diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index ee183a6..a35f9d6 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -30,9 +30,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: "Harden Runner"
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ auth.docker.io:443
+ cdn.fwupd.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ production.cloudflare.docker.com:443
+ raw.githubusercontent.com:443
+ registry-1.docker.io:443
 - name: "Checkout"
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index e81f262..b2b638d 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -33,9 +33,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: "Harden Runner"
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo-and-containers: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
 - name: "Checkout"
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fa8fb48..e1cdd76 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
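Review bot: In `.github/workflows/actionlint.yml`, `cdn.fwupd.org:443` in the new `allowed-endpoints` list does not look like something a workflow linter needs; it is a firmware-metadata CDN that runner images tend to contact in the background, so it was probably carried over from the audit log. Under `egress-policy: block` every extra entry is standing permission, so I would drop it and let that background call be denied. This is also the only job in the commit without `disable-sudo-and-containers: true`; the Docker registry hosts in the list suggest that is deliberate, and a line above `with:` such as `# containers stay enabled: this job pulls and runs a Docker image` would record why, if that is the reason. Keep any such comment outside the `>` folded scalar, where a `#` line would become part of the endpoint value.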
@@ -59,9 +59,15 @@ jobs:
 tox -e mypy
 steps:
 - name: "Harden Runner"
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo-and-containers: true
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ json-schema.org:443
+ pypi.org:443
 - name: "Checkout"
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 8694de5..ed35af4 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
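Review bot: `json-schema.org:443` in the lint job's `allowed-endpoints` (`.github/workflows/lint.yml`) suggests that one of the lint environments fetches a schema document over the network on each run, which makes the check depend on an external host and on whatever that host serves at the time. If the fetch is only for the standard JSON Schema metaschemas, resolving them from a local copy would let this entry be dropped. Otherwise a comment above `allowed-endpoints:` naming the step that needs it, for example `# json-schema.org: fetched by <step name>`, would help whoever trims this list later.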
@@ -34,20 +34,27 @@ jobs:
 name: Build and check packages
 runs-on: ubuntu-latest
 steps:
- - name: "Harden Runner"
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
-
- - name: "Checkout"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- # for setuptools-scm
- fetch-depth: 0
-
- - name: "Build and Inspect"
- uses: hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0
+ - name: "Harden Runner"
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ disable-sudo-and-containers: true
+ egress-policy: block
+ allowed-endpoints: >
+ astral.sh:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
+ release-assets.githubusercontent.com:443
+
+ - name: "Checkout"
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ # for setuptools-scm
+ fetch-depth: 0
+
+ - name: "Build and Inspect"
+ uses: hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0
 # push to Test PyPI on
 # - a new GitHub release is published
@@ -64,21 +71,29 @@ jobs:
 needs: build-package
 steps:
- - name: "Harden Runner"
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
- - name: "Download build artifacts"
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
- with:
- name: Packages
- path: dist
-
- - name: "Upload to Test PyPI"
- uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
- with:
- repository-url: https://test.pypi.org/legacy/
+ - name: "Harden Runner"
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ disable-sudo-and-containers: true
+ egress-policy: block
+ allowed-endpoints: >
+ fulcio.sigstore.dev:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ rekor.sigstore.dev:443
+ test.pypi.org:443
+ tuf-repo-cdn.sigstore.dev:443
+
+ - name: "Download build artifacts"
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ with:
+ name: Packages
+ path: dist
+
+ - name: "Upload to Test PyPI"
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+ with:
+ repository-url: https://test.pypi.org/legacy/
 # push to Production PyPI on
 # - a new GitHub release is published
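Review bot: `disable-sudo-and-containers: true` in the Test PyPI job sits next to `ghcr.io:443` and `pkg-containers.githubusercontent.com:443` in the same allowlist, and those two hosts are what a container image pull uses. If `pypa/gh-action-pypi-publish` at this pin still runs from a container image, the "Upload to Test PyPI" step will fail once containers are disabled, and since the surrounding comments say these jobs run when a release is published, that would only surface at release time. The production publish job in the next hunk has the same combination. Either drop `disable-sudo-and-containers: true` from the two publish jobs, or confirm the action runs without Docker and remove the two registry hosts from both lists.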
@@ -96,36 +111,44 @@ jobs:
 needs: build-package
 steps:
- - name: "Harden Runner"
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
- - name: "Download build artifacts"
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
- with:
- name: Packages
- path: dist
-
- - name: "Sigstore sign package"
- uses: sigstore/gh-action-sigstore-python@f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 # v3.0.1
- with:
- inputs: |
- ./dist/*.tar.gz
- ./dist/*.whl
- release-signing-artifacts: false
-
- - name: "Upload artifacts and signatures to GitHub release"
- run: |
- gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}'
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # PyPI does not accept .sigstore artifacts and
- # gh-action-pypi-publish has no option to ignore them.
- - name: "Remove sigstore signatures before uploading to PyPI"
- run: |
- rm ./dist/*.sigstore.json
-
- - name: "Upload to PyPI"
- uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+ - name: "Harden Runner"
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ disable-sudo-and-containers: true
+ egress-policy: block
+ allowed-endpoints: >
+ fulcio.sigstore.dev:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ rekor.sigstore.dev:443
+ pypi.org:443
+ tuf-repo-cdn.sigstore.dev:443
+
+ - name: "Download build artifacts"
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ with:
+ name: Packages
+ path: dist
+
+ - name: "Sigstore sign package"
+ uses: sigstore/gh-action-sigstore-python@f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 # v3.0.1
+ with:
+ inputs: |
+ ./dist/*.tar.gz
+ ./dist/*.whl
+ release-signing-artifacts: false
+
+ - name: "Upload artifacts and signatures to GitHub release"
+ run: |
+ gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}'
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # PyPI does not accept .sigstore artifacts and
+ # gh-action-pypi-publish has no option to ignore them.
+ - name: "Remove sigstore signatures before uploading to PyPI"
+ run: |
+ rm ./dist/*.sigstore.json
+
+ - name: "Upload to PyPI"
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 01f0f87..4b25081 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -48,9 +48,14 @@ jobs:
 - "ubuntu-latest"
 steps:
 - name: "Harden Runner"
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo-and-containers: true
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
 - name: "Checkout"
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/src/instructlab/schema/taxonomy.py b/src/instructlab/schema/taxonomy.py
index fe927ac..e24fa44 100644
--- a/src/instructlab/schema/taxonomy.py
+++ b/src/instructlab/schema/taxonomy.py
@@ -321,7 +321,7 @@ def _schema_validate(self, text: str, taxonomy: Taxonomy) -> None:
 validator_cls = validator_for(schema)
 # mypy doesn't understand attrs classes fields, see: https://github.com/python/mypy/issues/5406
 registry: SchemaRegistry = Registry(retrieve=retrieve) # type: ignore[call-arg]
- validator: Validator = validator_cls(schema, registry=registry)
+ validator: Validator = validator_cls(schema, registry=registry) # type: ignore[arg-type]
 for validation_error in validator.iter_errors(taxonomy.contents):
 yaml_path = validation_error.json_path[1:]
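Review bot: The production publish job's allowlist in `.github/workflows/pypi.yml` lists `pypi.org:443`, but no `repository-url` is visible on the "Upload to PyPI" step, and the action's default upload endpoint is on `upload.pypi.org`, a different host that `egress-policy: block` would deny. The "Upload artifacts and signatures to GitHub release" step has a similar gap: `gh release upload` talks to the GitHub API and asset-upload hosts, and neither `api.github.com:443` nor `uploads.github.com:443` is listed, so it works only if harden-runner allows them implicitly. The entries look adapted from the Test PyPI list rather than taken from an audited release run, so I would add `upload.pypi.org:443` plus the two GitHub hosts and confirm them on a pre-release before relying on `block`. Separately, that step's `run:` script interpolates `${{ github.ref_name }}` directly into shell text; passing it through `env:` (`TAG: ${{ github.ref_name }}`) and using `"$TAG"` keeps a tag name from being parsed as shell.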
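Review bot: The added `# type: ignore[arg-type]` on the `validator_cls(schema, registry=registry)` call in `src/instructlab/schema/taxonomy.py` carries no explanation, while the ignore on the `Registry(...)` line just above it has a comment and an issue link. A suppression without a stated reason tends to outlive the mismatch it hides, and this call sits on the schema-validation path where a real type error would matter. I would add a line above it in the same style, for example `# mypy: <argument> is typed as <type> by the stubs, see: <issue link>`, filled in once the rejected argument is confirmed; the hunk does not show which one mypy complains about. `_schema_validate` starts and ends outside the hunk.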