state/docker-build-base
 
-.state/docker-build-static: Dockerfile package.json package-lock.json .babelrc
+.state/docker-build-static: Dockerfile package.json package-lock.json babel.config.js
 	# Build our static container for this project.
 	docker compose build --force-rm static
 

warehouse/static/sass/tools/bourbon/settings/_px-to-em.scss → babel.config.js

@@ -1,5 +1,4 @@
-/*!
- * Licensed under the Apache License, Version 2.0 (the "License");
+/* Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
@@ -12,5 +11,6 @@
  * limitations under the License.
  */
 
-
-$em-base: 16px !default;
+module.exports = {
+  presets: [['@babel/preset-env', {targets: {node: 'current'}}]],
+};

docker-compose.yml

@@ -221,7 +221,7 @@ services:
     volumes:
       - ./warehouse:/opt/warehouse/src/warehouse:z
       - ./webpack.config.js:/opt/warehouse/src/webpack.config.js:z
-      - ./.babelrc:/opt/warehouse/src/.babelrc:z
+      - ./babel.config.js:/opt/warehouse/src/babel.config.js:z
       - ./.stylelintrc.json:/opt/warehouse/src/.stylelintrc.json:z
       - ./tests/frontend:/opt/warehouse/src/tests/frontend:z
       - ./bin:/opt/warehouse/src/bin:z

docs/blog/posts/2024-11-14-pypi-now-supports-digital-attestations.md

@@ -0,0 +1,123 @@
+---
+title: PyPI now supports digital attestations
+description: Announcing support for PEP 740 on the Python Package Index
+authors:
+  - di
+date: 2024-11-14
+tags:
+  - publishing
+  - security
+  - oidc
+---
+
+PyPI package maintainers can now publish signed digital attestations when
+publishing, in order to further increase trust in the supply-chain security of
+their projects. Additionally, a new API is available for consumers and
+installers to verify published attestations.
+
+Many projects have already begun publishing attestations, with more than 20,000
+attestations already published.
+
+This finalizes PyPI's support for [PEP 740], and follows directly from previous
+work to add support for [Trusted Publishing], as well as the [deprecation and
+removal of PGP signatures].
+
+<!-- more -->
+
+### Why not plain signatures?
+
+PyPI's support for digital attestations has three key advantages over regular
+cryptographic signatures, such as those provided by PGP:
+
+* **Attestations are signed by an identity, not a key pair:**
+  Similar to our recent support for Trusted Publishing, PyPI's support for
+  digital attestations relies upon Open ID Connect (OIDC) identities. By signing
+  attestations with identities, and not a public/private key pair, we mitigate the
+  potential for an individual's key loss or compromise, one of the most common failure cases for
+  PGP signing.
+* **Attestations provide a verifiable link to an upstream source repository:**
+  By signing with the identity of the upstream source repository, such as in the
+  case of an upload of a project built with GitHub Actions, PyPI's support for
+  digital attestations defines a strong and verifiable association between a file
+  on PyPI and the source repository, workflow, and even the commit hash that
+  produced and uploaded the file. Additionally, publishing attestations to a
+  transparency log helps mitigate against both compromise of PyPI and compromise
+  of the projects themselves.
+* **Attestations are verified when uploaded, and must be verifiable to be uploaded:**
+  Upon review of the state of historical PGP signatures published to PyPI, [we
+  found that many signatures were not verifiable], either by PyPI or by end
+  users. With support for PEP 740, PyPI only permits attestations with a
+  verifiable signature to be uploaded and redistributed by the index. This
+  ensures that all attestations are verifiable and useful for all PyPI users.
+
+Much more detail is provided in a corresponding blog post by Trail of Bits:
+[Attestations: a new generation of signatures on PyPI].
+
+### How to view a file's attestations
+For consumers and package installers wanting to perform verification, PyPI
+currently provides two ways to access digital attestations associated with a
+given file on PyPI:
+
+* **A new Integrity API for PyPI**
+  The [Integrity API](https://docs.pypi.org/api/integrity/) provides programmatic
+  access to PyPI's implementation of PEP 740. Operating on individual files, it
+  collects all published attestations for a given file and returns them as a
+  single response.
+
+* **A new web UI for viewing per-file attributes**
+  Similarly, we have introduced a new page on PyPI's web UI, displaying details
+  for individual files, including the presence of any attestations about the
+  file. You can see an example here:
+  <https://pypi.org/project/sampleproject/#sampleproject-4.0.0.tar.gz>
+
+### Get started today
+
+The generation and publication of attestations happens by default, and no
+changes are necessary for projects that meet all of these conditions:
+
+1. publish from GitHub Actions;
+2. via [Trusted Publishing]; and
+3. use the [pypa/gh-action-pypi-publish] action to publish.
+
+Support for automatic attestation generation and publication from other Trusted
+Publisher environments [is planned]. While not recommended, maintainers can also
+[manually generate and publish attestations].
+
+### Acknowledgements
+
+Support for work on PEP 740's authoring and design was provided by the
+[Sovereign Tech Agency] and the Google Open Source Security Team.
+
+Funding for the implementation of PEP 740 was provided by the Google Open
+Source Security Team, and much of the development work on PyPI and related
+tools was performed by [Trail of Bits], with special thanks to contributors
+[William Woodruff], [Facundo Tuesca], and [Alexis Challande].
+
+Thanks to the the [Sigstore project] for their work popularizing identity-based signing, hosting a public-good transparency log, and continued support of the [Python client for Sigstore].
+
+Many thanks to [Sviatoslav Sydorenko] as well for his support and ongoing
+maintenence of the [pypa/gh-action-pypi-publish] action, as well his support
+for implementing PEP 740 in the action.
+
+---
+
+_Dustin Ingram is a maintainer of the Python Package Index._
+
+[PEP 740]: https://peps.python.org/pep-0740/
+[Trusted Publishing]: https://docs.pypi.org/trusted-publishers/
+[deprecation and removal of PGP signatures]: https://blog.pypi.org/posts/2023-05-23-removing-pgp/
+[pypa/gh-action-pypi-publish]: https://github.com/pypa/gh-action-pypi-publish
+[Attestations: a new generation of signatures on PyPI]: https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/
+[Integrity API]: https://docs.pypi.org/api/integrity/
+[we announced last year]: 2023-04-20-introducing-trusted-publishers.md
+[we found that many signatures were not verifiable]: https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless
+[manually generate and publish attestations]: https://docs.pypi.org/attestations/producing-attestations/#the-manual-way
+[Sovereign Tech Agency]: https://www.sovereign.tech/tech/python-package-index
+[is planned]: https://github.com/pypi/warehouse/issues/17001
+[Trail of Bits]: https://www.trailofbits.com/
+[William Woodruff]: https://github.com/woodruffw
+[Facundo Tuesca]: https://github.com/facutuesca
+[Alexis Challande]: https://github.com/DarkaMaul
+[Sigstore project]: https://www.sigstore.dev/
+[Python client for Sigstore]: https://pypi.org/project/sigstore/
+[Sviatoslav Sydorenko]: https://github.com/webknjaz