Harden #1190

Merged: spoorcc merged 6 commits into main from harden, May 11, 2026

@spoorcc spoorcc commented May 11, 2026

Summary by CodeRabbit

  • Documentation

    • Installation guide updated with expanded, clearer release-integrity verification instructions covering installer and PyPI package attestations.
  • Chores

    • CI workflow: improved package caching, attestation creation and verification for released artifacts, and expanded allowed endpoints.
    • Repo: added ignore rule for vendor/ directory.

coderabbitai Bot commented May 11, 2026

Warning

Rate limit exceeded

@spoorcc has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 46 minutes and 58 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e2fa3dab-e88a-42d4-b120-c5b192da9287

📥 Commits

Reviewing files that changed from the base of the PR and between 6bb6c88 and a8ce3a1.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • doc/tutorials/installation.rst

Walkthrough

Enables pip caching and updates cache keying, expands hardened-runner endpoints, adds attestation creation and verification steps for binary installers and Python distributions, updates installation docs, and ignores vendor/.

Changes

Build, Caching, and Attestations

| Layer | File(s) | Summary |
|---|---|---|
| Ignore vendor/ | .gitignore | Adds vendor/ to .gitignore. |
| Enable pip cache | .github/workflows/build.yml ... .github/workflows/build.yml | actions/setup-python now uses cache: 'pip' in build and build-whl jobs. |
| Compiler cache keys | .github/workflows/build.yml | ccache and Windows clcache cache keys/restore-keys include ${{ github.ref_name }} and hashFiles('pyproject.toml'). |
| Allowed endpoints | .github/workflows/build.yml | Hardened-runner allowed endpoints list extended to include Sigstore endpoints and *.blob.core.windows.net:443. |
| Binary installer attestations | .github/workflows/build.yml | After packaging, workflow loops over installers to verify CycloneDX SBOM and SLSA build provenance attestations using gh attestation verify. |
| build-whl permissions & attestations | .github/workflows/build.yml | build-whl job adds attestations: write and id-token: write, creates and verifies SBOM and provenance attestations for .whl/.tar.gz artifacts. |
| Installation docs: verification commands | doc/tutorials/installation.rst | Rewrites verification commands to use --predicate-type, --cert-identity referencing workflow@v, and --cert-oidc-issuer for Linux/macOS/Windows and PyPI wheels; expands explanatory note. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • dfetch-org/dfetch#1176: Both PRs modify the GitHub Actions workflows and docs to add SBOM attestations and related attestation permissions/steps.
  • dfetch-org/dfetch#904: Both PRs modify the same GitHub Actions build workflows, including attestation and caching changes.

Suggested labels

github_actions

Suggested reviewers

  • ben-edna
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'Harden' is vague and does not clearly convey the specific changes made in this pull request, which involve adding cryptographic attestation verification, updating caching strategies, and improving installation documentation. | Consider a more descriptive title such as 'Add attestation verification and improve caching in CI/CD' or 'Harden security with SBOM and SLSA attestation verification' to better convey the primary changes. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Around line 72-86: The gem install in the "Install fpm" step currently uses
--install-dir vendor/fpm-gems but not --bindir, so the fpm executable is not
placed in vendor/fpm-gems/bin referenced by the "Add fpm to PATH" step; update
the Install fpm step to add --bindir vendor/fpm-gems/bin (i.e., run gem install
--no-document --install-dir vendor/fpm-gems --bindir vendor/fpm-gems/bin fpm
--version 1.17.0) so the binary lands in vendor/fpm-gems/bin and the PATH entry
is correct.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0883e4a7-3ff9-4f79-b016-14097deee6a5

📥 Commits

Reviewing files that changed from the base of the PR and between d79c5fc and 8881011.

📒 Files selected for processing (3)
  • .github/workflows/build.yml
  • .gitignore
  • doc/tutorials/installation.rst

Comment thread .github/workflows/build.yml Outdated

spoorcc commented May 11, 2026

@coderabbitai review

coderabbitai Bot commented May 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Around line 93-96: Add an extra, more general restore-keys fallback for the
existing restore-keys block (the lines using the key pattern ${{ github.job
}}-${{ matrix.platform }}-${{ github.ref_name }}-${{ hashFiles('pyproject.toml')
}}) so caches can be shared across branches: include one fallback that omits
${{ github.ref_name }} but keeps the hash (e.g. ${{ github.job }}-${{
matrix.platform }}-${{ hashFiles('pyproject.toml') }}-) and optionally a broader
fallback without the hash (e.g. ${{ github.job }}-${{ matrix.platform }}-) for
both the ccache and clcache restore-keys blocks to improve cross-branch cache
hits while preserving content-addressed safety.
- Line 50: Replace the broad wildcard entry '*.blob.core.windows.net:443' in the
egress allowlist with the specific Azure Blob Storage hostnames required by the
build (e.g., the concrete storage account subdomains used during artifact
fetches), update the allowlist entry in the workflow where the current
'*.blob.core.windows.net:443' string appears, and add a short inline comment in
the same build.yml egress section documenting which specific subdomains are
allowed and why (or add a TODO to enumerate them) so the policy is not overly
permissive.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5b5fecdc-ab08-4934-a65c-21cb76ac27e3

📥 Commits

Reviewing files that changed from the base of the PR and between 8881011 and 6bb6c88.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • doc/tutorials/installation.rst

Comment thread .github/workflows/build.yml
Comment thread .github/workflows/build.yml
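
A reviewer-side check for the wildcard egress finding in the review above, as an added example (not code from this PR, dfetch or CodeRabbit): it audits an allowlist for wildcard, duplicate and malformed entries and shows which hosts the wildcard admits. The sample list, the glob-style matching semantics and the account names are assumptions; only `*.blob.core.windows.net:443` is taken from the review.

```python
from fnmatch import fnmatchcase

# Constructed sample of an egress allowlist value (whitespace-separated
# host:port entries). Only the wildcard entry is quoted from the review;
# the other hosts are illustrative.
SAMPLE = """
github.com:443
pypi.org:443
files.pythonhosted.org:443
*.blob.core.windows.net:443
pypi.org:443
sigstore.example
"""

def parse(text):
    """Split the allowlist into (host, port) pairs; collect malformed entries."""
    entries, malformed = [], []
    for raw in text.split():
        host, sep, port = raw.rpartition(":")
        if sep and host and port.isdigit() and 0 < int(port) < 65536:
            entries.append((host.lower(), int(port)))
        else:
            malformed.append(raw)
    return entries, malformed

def audit(text):
    """Return sorted (entry, reason) findings for a reviewer to act on."""
    entries, malformed = parse(text)
    findings = [(raw, "not host:port") for raw in malformed]
    seen = set()
    for host, port in entries:
        entry = f"{host}:{port}"
        if "*" in host:
            # Every storage account, whoever owns it, lives under this suffix.
            findings.append((entry, "wildcard: pin concrete hostnames"))
        if (host, port) in seen:
            findings.append((entry, "duplicate"))
        seen.add((host, port))
    return sorted(findings)

def permits(text, host, port):
    """Assumed semantics: '*' matches any run of characters in the hostname."""
    entries, _ = parse(text)
    return any(p == port and fnmatchcase(host.lower(), h) for h, p in entries)

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE):
        print(f"{entry}: {reason}")
```
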
@spoorcc spoorcc merged commit 8e2d502 into main May 11, 2026
39 checks passed
@spoorcc spoorcc deleted the harden branch May 11, 2026 21:24