first commit

.gitattributes

@@ -0,0 +1 @@
+*.pdf binary

.github/dependabot.yml

@@ -0,0 +1,23 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+    day: "sunday"
+    time: "21:45"
+    timezone: "Europe/Brussels"
+  labels:
+    - "gha-deps"
+  reviewers:
+    - "msetina"
+- package-ecosystem: "pip"
+  directory: "/"
+  schedule:
+    interval: "daily"
+    time: "22:15"
+    timezone: "Europe/Brussels"
+  labels:
+    - "python-deps"
+  reviewers:
+    - "msetina"

.github/stale.yml

@@ -0,0 +1,14 @@
+staleLabel: stale
+closeComment: false
+
+onlyLabels:
+  - waiting for user
+
+only: issues
+issues:
+  daysUntilStale: 30
+  daysUntilClose: 5
+  markComment: >
+    This issue has been automatically marked as stale because it has not had
+    recent activity. It will be closed in 5 days if no further activity occurs.
+    Thank you for your contributions!

.github/workflows/build-pipeline.yml

@@ -0,0 +1,102 @@
+name: CI pipeline
+
+on:
+  push:
+    branches: [ main, "release/*", "maintenance/*", "ci/*" ]
+  pull_request:
+    branches: [ main ]
+  workflow_call:
+    secrets: {}
+    outputs:
+      hashes:
+        description: "Hashes of the artifacts that were built"
+        value: ${{ jobs.build.outputs.hashes }}
+  workflow_dispatch: {}
+permissions:
+  actions: read
+  contents: read
+env:
+  MAIN_PYTHON_VERSION: "3.10"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.artifact-hashes.outputs.hashes }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+      - name: Install build tools
+        run: pip install --upgrade build setuptools pip wheel
+      - name: Build release artifacts
+        run: python -m build
+      - name: Record release artifact hashes
+        id: artifact-hashes
+        run: cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
+      - name: Upload dist artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: plugin-dist
+          path: dist/
+  pytest-coverage:
+    runs-on: ubuntu-latest
+    needs: build
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Download dist artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: plugin-dist
+          path: dist/
+      - name: Install Python dependencies
+        shell: bash
+        run: |
+          python -m pip install --upgrade pip
+          WHEEL=(dist/*.whl)
+          REQ="${WHEEL[0]}[testing]"
+          python -m pip install $REQ
+      - name: Test with pytest
+        run: python -m pytest --cov=./ --cov-report=xml:python-${{ matrix.python-version }}-coverage.xml
+        env:
+          PKCS11_TEST_MODULE: ${{ env.SOFTHSM2_MODULE_PATH }}
+      - name: Stash coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ strategy.job-index }}
+          path: "*-coverage.xml"
+  codecov-upload:
+    permissions:
+      actions: write
+      contents: read
+    runs-on: ubuntu-latest
+    needs: [pytest-coverage]
+    steps:
+      # checkout necessary to ensure the uploaded report contains the correct paths
+      - uses: actions/checkout@v4
+      - name: Retrieve coverage reports
+        uses: actions/download-artifact@v4
+        with:
+          pattern: coverage-*
+          path: ./reports/
+      - name: Upload all coverage reports to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          directory: ./reports/
+          flags: unittests
+          env_vars: OS,PYTHON
+          name: codecov-umbrella
+      - name: Clean up coverage reports
+        continue-on-error: true
+        uses: GeekyEggo/delete-artifact@v5
+        with:
+          name: coverage-*

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,60 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main, "ci/*" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '16 16 * * 5'
+
+permissions:
+  actions: read
+  contents: read
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3

.github/workflows/release.yml

@@ -0,0 +1,79 @@
+name: Publish release
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: environment
+        description: "Environment in which to execute the release process"
+  push:
+    branches: [ "ci/*", "ci-*" ]
+jobs:
+  ci:
+    name: Run CI pipeline
+    uses: msetina/pyhanko-eoi-plugin/.github/workflows/build-pipeline.yml@main
+    permissions:
+      actions: write
+      contents: read
+  extract-params:
+    name: Determine release parameters
+    runs-on: ubuntu-latest
+    permissions: {}
+    outputs:
+      publish-env: ${{ steps.setenv.outputs.envname }}
+      release-version: ${{ steps.getversion.outputs.version }}
+    steps:
+      - id: setenv
+        run: |
+          if [[ $GITHUB_EVENT_NAME == 'release' ]]; then
+              echo envname=release >> "$GITHUB_OUTPUT"
+          elif [[ $GITHUB_EVENT_NAME == 'push' ]]; then
+              # at times it may be convenient to temporarily turn on release-on-push
+              # for testing purposes, so leaving this line in helps make that smoother
+              echo envname=test-release >> "$GITHUB_OUTPUT"
+          elif [[ $GITHUB_EVENT_NAME == 'workflow_dispatch' ]]; then
+              echo "envname=${{ inputs.environment }}" >> "$GITHUB_OUTPUT"
+          else
+              echo "Cannot run release workflow for trigger event $GITHUB_EVENT_NAME"
+              exit 1
+          fi
+          cat "$GITHUB_OUTPUT"
+  publish:
+    name: Publish release artifacts
+    needs: [extract-params,ci]
+    runs-on: ubuntu-latest
+    environment: ${{ needs.extract-params.outputs.publish-env }}
+    permissions:
+      # we use PyPI's trusted publisher model -> expose identity token
+      id-token: write
+      # we want to add sigstore's artifacts to the release on GitHub
+      contents: write
+      discussions: write
+    steps:
+    - name: Download dist artifacts
+      uses: actions/download-artifact@v4
+      with:
+        name: plugin-dist
+        path: dist/
+    - name: Upload to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: ${{ vars.REPOSITORY_URL }}
+    - name: Sign with sigstore
+      uses: sigstore/[email protected]
+      with:
+        inputs: ./dist/*
+        # useful to inspect workflow artifacts in test runs
+        upload-signing-artifacts: true
+    - name: Create GitHub release
+      if: needs.extract-params.outputs.publish-env == 'release' && startsWith(github.ref, 'refs/tags/')
+      uses: softprops/action-gh-release@v2
+      with:
+        files: |
+          dist/*.whl
+          dist/*.tar.gz
+          dist/*.sigstore          
+        fail_on_unmatched_files: true
+        discussion_category_name: Announcements
+        prerelease: true
+        name: pyhanko-eoi-plugin ${{ needs.extract-params.outputs.release-version }}

.github/workflows/static-analysis.yml

@@ -0,0 +1,26 @@
+name: Static analysis
+
+on: ["push", "pull_request"]
+
+permissions:
+  actions: read
+  contents: read
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+      - run: pip install --upgrade pip isort black
+      - name: Check import order
+        run: isort --profile black --line-length 80 --check pyhanko_eoi*
+      - name: Run Black
+        run: black -S --line-length 80 --check pyhanko_eoi*
+  mypy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: jpetrucciani/[email protected]
+        with:
+          path: pyhanko_eoi
+          requirements: "-e .[mypy] --config-settings editable_mode=strict"