Thank you for your interest in contributing to sigstore!
The information below will help you set up a local development environment, as well as performing common development tasks.
sigstore's only development environment requirement should be Python 3.9
or newer. Development and testing is actively performed on macOS and Linux,
but Windows and other supported platforms that are supported by Python
should also work.
If you're on a system that has GNU Make, you can use the convenience targets
included in the Makefile that comes in the sigstore repository detailed
below. But this isn't required; all steps can be done without Make.
First, clone this repository:
git clone https://github.com/sigstore/sigstore-python
cd sigstoreThen, use one of the Makefile targets to run a task. The first time this is
run, this will also set up the local development virtual environment, and will
install sigstore as an editable package into this environment.
Any changes you make to the sigstore source tree will take effect
immediately in the virtual environment.
You can lint locally with:
make lintsigstore is automatically linted and formatted with a collection of tools:
ruff: Code formatting, PEP-8 linting, style enforcementmypy: Static type checkingbandit: Security issue scanninginterrogate: Documentation coverage
To automatically apply any lint-suggested changes, you can run:
make reformatYou can run the tests locally with:
make testor:
make test-interactiveto run tests that require OIDC credentials (will prompt for authentication to generate tokens).
Note that test-interactive may fail if you have a slow network, as the tokens generated are only
valid for 60 seconds after their issuance.
You can also filter by a pattern (uses pytest -k):
make test TESTS=test_versionTo test a specific file:
make test T=path/to/file.pysigstore has a pytest-based unit test suite,
including code coverage with coverage.py.
sigstore includes some checked-in X.509 test assets under
test/unit/assets/x509.
These assets are generated by the adjacent
build-testcases.py script,
which can be updated to generate additional test cases.
To re-build the X.509 test cases, you can use make:
make gen-x509-testcasesIf you're running Python 3.9 or newer, you can run the documentation build locally:
make docsigstore uses pdoc to generate HTML
documentation for the public Python APIs.
NOTE: If you're a non-maintaining contributor, you don't need the steps here! They're documented for completeness and for onboarding future maintainers.
Releases of sigstore are managed with bump
and GitHub Actions.
# default release (patch bump)
make release
# override the default
# vX.Y.Z -> vX.Y.Z-rc.0
make release BUMP_ARGS="--pre rc.0"
# vX.Y.Z -> vN.0.0
make release BUMP_ARGS="--major"make release will fail if there are any untracked changes in the source tree.
If make release succeeds, you'll see an output like this:
RUN ME MANUALLY: git push origin main && git push origin vX.Y.Z
Run that last command sequence to complete the release.
Here are some guidelines to follow if you're working on a new feature or changes to
sigstore's internal APIs:
-
Keep the
sigstoreAPIs as private as possible. Nearly all ofsigstore's APIs should be private and treated as unstable and unsuitable for public use. If you're adding a new module to the source tree, prefix the filename with an underscore to emphasize that it's an internal (e.g.,sigstore/_foo.pyinstead ofsigstore/foo.py). -
Perform judicious debug logging.
sigstoreuses the standard Pythonloggingmodule. Uselogger.debugearly and often -- users who experience errors can submit better bug reports when their debug logs include helpful context! -
Update the CHANGELOG. If your changes are public or result in changes to
sigstore's CLI, please record them under the "Unreleased" section, with an entry in an appropriate subsection ("Added", "Changed", "Removed", or "Fixed"). -
Ensure your commits are signed off, as sigstore uses the DCO. You can do it using
git commit -s, orgit commit -s --amendif you want to amend already existing commits.