Doc: explaining how to verify provenance + introducing guarddog in CI
Lucas-C committed Dec 16, 2024
1 parent bca0695 commit 7d5531a
Showing 5 changed files with 38 additions and 13 deletions.
29 changes: 20 additions & 9 deletions .github/workflows/continuous-integration-workflow.yml
@@ -16,6 +16,14 @@ jobs:
platform: [ubuntu-latest, windows-latest]
runs-on: ${{ matrix.platform }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2.10.2
with:
egress-policy: block
allowed-endpoints:
github.com:443
*.actions.githubusercontent.com:443
pypi.org:443
- name: Checkout 🛎️
uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }} 🔧
@@ -41,12 +49,23 @@ jobs:
pylint fpdf test tutorial/tuto*.py
bandit -c .banditrc.yml -r contributors/ fpdf/ tutorial/
semgrep scan --config auto --error --strict --exclude-rule=python.lang.security.insecure-hash-function.insecure-hash-function fpdf
- name: Scan current project
- name: Scan current project with grype
if: matrix.python-version == '3.13' && matrix.platform == 'ubuntu-latest'
uses: anchore/scan-action@v3
with:
path: "."
fail-build: true
- name: Scan project dependencies with guarddog
if: matrix.python-version == '3.13' && matrix.platform == 'ubuntu-latest'
run: |
pip install guarddog
guarddog pypi scan defusedxml
guarddog pypi scan Pillow
guarddog pypi scan fonttools
guarddog pypi scan contributors/requirements.txt
guarddog pypi scan docs/requirements.txt
guarddog pypi scan test/linters-requirements.txt
guarddog pypi scan test/requirements.txt
- name: Checking all PDF samples ☑
if: matrix.python-version == '3.13' && matrix.platform == 'ubuntu-latest'
run: |
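Review bot: the new guarddog step cannot fail the build: unlike the grype step just above it (`fail-build: true`), `guarddog pypi scan` exits 0 whether or not it reports findings unless it is run with `--exit-non-zero-on-finding`, so a malicious-package hit would only show up in the job log. Also, scanning `defusedxml`, `Pillow` and `fonttools` by bare name analyses whatever is the latest release on PyPI at run time, not the version this job actually installs; pass the pinned version (`--version`) so the scan matches the dependency in use. For the four `requirements.txt` arguments, check that `scan` accepts a requirements file at all; guarddog's `verify` subcommand is the one built for requirements files. Finally, `pip install guarddog` is unpinned, so the scanner itself is an unpinned dependency of the pipeline.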
@@ -136,11 +155,3 @@ jobs:
# Doc: https://github.com/marketplace/actions/pypi-publish
with:
print-hash: true
- name: Generate & release sigstore signatures 🔑
if: steps.build.outputs.publish == 'yes'
uses: sigstore/gh-action-sigstore-python@v3.0.0
# Doc: https://github.com/marketplace/actions/gh-action-sigstore-python
with:
inputs: ./dist/*.tar.gz ./dist/*.whl
# For this setting to work, this pipeline should be triggered by a "release" event:
release-signing-artifacts: true
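Review bot: the hunk header (`-136,11 +155,3`) shows the entire "Generate & release sigstore signatures" step being deleted, leaving only `print-hash: true` from the publish step, but neither the commit message nor the CHANGELOG changes in this commit say why, or what now produces verifiable signatures for releases. State that explicitly (commit message or `CHANGELOG.md`), because the docs added in this same commit tell users to run `sigstore verify github` against the published tarball, and the removed step is what attached Sigstore bundles to GitHub releases (`release-signing-artifacts: true`).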
4 changes: 2 additions & 2 deletions CHANGELOG.md
@@ -28,11 +28,11 @@ This can also be enabled programmatically with `warnings.simplefilter('default',
* documentation on how to: [render spreadsheets as PDF tables](https://py-pdf.github.io/fpdf2/RenderingSpreadsheetsAsPDFTables.html)
* support for passing `Align` values (along with string values like `'C'`, `'L'`, `'R'`) in `l_margin` of `TextStyle` to horizontally align text - [issue #1282](https://github.com/py-pdf/fpdf2/issues/1282)
### Fixed
* support for `align=` in [`FPDF.table()`](https://py-pdf.github.io/fpdf2/Tables.html#setting-table-column-widths). Due to this correction, tables are now properly horizontally aligned on the page by default. This was always specified in the documentation, but was not in effect until now. You can revert to have left-aligned tables by passing `align="LEFT"` to `FPDF.table()`.
* support for `align=` in [`FPDF.table()`](https://py-pdf.github.io/fpdf2/Tables.html#setting-table-column-widths). Due to this correction, tables are now properly horizontally aligned on the page by default. This was always specified in the documentation, but was not in effect until now. You can revert to have left-aligned tables by passing `align="LEFT"` to `FPDF.table()`. - [issue #1306](https://github.com/py-pdf/fpdf2/issues/1306)
* `FPDF.set_text_shaping(False)` was broken since version 2.7.8 and is now working properly - [issue #1287](https://github.com/py-pdf/fpdf2/issues/1287)
* fixed bug where cells with `rowspan`, `colspan` > 1 and null text were not displayed properly - [issue #1293](https://github.com/py-pdf/fpdf2/issues/1293)
* `CreationDate` metadata used a wrong timezone offset for UTC - [issue #1261](https://github.com/py-pdf/fpdf2/issues/1261)
* [`insert_toc_placeholder()`](https://py-pdf.github.io/fpdf2/fpdf/fpdf.html#fpdf.fpdf.FPDF.insert_toc_placeholder) did not properly the page orientation, which caused a bug when the last page of the document was in a different orientation - [issue #1213](https://github.com/py-pdf/fpdf2/issues/1213)
* [`insert_toc_placeholder()`](https://py-pdf.github.io/fpdf2/fpdf/fpdf.html#fpdf.fpdf.FPDF.insert_toc_placeholder) did not properly the page orientation, which caused a bug when the last page of the document was in a different orientation - [issue #1312](https://github.com/py-pdf/fpdf2/issues/1213)
### Changed
* improved logic for handling text substitution of the total number of pages, ensuring compatibility with text shaping - [issue #1090](https://github.com/py-pdf/fpdf2/issues/1090)
* all [`AnnotationDict`](https://py-pdf.github.io/fpdf2/fpdf/annotations.html) properties can now be passed to `FPDF.text_annotation()`, `FPDF.free_text_annotation()`, `FPDF.add_action()`, `FPDF.add_text_markup_annotation()` & `FPDF.ink_annotation()`. This includes `title`, `color`, `border_width`...
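Review bot: the replacement line for issue #1312 keeps the old link target: the text reads `[issue #1312]` but the URL is still `https://github.com/py-pdf/fpdf2/issues/1213`, so the link points at the wrong issue. Both the old and new line also read "did not properly the page orientation", which is missing its verb ("did not properly handle the page orientation").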
2 changes: 1 addition & 1 deletion README.md
@@ -5,7 +5,7 @@
[![build status](https://github.com/py-pdf/fpdf2/workflows/build/badge.svg)](https://github.com/py-pdf/fpdf2/actions?query=branch%3Amaster)
[![codecov](https://codecov.io/gh/py-pdf/fpdf2/branch/master/graph/badge.svg)](https://codecov.io/gh/py-pdf/fpdf2)
[![Pypi Trusted Publisher: enabled](https://img.shields.io/badge/Pypi%20Trusted%20Publisher-enabled-green.svg)](https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/)
[![checks: bandit, pylint, semgrep](https://img.shields.io/badge/checks-bandit,pylint,semgrep,grype-green.svg)](https://github.com/py-pdf/fpdf2/actions/workflows/continuous-integration-workflow.yml)
[![checks: bandit, guarddog, pylint, semgrep](https://img.shields.io/badge/checks-bandit,pylint,semgrep,grype-green.svg)](https://github.com/py-pdf/fpdf2/actions/workflows/continuous-integration-workflow.yml)

[![Dependents](https://img.shields.io/librariesio/dependents/pypi/fpdf2)](https://libraries.io/pypi/fpdf2/dependents)
[![Downloads per month](https://pepy.tech/badge/fpdf2/month)](https://pepy.tech/project/fpdf2)
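Review bot: the badge alt text now lists guarddog, but the shields.io image path is unchanged (`checks-bandit,pylint,semgrep,grype-green.svg`), so the rendered badge will still not mention guarddog; update the URL segment to match the alt text (and note the existing label already omits grype while the image includes it).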
3 changes: 2 additions & 1 deletion docs/Development.md
@@ -217,12 +217,13 @@ Ask maintainers through comments if some errors in the pipeline seem obscure to
### Release checklist
1. complete `CHANGELOG.md` and add the version & date of the new release
2. bump `FPDF_VERSION` in `fpdf/fpdf.py`.
Also (optionnal, once every year), update `contributors/contributors-map-small.png` based on <https://py-pdf.github.io/fpdf2/contributors.html>
Also (optional, once every year), update `contributors/contributors-map-small.png` based on <https://py-pdf.github.io/fpdf2/contributors.html>
3. update the `announce` block in `docs/overrides/main.html` to mention the new release
4. `git commit` & `git push` (if editing in a fork: submit and merge a PR)
5. check that [the GitHub Actions succeed](https://github.com/py-pdf/fpdf2/actions), and that [a new release appears on Pypi](https://pypi.org/project/fpdf2/#history)
6. perform a [GitHub release](https://github.com/py-pdf/fpdf2/releases), taking the description from the `CHANGELOG.md`.
It will create a new `git` tag.
7. (optional) add a comment mentioning that the feature/fix has been released in all the GitHub issues mentioned in the `CHANGELOG.md`

## Documentation
The standalone documentation is in the `docs` subfolder,
13 changes: 13 additions & 0 deletions docs/index.md
@@ -83,6 +83,19 @@ pip install git+https://github.com/py-pdf/fpdf2.git@master

**Developement**: check the [dedicated documentation page](Development.md).

### Verifying provenance
`sigstore` can be used to check the provenance of a `fpdf2-2.X.Y.tar.gz` package.

Example to check the claim that the `fpdf2-2.8.2.tar.gz` file downloaded from Pypi matches the `git` commit [b9cfbb6d8ca1eb034e826fd358194e899a1daf28](https://github.com/py-pdf/fpdf2/commit/b9cfbb6d8ca1eb034e826fd358194e899a1daf28).

```shell
pip install sigstore

wget https://files.pythonhosted.org/packages/b0/54/0e86f986e81abad9e6b348f5176048a2aa046920d46292c42a581064d93e/fpdf2-2.8.2.tar.gz

sigstore verify github fpdf2-2.8.2.tar.gz --repository=py-pdf/fpdf2 --sha b9cfbb6d8ca1eb034e826fd358194e899a1daf28
```

### Displaying deprecation warnings
`DeprecationWarning`s are not displayed by Python by default.

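Review bot: the example downloads only the tarball, but `sigstore verify github` also needs the Sigstore bundle: it looks for `fpdf2-2.8.2.tar.gz.sigstore.json` (or `.sigstore`) next to the input, or a path given with `--bundle`, and the `files.pythonhosted.org` URL does not serve that bundle, so as written the command will stop with a missing-bundle error. Document where the bundle comes from (the `gh-action-sigstore-python` step with `release-signing-artifacts: true` that this same commit removes from the workflow is what attached bundles to GitHub releases) or add the `--bundle` argument to the example. Minor: the unchanged context line above reads "Developement" for "Development", and "Pypi" is spelled "PyPI".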