Enforce keyword arguments for public methods

1. Feels appropriate given the number of arguments
2. Already in line with existing README examples
3. Will make it easy for me to expand functionality

hv4gha/entry.py

@@ -6,6 +6,7 @@
 
 def import_app_key(
     pem_key: bytes | str,
+    *,
     key_name: str,
     vault_addr: str,
     vault_token: str,
@@ -26,14 +27,22 @@ def import_app_key(
     if isinstance(pem_key, str):
         pem_key = pem_key.encode()
 
-    transit = VaultTransit(vault_addr, vault_token, transit_backend)
-    transit.import_key(key_name, pem_key)
+    transit = VaultTransit(
+        vault_addr=vault_addr,
+        vault_token=vault_token,
+        transit_backend=transit_backend,
+    )
+    transit.import_key(
+        key_name=key_name,
+        pem_app_key=pem_key,
+    )
 
     if revoke_vault_token:
         transit.revoke_token()
 
 
 def issue_access_token(
+    *,
     key_name: str,
     vault_addr: str,
     vault_token: str,
@@ -64,11 +73,24 @@ def issue_access_token(
     if isinstance(app_id, int):
         app_id = str(app_id)
 
-    transit = VaultTransit(vault_addr, vault_token, transit_backend)
-    jwt: str = transit.sign_jwt(key_name, app_id)
-
-    ghapp = GitHubApp(account, jwt)
-    access_token: TokenResponse = ghapp.issue_token(permissions, repositories)
+    transit = VaultTransit(
+        vault_addr=vault_addr,
+        vault_token=vault_token,
+        transit_backend=transit_backend,
+    )
+    jwt: str = transit.sign_jwt(
+        key_name=key_name,
+        app_id=app_id,
+    )
+
+    ghapp = GitHubApp(
+        account=account,
+        jwt_token=jwt,
+    )
+    access_token: TokenResponse = ghapp.issue_token(
+        permissions=permissions,
+        repositories=repositories,
+    )
 
     if revoke_vault_token:
         transit.revoke_token()

hv4gha/gh.py

@@ -124,7 +124,7 @@ class AccessToken(BaseModel):
 class GitHubApp:
     """GitHub App Access Tokens, etc"""
 
-    def __init__(self, account: str, jwt_token: str):
+    def __init__(self, *, account: str, jwt_token: str):
         """
         :param app_id: GitHub App ID.
         :param jwt_token: GitHub App JWT token
@@ -186,6 +186,7 @@ def __find_installation(self) -> str:
 
     def issue_token(
         self,
+        *,
         permissions: None | dict[str, str] = None,
         repositories: None | list[str] = None,
     ) -> TokenResponse:

hv4gha/vault.py

@@ -72,7 +72,7 @@ class WrappingKey(BaseModel):
 class VaultTransit:
     """Interact with Vault's Transit Secrets Engine"""
 
-    def __init__(self, vault_addr: str, vault_token: str, transit_backend: str):
+    def __init__(self, *, vault_addr: str, vault_token: str, transit_backend: str):
         """
         :param vault_addr: Vault instance VAULT_ADDR.
         :param vault_token: Vault instance VAULT_TOKEN.
@@ -147,7 +147,7 @@ def __api_write(
 
         return response
 
-    def import_key(self, key_name: str, pem_app_key: bytes) -> None:
+    def import_key(self, *, key_name: str, pem_app_key: bytes) -> None:
         """
         Import GitHub App key
 
@@ -169,7 +169,7 @@ def import_key(self, key_name: str, pem_app_key: bytes) -> None:
 
         self.__api_write(api_path, payload, AppKeyImportError)
 
-    def sign_jwt(self, key_name: str, app_id: str) -> str:
+    def sign_jwt(self, *, key_name: str, app_id: str) -> str:
         """
         Sign JWT token to authenticate towards GitHub