update project files (#5457)

* update pre-commit hook * upgrade pip with venv * update description and version * show url in publish environment * update versions * update versions, separate typing job * use dependabot grouped updates ignore upload/download-artifact until slsa updates * use sphinx.ext.extlinks instead of sphinx-issues * update dev dependencies * update editorconfig * update gitignore * update .readthedocs.yaml * license is txt, readme is md * update pyproject.toml add typed classifier add pyright config simplify urls * tox builds docs in place * update min test py version * add tox env to update all dev dependencies * update issue and pr templates * rename security docs page to not conflict with org policy file * simplify matrix
2024-04-07 10:24:40 -07:00 · 2024-04-07 10:24:40 -07:00 · 87d5f5b9a9
commit 87d5f5b9a9
parent d5e321b792
35 changed files with 382 additions and 322 deletions
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -9,8 +9,8 @@ jobs:
    outputs:
      hash: ${{ steps.hash.outputs.hash }}
    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
        with:
          python-version: '3.x'
          cache: pip
@ -23,9 +23,8 @@ jobs:
      - name: generate hash
        id: hash
        run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
-          name: dist
          path: ./dist
  provenance:
    needs: [build]
@ -34,7 +33,7 @@ jobs:
      id-token: write
      contents: write
    # Can't pin with hash due to how this workflow works.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
    with:
      base64-subjects: ${{ needs.build.outputs.hash }}
  create-release:
@ -45,25 +44,30 @@ jobs:
    permissions:
      contents: write
    steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
      - name: create release
        run: >
          gh release create --draft --repo ${{ github.repository }}
          ${{ github.ref_name }}
-          *.intoto.jsonl/* dist/*
+          *.intoto.jsonl/* artifact/*
        env:
          GH_TOKEN: ${{ github.token }}
  publish-pypi:
    needs: [provenance]
    # Wait for approval before attempting to upload to PyPI. This allows reviewing the
    # files in the draft release.
-    environment: publish
+    environment:
+      name: publish
+      url: https://pypi.org/project/Flask/${{ github.ref_name }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
-      - uses: pypa/gh-action-pypi-publish@f946db0f765b9ae754e44bfd5ae5b8b91cfb37ef
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: pypa/gh-action-pypi-publish@68e62d4871ad9d14a9d55f114e6ac71f0b408ec0 # v1.8.14
        with:
          repository-url: https://test.pypi.org/legacy/
-      - uses: pypa/gh-action-pypi-publish@f946db0f765b9ae754e44bfd5ae5b8b91cfb37ef
+          packages-dir: artifact/
+      - uses: pypa/gh-action-pypi-publish@68e62d4871ad9d14a9d55f114e6ac71f0b408ec0 # v1.8.14
+        with:
+          packages-dir: artifact/