openssf scorecard suggested improvements

2026-03-20 08:41:37 -07:00 · 2026-03-20 08:41:37 -07:00 · db97997521
commit db97997521
parent 3a47fef398
5 changed files with 30 additions and 44 deletions
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@ -1,13 +1,12 @@
 name: pypi-wheels

 on:
-  workflow_run:
-    workflows: ["Publish Docker image"]
-    types: [completed]
+  release:
+    types: [published]
  workflow_dispatch:
    inputs:
      tag:
-        description: "Release tag to package (e.g., v1.2.3). Leave blank to use Cargo.toml."
+        description: "Release tag to package (e.g., v1.2.3). Leave blank to use the latest release."
        required: false
        type: string

@ -16,31 +15,26 @@ permissions: {}
 jobs:
  build-wheels:
    name: Build PyPI wheels
-    if: >
-      github.event_name != 'workflow_run' ||
-      github.event.workflow_run.conclusion == 'success' ||
-      github.run_attempt > 1
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
-
      - name: Determine version/tag
        id: version
        shell: bash
        env:
          INPUT_TAG: ${{ github.event.inputs.tag || '' }}
+          RELEASE_TAG_NAME: ${{ github.event.release.tag_name || '' }}
+          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
-          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
+          if [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
+            TAG="${RELEASE_TAG_NAME}"
+          elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
            TAG="${INPUT_TAG}"
          else
-            VERSION=$(grep -m1 '^version\s*=' Cargo.toml | cut -d '"' -f2)
-            TAG="v${VERSION}"
+            TAG=$(gh release view --json tagName --jq .tagName)
          fi
          if [[ ! "${TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
            echo "Invalid tag format: ${TAG}" >&2
@ -50,6 +44,10 @@ jobs:
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ steps.version.outputs.tag }}
+
      - name: Download release assets
        env:
          GH_TOKEN: ${{ github.token }}
@ -89,7 +87,7 @@ jobs:
          done

      - name: Install build tooling
-        run: python -m pip install --upgrade build
+        run: python -m pip install --upgrade --require-hashes -r .github/requirements/pypi-build.txt

      - name: Build wheels
        shell: bash
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@ -9,14 +9,7 @@ on:
  release:
    types: [published]

-  # 2️⃣  Option 2: run every time the build-and-release workflow
-  #     completes successfully on the main branch
-  workflow_run:
-    workflows: ["build-and-release"]
-    types: [completed]
-    branches: [main]
-
-  # 3️⃣  Manual: “Run workflow” button or `gh workflow run`
+  # 2️⃣  Manual: “Run workflow” button or `gh workflow run`
  workflow_dispatch:
    inputs:
      tag:
@ -32,25 +25,9 @@ permissions:
 ###############################################################################
 jobs:
  build-and-push:
-    # Run if:
-    # - event is NOT workflow_run (release, workflow_dispatch)
-    # - OR workflow_run completed successfully
-    # - OR this is a re-run (run_attempt > 1) so we force it to run
-    if: >
-      github.event_name != 'workflow_run' ||
-      github.event.workflow_run.conclusion == 'success' ||
-      github.run_attempt > 1
    runs-on: ubuntu-latest

    steps:
-    # -----------------------------------------------------------------------
-    # Check out the exact commit that produced the artifacts (workflow_run),
-    # otherwise just use the SHA tied to the release / manual dispatch.
-    # -----------------------------------------------------------------------
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
-
    # -----------------------------------------------------------------------
    # Decide which tag we’re going to publish
    # -----------------------------------------------------------------------
@ -66,10 +43,10 @@ jobs:
        set -euo pipefail
        if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
          RAW_TAG="${RELEASE_TAG_NAME}"
-        elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${MANUAL_TAG}" ]]; then
+        elif [[ -n "${MANUAL_TAG}" ]]; then
          RAW_TAG="${MANUAL_TAG}"
        else
-          # workflow_run (or manual w/o tag) → ask GitHub API for latest release tag
+          # manual w/o tag → ask GitHub API for latest release tag
          RAW_TAG=$(curl -sSL -H "Authorization: Bearer ${GH_TOKEN}" \
                   "https://api.github.com/repos/${{ github.repository }}/releases/latest" \
                   | jq -r .tag_name)
@ -80,6 +57,10 @@ jobs:
        echo "Selected tag: ${TAG}"
        echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"

+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: v${{ steps.tag.outputs.tag }}
+
    # -----------------------------------------------------------------------
    # Build & push
    # -----------------------------------------------------------------------