
Commit d157c32

Address audit feedback: distinguish generated code, harden release pipeline (#27)

* Mark generated files distinctly from hand-written

  Adds an AUTO-GENERATED header line via the openapi-python-client post-hook and a .gitattributes entry for linguist-generated, so readers can tell at a glance which files are output of the generator and which are hand-written. Addresses Jon's audit feedback that the split was not visually obvious.

  The post-hook's existing `(?!# Copyright)` lookahead skips files that already have a copyright header, so hand-written files keep their two-line header and only freshly-generated files get the marker.

* Use @generated marker for code-review tool compatibility

  Phabricator, Sapling, Reviewable, and other code-review tools auto-collapse files containing the literal string `@generated`. Switch the post-hook from `AUTO-GENERATED` to `@generated` so the marker works as a magic pragma for those tools, in addition to its existing human-readable role. Pairs with the existing `DO NOT EDIT.` to also satisfy Go's formal generated-file regex.

  The `\@` escape prevents Perl from interpolating `@generated` as an empty array variable in the s/// replacement context.

* Drop redundant DO NOT EDIT from generated-file marker

  The `@generated` substring alone is what Phabricator, Sapling, and Reviewable look for to auto-collapse generated files in code review; `DO NOT EDIT` is only required by Go's spec, not Python. Trimming keeps the magic marker plus tool attribution and drops the redundant phrase.

* Trim marker to bare @generated

  The literal substring `@generated` is what Phabricator, Sapling, and Reviewable look for; tool attribution is informational, not standard. Examples: Apollo Tooling and most Meta-internal generators emit just `@generated`. Hand-written files are still distinguished by the absence of the marker.

* Trim effect-explanation from .gitattributes header

* Enable PyPI attestations for SLSA build provenance

  Adds `attestations: write` to the publish job's permissions and `attestations: true` on the pypa/gh-action-pypi-publish step. The action signs each distribution with a sigstore identity bound to the GitHub Actions OIDC token and uploads attestations to PyPI alongside the wheel/sdist. OpenSSF Scorecard awards the higher SLSA-provenance score (10/10) over plain signatures (8/10).

* Drop redundant attestations input from PyPI publish

  The pypa/gh-action-pypi-publish action defaults attestations to 'true' as of v1.14.0, so passing it explicitly is a no-op. The attestations: write permission is still required and stays.

* Adopt REUSE-preferred SPDX-FileCopyrightText header

  Switch all per-file copyright headers from the back-compat 'Copyright YYYY Holder' form to the REUSE 3.3-preferred 'SPDX-FileCopyrightText: YYYY Holder' tag, paired with the existing SPDX-License-Identifier line. Also updates the generator post-hook so future regeneration produces (and idempotently skips) the new form.
1 parent 855ece5 commit d157c32

157 files changed

Lines changed: 315 additions & 155 deletions
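The commit message relies on three things staying in agreement: the `@generated` line the post-hook writes, the REUSE header pair on hand-written files, and the hand-maintained `linguist-generated=true` list in `.gitattributes`. The following is an added example, not the project's own tooling, of a check that reports drift between them; it assumes (hypothetically) that `@generated` appears within a file's first five lines and that the `.gitattributes` globs use `**`/`*` in the usual gitattributes sense. The sample files and paths at the bottom are constructed for the demo.

```python
"""Added example, not the project's code: do @generated markers, REUSE headers and .gitattributes agree?"""
import re

SPDX_COPYRIGHT = re.compile(r"^# SPDX-FileCopyrightText: \d{4} .+$")
SPDX_LICENSE = re.compile(r"^# SPDX-License-Identifier: \S+$")

def linguist_generated_patterns(gitattributes: str) -> list:
    """Compile paths marked linguist-generated=true into anchored regexes."""
    patterns = []
    for raw in gitattributes.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no attribute
        path, *attrs = line.split()
        if "linguist-generated=true" in attrs:
            # gitattributes glob: ** crosses directory boundaries, * does not
            rx = re.escape(path).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
            patterns.append(re.compile("^" + rx + "$"))
    return patterns

def classify(source: str) -> str:
    """'generated' (assumed: @generated within the first 5 lines), 'handwritten' or 'unmarked'."""
    head = source.splitlines()[:5]
    if any("@generated" in line for line in head):
        return "generated"
    if len(head) >= 2 and SPDX_COPYRIGHT.match(head[0]) and SPDX_LICENSE.match(head[1]):
        return "handwritten"
    return "unmarked"

def audit(files: dict, gitattributes: str) -> list:
    """One finding per file whose header disagrees with its .gitattributes entry."""
    patterns = linguist_generated_patterns(gitattributes)
    findings = []
    for path, source in files.items():
        kind, listed = classify(source), any(p.match(path) for p in patterns)
        if kind == "unmarked":
            findings.append(f"{path}: neither @generated nor REUSE header")
        elif kind == "generated" and not listed:
            findings.append(f"{path}: @generated but not linguist-generated")
        elif kind == "handwritten" and listed:
            findings.append(f"{path}: hand-written header but marked linguist-generated")
    return findings

# Constructed sample: one generated, one hand-written, one drifted (hypothetical) path.
SAMPLE_ATTRS = "# Auto-generated by openapi-python-client.\nionq_core/api/** linguist-generated=true\n"
SAMPLE_FILES = {
    "ionq_core/api/backends/get_backend.py": "# @generated\n# SPDX-FileCopyrightText: 2026 IonQ, Inc.\n",
    "ionq_core/_transport.py": "# SPDX-FileCopyrightText: 2026 IonQ, Inc.\n# SPDX-License-Identifier: Apache-2.0\n",
    "ionq_core/models/job.py": "# @generated\n",
}
```

Running `audit(SAMPLE_FILES, SAMPLE_ATTRS)` flags only the drifted `ionq_core/models/job.py`, which carries the marker but is not covered by any `linguist-generated=true` pattern.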


.gitattributes

Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
# Auto-generated by openapi-python-client.
2+
ionq_core/__init__.py linguist-generated=true
3+
ionq_core/client.py linguist-generated=true
4+
ionq_core/errors.py linguist-generated=true
5+
ionq_core/types.py linguist-generated=true
6+
ionq_core/api/** linguist-generated=true
7+
ionq_core/models/** linguist-generated=true
8+
9+
# Vendored upstream OpenAPI spec.
10+
openapi.json linguist-vendored=true
11+
12+
# Lockfiles.
13+
uv.lock linguist-generated=true
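Review bot: the `uv.lock linguist-generated=true` entry on the last line of this hunk collapses lockfile diffs in GitHub review by default, and the lockfile is exactly where a swapped dependency or changed hash would surface, so either drop that entry or make expanding it a review habit; the same applies to `openapi.json linguist-vendored=true`, since the vendored spec is the generator's input and a change there rewrites every generated file. Note also that `linguist-generated` is a rendering hint only and this path list is hand-maintained while the `@generated` marker is emitted by the post-hook, so the two can drift (a new top-level module beside `ionq_core/types.py` would carry the marker but not be listed); a CI check that every file containing `@generated` matches one of these patterns, and no hand-written file does, would keep them in step.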

.github/workflows/release.yml

Lines changed: 1 addition & 0 deletions
@@ -61,6 +61,7 @@ jobs:
6161
url: https://pypi.org/p/ionq-core
6262
permissions:
6363
id-token: write
64+
attestations: write
6465
steps:
6566
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
6667
with:
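Review bot: `attestations: write` is correctly scoped to the publish job next to `id-token: write` rather than granted workflow-wide, but the `pypa/gh-action-pypi-publish` step that consumes it lies outside this hunk, so the review cannot confirm that its pinned version is at or above v1.14.0 where attestations default to true as the commit message states; pinned to an older revision, the permission would be granted without any attestation being produced. Suggest verifying the pin, or keeping `attestations: true` explicit so the intent survives a later version change, and pinning the publish step by full commit SHA the way `actions/download-artifact` is in the context lines.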

ionq_core/__init__.py

Lines changed: 2 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

ionq_core/_transport.py

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
# Copyright 2026 IonQ, Inc.
1+
# SPDX-FileCopyrightText: 2026 IonQ, Inc.
22
# SPDX-License-Identifier: Apache-2.0
33

44
"""Transport layer: retry via httpx-retries, error raising for IonQ API responses.
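Review bot: this is a header-only change and the new `SPDX-FileCopyrightText` line keeps the `SPDX-License-Identifier` pair intact, but nothing in the diff enforces the form going forward; since `_transport.py` carries no `@generated` marker, the generator post-hook described in the commit message never touches it, so a `reuse lint` step in CI would be the place to catch a future hand-written file that lands without the pair.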

ionq_core/api/__init__.py

Lines changed: 2 additions & 1 deletion

ionq_core/api/backends/__init__.py

Lines changed: 2 additions & 1 deletion

ionq_core/api/backends/get_backend.py

Lines changed: 2 additions & 1 deletion

ionq_core/api/backends/get_backends.py

Lines changed: 2 additions & 1 deletion

ionq_core/api/characterizations/__init__.py

Lines changed: 2 additions & 1 deletion

ionq_core/api/characterizations/get_characterization.py

Lines changed: 2 additions & 1 deletion

0 commit comments
