himitsubako 0.3.1__tar.gz

himitsubako-0.3.1/.github/workflows/ci.yml

@@ -0,0 +1,130 @@
+# HMB-S014: Continuous integration pipeline.
+#
+# Supply-chain notes
+# ------------------
+# - Every `uses:` reference is pinned to a commit SHA, not a tag
+#   (Obsidian/code/supply-chain-protection.md). Tag pointers below
+#   the SHA are documentation only and are the version at the time of
+#   pinning; the SHA is what GitHub resolves and the version can drift.
+# - `sops` and `age` are installed from upstream GitHub releases and
+#   verified by SHA256, not `apt-get install`. The apt version in
+#   Ubuntu LTS lags the upstream release train by multiple versions
+#   and would not carry the v3.8+ `--filename-override` flag that
+#   `SopsBackend._encrypt` depends on (see HMB-S013).
+#
+# Action pins (tag at pinning time → commit SHA)
+#   actions/checkout            v4.3.0   08eba0b27e820071cde6df949e0beb9ba4906955
+#   astral-sh/setup-uv          v5.4.1   0c5e2b8115b80b4c7c5ddf6ffdd634974642d182
+#   actions/upload-artifact     v4.6.2   ea165f8d65b6e75b540449e92b4886f43607fa02
+#
+# Binary pins (version → linux amd64 SHA256)
+#   sops v3.12.2   14e2e1ba3bef31e74b70cf0b674f6443c80f6c5f3df15d05ffc57c34851b4998
+#   age  v1.3.1    bdc69c09cbdd6cf8b1f333d372a1f58247b3a33146406333e30c0f26e8f51377
+#
+# To bump a pin, edit both the SHA (line that GitHub actually reads)
+# and the comment (human-readable version), re-resolve via
+# `git ls-remote` / release checksums, and commit in a dedicated PR.
+
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  SOPS_VERSION: v3.12.2
+  SOPS_LINUX_AMD64_SHA256: 14e2e1ba3bef31e74b70cf0b674f6443c80f6c5f3df15d05ffc57c34851b4998
+  AGE_VERSION: v1.3.1
+  AGE_LINUX_AMD64_SHA256: bdc69c09cbdd6cf8b1f333d372a1f58247b3a33146406333e30c0f26e8f51377
+
+jobs:
+  test:
+    name: test (py${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.12", "3.13"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955  # v4.3.0
+        with:
+          fetch-depth: 0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182  # v5.4.1
+        with:
+          python-version: ${{ matrix.python-version }}
+          enable-cache: true
+
+      - name: Install sops (pinned + SHA256 verified)
+        run: |
+          set -euo pipefail
+          mkdir -p "$HOME/.local/bin"
+          url="https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64"
+          curl -fsSL -o sops-bin "$url"
+          echo "${SOPS_LINUX_AMD64_SHA256}  sops-bin" | sha256sum -c -
+          install -m 0755 sops-bin "$HOME/.local/bin/sops"
+          rm -f sops-bin
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+          "$HOME/.local/bin/sops" --version
+
+      - name: Install age (pinned + SHA256 verified)
+        run: |
+          set -euo pipefail
+          mkdir -p "$HOME/.local/bin"
+          url="https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/age-${AGE_VERSION}-linux-amd64.tar.gz"
+          curl -fsSL -o age.tar.gz "$url"
+          echo "${AGE_LINUX_AMD64_SHA256}  age.tar.gz" | sha256sum -c -
+          tar -xzf age.tar.gz
+          install -m 0755 age/age "$HOME/.local/bin/age"
+          install -m 0755 age/age-keygen "$HOME/.local/bin/age-keygen"
+          rm -rf age age.tar.gz
+          "$HOME/.local/bin/age" --version
+          "$HOME/.local/bin/age-keygen" --help >/dev/null 2>&1 || true
+
+      - name: Install project (all extras + dev)
+        run: uv sync --all-extras --dev
+
+      - name: Ruff lint
+        run: uv run ruff check src tests
+
+      - name: Ruff format check
+        run: uv run ruff format --check src tests
+
+      - name: mypy
+        run: uv run mypy src
+
+      - name: Unit tests + coverage gate
+        run: >-
+          uv run pytest
+          --override-ini="addopts=-v --tb=short"
+          -m "not integration"
+          --cov=src/himitsubako
+          --cov-report=xml
+          --cov-report=term-missing
+          --cov-fail-under=80
+
+      - name: Integration tests (S013 subset — sops + env)
+        run: >-
+          uv run pytest tests/integration/
+          --override-ini="addopts=-v --tb=short"
+          -m "integration and not macos and not bitwarden and not direnv"
+
+      - name: Upload coverage XML
+        if: ${{ always() }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        with:
+          name: coverage-xml-py${{ matrix.python-version }}
+          path: coverage.xml
+          if-no-files-found: warn
+          retention-days: 14

himitsubako-0.3.1/.github/workflows/release.yml

@@ -0,0 +1,210 @@
+# HMB-S016: Release workflow — publish to PyPI via Trusted Publishers (OIDC).
+#
+# Supply-chain notes
+# ------------------
+# - Same SHA-pinning policy as the CI workflow. Every `uses:` reference
+#   is pinned to a commit SHA, not a tag (supply-chain policy per
+#   Obsidian/code/supply-chain-protection.md). Tag pointers below the
+#   SHA are documentation only.
+# - `sops` and `age` are installed from upstream releases with SHA256
+#   verification, identical to the CI workflow. The release build only
+#   needs them for the integration test step; publish itself does not.
+# - **No long-lived PyPI API token.** Production publish uses Trusted
+#   Publishers (OIDC) bound to this repository + this workflow file +
+#   the `pypi-release` environment. The repository owner must configure
+#   the binding on pypi.org before the first release tag runs.
+# - The `pypi-release` environment has a required-reviewer gate so an
+#   accidental tag push cannot auto-publish. A human must approve the
+#   job before the publish step runs.
+#
+# Action pins (tag at pinning time → commit SHA)
+#   actions/checkout               v4.3.0   08eba0b27e820071cde6df949e0beb9ba4906955
+#   astral-sh/setup-uv             v5.4.1   0c5e2b8115b80b4c7c5ddf6ffdd634974642d182
+#   actions/upload-artifact        v4.6.2   ea165f8d65b6e75b540449e92b4886f43607fa02
+#   actions/download-artifact      v4.3.0   d3f86a106a0bac45b974a628896c90dbdf5c8093
+#
+# Docker container action exception:
+#   pypa/gh-action-pypi-publish is a Docker container action whose
+#   registry image is tagged by release version, not by commit SHA.
+#   Pinning to a commit SHA causes the action wrapper to attempt
+#   `docker pull ghcr.io/pypa/gh-action-pypi-publish:<sha>`, which
+#   fails with `manifest unknown` because no SHA-tagged image
+#   exists. PyPA's published guidance for this action is to pin to
+#   a specific version tag instead. We pin to v1.13.0 (released
+#   2025-09-04, well past the 7-day quarantine window) and accept
+#   the slightly weaker supply-chain posture for this one action.
+#   PyPA does not move version tags, so the trust delta vs SHA
+#   pinning is small in practice.
+#
+# Binary pins — same as ci.yml:
+#   sops v3.12.2  14e2e1ba3bef31e74b70cf0b674f6443c80f6c5f3df15d05ffc57c34851b4998
+#   age  v1.3.1   bdc69c09cbdd6cf8b1f333d372a1f58247b3a33146406333e30c0f26e8f51377
+
+name: release
+
+on:
+  push:
+    tags:
+      # Final v*.*.* tags only. Pre-release tags (v*-rc*, v*-beta*)
+      # are intentionally excluded until a decision is made on whether
+      # to publish them.
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  SOPS_VERSION: v3.12.2
+  SOPS_LINUX_AMD64_SHA256: 14e2e1ba3bef31e74b70cf0b674f6443c80f6c5f3df15d05ffc57c34851b4998
+  AGE_VERSION: v1.3.1
+  AGE_LINUX_AMD64_SHA256: bdc69c09cbdd6cf8b1f333d372a1f58247b3a33146406333e30c0f26e8f51377
+
+jobs:
+  verify:
+    name: verify (pre-publish CI gate)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955  # v4.3.0
+        with:
+          fetch-depth: 0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182  # v5.4.1
+        with:
+          python-version: "3.13"
+          enable-cache: true
+
+      - name: Install sops (pinned + SHA256 verified)
+        run: |
+          set -euo pipefail
+          mkdir -p "$HOME/.local/bin"
+          url="https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64"
+          curl -fsSL -o sops-bin "$url"
+          echo "${SOPS_LINUX_AMD64_SHA256}  sops-bin" | sha256sum -c -
+          install -m 0755 sops-bin "$HOME/.local/bin/sops"
+          rm -f sops-bin
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Install age (pinned + SHA256 verified)
+        run: |
+          set -euo pipefail
+          mkdir -p "$HOME/.local/bin"
+          url="https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/age-${AGE_VERSION}-linux-amd64.tar.gz"
+          curl -fsSL -o age.tar.gz "$url"
+          echo "${AGE_LINUX_AMD64_SHA256}  age.tar.gz" | sha256sum -c -
+          tar -xzf age.tar.gz
+          install -m 0755 age/age "$HOME/.local/bin/age"
+          install -m 0755 age/age-keygen "$HOME/.local/bin/age-keygen"
+          rm -rf age age.tar.gz
+
+      - name: Install project (all extras + dev)
+        run: uv sync --all-extras --dev
+
+      - name: Ruff lint
+        run: uv run ruff check src tests
+
+      - name: Ruff format check
+        run: uv run ruff format --check src tests
+
+      - name: mypy
+        run: uv run mypy src
+
+      - name: Unit tests + coverage gate
+        run: >-
+          uv run pytest
+          --override-ini="addopts=-v --tb=short"
+          -m "not integration"
+          --cov=src/himitsubako
+          --cov-report=term-missing
+          --cov-fail-under=80
+
+      - name: Integration tests (S013 subset)
+        run: >-
+          uv run pytest tests/integration/
+          --override-ini="addopts=-v --tb=short"
+          -m "integration and not macos and not bitwarden and not direnv"
+
+  build:
+    name: build (wheel + sdist)
+    needs: verify
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955  # v4.3.0
+        with:
+          fetch-depth: 0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182  # v5.4.1
+        with:
+          python-version: "3.13"
+          enable-cache: true
+
+      - name: Install project with publish extras
+        run: uv sync --all-extras --dev
+
+      - name: Verify tag matches pyproject.toml version
+        run: |
+          set -euo pipefail
+          tag="${GITHUB_REF_NAME}"
+          version="${tag#v}"
+          pyproject_version=$(uv run python -c "import tomllib; print(tomllib.loads(open('pyproject.toml','rb').read().decode())['project']['version'])")
+          init_version=$(uv run python -c "from himitsubako import __version__; print(__version__)")
+          if [[ "$pyproject_version" != "$version" ]]; then
+            echo "ERROR: tag $tag implies version $version but pyproject.toml has $pyproject_version" >&2
+            exit 1
+          fi
+          if [[ "$init_version" != "$version" ]]; then
+            echo "ERROR: tag $tag implies version $version but himitsubako.__version__ is $init_version" >&2
+            exit 1
+          fi
+          echo "Tag, pyproject.toml, and __version__ all agree on $version."
+
+      - name: Build sdist and wheel
+        run: uv run python -m build
+
+      - name: Twine check
+        run: uv run twine check dist/*
+
+      - name: Upload dist artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        with:
+          name: dist
+          path: dist/
+          if-no-files-found: error
+          retention-days: 14
+
+  publish:
+    name: publish to PyPI (Trusted Publishers OIDC)
+    needs: build
+    runs-on: ubuntu-latest
+    # Required-reviewer gate: the pypi-release environment must be
+    # configured on the repository (Settings → Environments) with at
+    # least one required reviewer (the maintainer). That reviewer is
+    # the human approval on every release.
+    environment:
+      name: pypi-release
+      url: https://pypi.org/project/himitsubako/
+    permissions:
+      # Needed for Trusted Publishers OIDC.
+      id-token: write
+      contents: read
+    steps:
+      - name: Download dist artifact
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI via Trusted Publishers
+        # Tag-pinned (NOT SHA-pinned) — see the "Docker container action
+        # exception" note in the header. v1.13.0 release is 2025-09-04.
+        uses: pypa/gh-action-pypi-publish@v1.13.0
+        with:
+          packages-dir: dist/
+          # No `password:` — OIDC Trusted Publisher binding on PyPI
+          # provides the short-lived token automatically.
+          verbose: true

himitsubako-0.3.1/.gitignore

@@ -0,0 +1,56 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+*.egg
+dist/
+build/
+.eggs/
+
+# Virtual environments
+.venv/
+venv/
+env/
+ENV/
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+coverage.xml
+*.cover
+
+# Type checking
+.mypy_cache/
+.ruff_cache/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# macOS
+.DS_Store
+
+# Secrets — belt and suspenders
+# himitsubako's own test/example files should always be encrypted before commit,
+# but never commit plaintext decrypted files even by accident
+*.dec.yaml
+*.dec.yml
+*.dec.json
+*.plaintext
+secrets.yaml
+.env
+.env.local
+.envrc.local
+
+# Docs site
+site/
+
+# UV lockfile — commit it
+# (uncomment next line if you want to gitignore it instead)
+# uv.lock