Merge pull request #4949 from pallets/publish-workflow

Publish workflow

.flake8

@@ -0,0 +1,25 @@
+[flake8]
+extend-select =
+    # bugbear
+    B
+    # bugbear opinions
+    B9
+    # implicit str concat
+    ISC
+extend-ignore =
+    # slice notation whitespace, invalid
+    E203
+    # line length, handled by bugbear B950
+    E501
+    # bare except, handled by bugbear B001
+    E722
+    # zip with strict=, requires python >= 3.10
+    B905
+    # string formatting opinion, B028 renamed to B907
+    B028
+    B907
+# up to 88 allowed by bugbear B950
+max-line-length = 80
+per-file-ignores =
+    # __init__ exports names
+    src/flask/__init__.py: F401

.github/workflows/lock.yaml

@@ -1,18 +1,25 @@
-# This does not automatically close "stale" issues. Instead, it locks closed issues after 2 weeks of no activity.
-# If there's a new issue related to an old one, we've found it's much easier to work on as a new issue.
-
 name: 'Lock threads'
+# Lock closed issues that have not received any further activity for
+# two weeks. This does not close open issues, only humans may do that.
+# We find that it is easier to respond to new issues with fresh examples
+# rather than continuing discussions on old issues.
 
 on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  issues: write
+  pull-requests: write
+
+concurrency:
+  group: lock
+
 jobs:
   lock:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v3
+      - uses: dessant/lock-threads@c1b35aecc5cdb1a34539d14196df55838bb2f836
         with:
-          github-token: ${{ github.token }}
           issue-inactive-days: 14
           pr-inactive-days: 14

.github/workflows/publish.yaml

@@ -0,0 +1,72 @@
+name: Publish
+on:
+  push:
+    tags:
+      - '*'
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      hash: ${{ steps.hash.outputs.hash }}
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912
+        with:
+          python-version: '3.x'
+          cache: 'pip'
+          cache-dependency-path: 'requirements/*.txt'
+      - run: pip install -r requirements/build.txt
+      # Use the commit date instead of the current date during the build.
+      - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+      - run: python -m build
+      # Generate hashes used for provenance.
+      - name: generate hash
+        id: hash
+        run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+        with:
+          path: ./dist
+  provenance:
+    needs: ['build']
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    # Can't pin with hash due to how this workflow works.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: ${{ needs.build.outputs.hash }}
+  create-release:
+    # Upload the sdist, wheels, and provenance to a GitHub release. They remain
+    # available as build artifacts for a while as well.
+    needs: ['provenance']
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
+      - name: create release
+        run: >
+          gh release create --draft --repo ${{ github.repository }}
+          ${{ github.ref_name }}
+          *.intoto.jsonl/* artifact/*
+        env:
+          GH_TOKEN: ${{ github.token }}
+  publish-pypi:
+    needs: ['provenance']
+    # Wait for approval before attempting to upload to PyPI. This allows reviewing the
+    # files in the draft release.
+    environment: 'publish'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
+      # Try uploading to Test PyPI first, in case something fails.
+      - uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc
+        with:
+          password: ${{ secrets.TEST_PYPI_TOKEN }}
+          repository_url: https://test.pypi.org/legacy/
+          packages_dir: artifact/
+      - uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc
+        with:
+          password: ${{ secrets.PYPI_TOKEN }}
+          packages_dir: artifact/

.github/workflows/tests.yaml

@@ -35,10 +35,10 @@ jobs:
           - {name: 'PyPy', python: 'pypy-3.9', os: ubuntu-latest, tox: pypy39}
           - {name: 'Pallets Minimum Versions', python: '3.11', os: ubuntu-latest, tox: py311-min}
           - {name: 'Pallets Development Versions', python: '3.7', os: ubuntu-latest, tox: py37-dev}
-          - {name: Typing, python: '3.10', os: ubuntu-latest, tox: typing}
+          - {name: Typing, python: '3.11', os: ubuntu-latest, tox: typing}
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+      - uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'
@@ -49,7 +49,7 @@ jobs:
           pip install -U setuptools
           python -m pip install -U pip
       - name: cache mypy
-        uses: actions/cache@v3.2.2
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12
         with:
           path: ./.mypy_cache
           key: mypy|${{ matrix.python }}|${{ hashFiles('setup.cfg') }}

examples/javascript/js_example/__init__.py

@@ -2,4 +2,4 @@ from flask import Flask
 
 app = Flask(__name__)
 
-from js_example import views  # noqa: F401
+from js_example import views  # noqa: E402, F401

requirements/build.in

@@ -0,0 +1 @@
+build

requirements/build.txt

@@ -0,0 +1,17 @@
+# SHA1:80754af91bfb6d1073585b046fe0a474ce868509
+#
+# This file is autogenerated by pip-compile-multi
+# To update, run:
+#
+#    pip-compile-multi
+#
+build==0.9.0
+    # via -r requirements/build.in
+packaging==23.0
+    # via build
+pep517==0.13.0
+    # via build
+tomli==2.0.1
+    # via
+    #   build
+    #   pep517

setup.cfg

@@ -61,33 +61,6 @@ source =
     src
     */site-packages
 
-[flake8]
-# B = bugbear
-# E = pycodestyle errors
-# F = flake8 pyflakes
-# W = pycodestyle warnings
-# B9 = bugbear opinions
-# ISC = implicit str concat
-select = B, E, F, W, B9, ISC
-ignore =
-    # slice notation whitespace, invalid
-    E203
-    # import at top, too many circular import fixes
-    E402
-    # line length, handled by bugbear B950
-    E501
-    # bare except, handled by bugbear B001
-    E722
-    # bin op line break, invalid
-    W503
-    # requires Python 3.10
-    B905
-# up to 88 allowed by bugbear B950
-max-line-length = 80
-per-file-ignores =
-    # __init__ exports names
-    src/flask/__init__.py: F401
-
 [mypy]
 files = src/flask, tests/typing
 python_version = 3.7

tests/test_appctx.py

@@ -120,14 +120,14 @@ def test_app_tearing_down_with_unhandled_exception(app, client):
 
     @app.route("/")
     def index():
-        raise Exception("dummy")
+        raise ValueError("dummy")
 
-    with pytest.raises(Exception, match="dummy"):
+    with pytest.raises(ValueError, match="dummy"):
         with app.app_context():
             client.get("/")
 
     assert len(cleanup_stuff) == 1
-    assert isinstance(cleanup_stuff[0], Exception)
+    assert isinstance(cleanup_stuff[0], ValueError)
     assert str(cleanup_stuff[0]) == "dummy"
 
 

tests/test_apps/blueprintapp/__init__.py

@@ -2,8 +2,8 @@ from flask import Flask
 
 app = Flask(__name__)
 app.config["DEBUG"] = True
-from blueprintapp.apps.admin import admin
-from blueprintapp.apps.frontend import frontend
+from blueprintapp.apps.admin import admin  # noqa: E402
+from blueprintapp.apps.frontend import frontend  # noqa: E402
 
 app.register_blueprint(admin)
 app.register_blueprint(frontend)

tests/test_basic.py

@@ -1472,11 +1472,11 @@ def test_static_route_with_host_matching():
         rv = flask.url_for("static", filename="index.html", _external=True)
         assert rv == "http://example.com/static/index.html"
     # Providing static_host without host_matching=True should error.
-    with pytest.raises(Exception):
+    with pytest.raises(AssertionError):
         flask.Flask(__name__, static_host="example.com")
     # Providing host_matching=True with static_folder
     # but without static_host should error.
-    with pytest.raises(Exception):
+    with pytest.raises(AssertionError):
         flask.Flask(__name__, host_matching=True)
     # Providing host_matching=True without static_host
     # but with static_folder=None should not error.