Commit d157c32
Address audit feedback: distinguish generated code, harden release pipeline (#27)
* Mark generated files distinctly from hand-written
Adds an AUTO-GENERATED header line via the openapi-python-client
post-hook and a .gitattributes entry for linguist-generated, so readers
can tell at a glance which files are output of the generator and which
are hand-written. Addresses Jon's audit feedback that the split was not
visually obvious.
The post-hook's existing `(?!# Copyright)` lookahead skips files that
already have a copyright header, so hand-written files keep their
two-line header and only freshly-generated files get the marker.
* Use @generated marker for code-review tool compatibility
Phabricator, Sapling, Reviewable, and other code-review tools
auto-collapse files containing the literal string `@generated`. Switch
the post-hook from `AUTO-GENERATED` to `@generated` so the marker
works as a magic pragma for those tools, in addition to its existing
human-readable role. Pairs with the existing `DO NOT EDIT.` to also
satisfy Go's formal generated-file regex.
The `\@` escape prevents Perl from interpolating `@generated` as an
empty array variable in the s/// replacement context.
* Drop redundant DO NOT EDIT from generated-file marker
The `@generated` substring alone is what Phabricator, Sapling, and
Reviewable look for to auto-collapse generated files in code review;
`DO NOT EDIT` is only required by Go's spec, not Python. Trimming
keeps the magic marker plus tool attribution and drops the redundant
phrase.
* Trim marker to bare @generated
The literal substring `@generated` is what Phabricator, Sapling, and
Reviewable look for; tool attribution is informational, not standard.
Examples: Apollo Tooling and most Meta-internal generators emit just
`@generated`. Hand-written files are still distinguished by the
absence of the marker.
* Trim effect-explanation from .gitattributes header
* Enable PyPI attestations for SLSA build provenance
Adds `attestations: write` to the publish job's permissions and
`attestations: true` on the pypa/gh-action-pypi-publish step. The
action signs each distribution with a sigstore identity bound to the
GitHub Actions OIDC token and uploads attestations to PyPI alongside
the wheel/sdist. OpenSSF Scorecard awards the higher SLSA-provenance
score (10/10) over plain signatures (8/10).
* Drop redundant attestations input from PyPI publish
The pypa/gh-action-pypi-publish action defaults attestations to 'true' as of v1.14.0, so passing it explicitly is a no-op. The attestations: write permission is still required and stays.
* Adopt REUSE-preferred SPDX-FileCopyrightText header
Switch all per-file copyright headers from the back-compat 'Copyright YYYY Holder' form to the REUSE 3.3-preferred 'SPDX-FileCopyrightText: YYYY Holder' tag, paired with the existing SPDX-License-Identifier line. Also updates the generator post-hook so future regeneration produces (and idempotently skips) the new form.

1 parent 855ece5 commit d157c32
157 files changed
Lines changed: 315 additions & 155 deletions
File tree
- .github/workflows
- ionq_core
- api
- backends
- characterizations
- default
- usage
- whoami
- models
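The header logic the commit message describes, as an added Python example rather than the project's own post-hook (which is a Perl `s///` with a `(?!# Copyright)` lookahead): an idempotent header inserter that skips files already carrying a `Copyright` or `SPDX-FileCopyrightText` line, and a classifier that uses the same bare `@generated` substring the review tools look for. Year, holder, license identifier and marker placement are assumed.

```python
import re

# Constructed values for this example; the project's real holder, year and
# license identifier are not on the commit page.
YEAR = 2024
HOLDER = "Example Holder"
LICENSE_ID = "Apache-2.0"

# Header prepended to freshly generated modules: the bare `@generated` magic
# substring first (placement assumed), then the REUSE-style copyright/license pair.
GENERATED_HEADER = (
    "# @generated\n"
    f"# SPDX-FileCopyrightText: {YEAR} {HOLDER}\n"
    f"# SPDX-License-Identifier: {LICENSE_ID}\n"
)

# Python counterpart of the Perl lookahead `(?!# Copyright)`, widened to the new
# SPDX-FileCopyrightText form and to our own marker so regeneration is idempotent.
# This is an assumed port, not the project's exact regex.
_ALREADY_HEADED = re.compile(r"\A# (?:@generated|Copyright|SPDX-FileCopyrightText)\b")


def add_generated_header(source: str) -> str:
    """Prepend the header unless the file already starts with a recognised header line.

    Hand-written files keep their existing two-line header untouched; only
    header-less (freshly generated) files receive the marker.
    """
    if _ALREADY_HEADED.match(source):
        return source
    return GENERATED_HEADER + source


def is_generated(source: str) -> bool:
    """Mirror the check Phabricator/Sapling/Reviewable make: the literal `@generated`."""
    return "@generated" in source


def classify(files: dict) -> dict:
    """Split a {path: contents} map into 'generated' / 'hand-written' by marker presence."""
    return {
        path: ("generated" if is_generated(text) else "hand-written")
        for path, text in files.items()
    }
```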