didlite v0.2.4 - CI/CD Pipeline and Python 3.9+ Support

This release establishes production-ready CI/CD infrastructure with OIDC authentication and resolves Python compatibility issues discovered during multi-version testing.

⚠️ Breaking Changes

Python 3.8 Support Dropped

Minimum version is now Python 3.9+ (#50)

Rationale: Python 3.8 reached EOL in October 2024 (no security patches)
Technical blocker: Type hint incompatibility (tuple[dict, dict] syntax requires PEP 585, introduced in Python 3.9)
Migration: Upgrade to Python 3.9 or newer

✨ New Features

CI/CD Pipeline with GitHub Actions

Automated testing on every PR/push (#50):

✅ Multi-version testing (Python 3.9, 3.10, 3.11, 3.12)
✅ Fuzzing tests with hypothesis (30-minute timeout in CI)
✅ Security scanning with pip-audit (OSV database)
✅ Code coverage reporting via Codecov

Workflows:

.github/workflows/test.yml - Runs on PR/push to main/dev
.github/workflows/publish.yml - Runs on GitHub release publication

OIDC-Authenticated PyPI Publishing

Secure publishing without API tokens (#50):

✅ GitHub OIDC Trusted Publisher configuration
✅ Automated build and verification with twine
✅ Triggers on GitHub release publication
✅ No API tokens stored - uses GitHub's cryptographic identity

Modern Python Packaging (PEP 517/518)

Complete pyproject.toml configuration (#50):

✅ Centralized package metadata (keywords, classifiers, URLs)
✅ Centralized pytest and coverage configuration
✅ setup.py converted to minimal shim for backwards compatibility

Release Automation

scripts/release.sh for streamlined releases (#50):

✅ Automated version bumping in pyproject.toml and __init__.py
✅ CHANGELOG.md date stamping
✅ Git tagging and push automation
✅ GitHub release draft creation
✅ Branch enforcement (must run on main)

Community Contribution Guidelines

Documentation for contributors (#50):

✅ CONTRIBUTING.md with security hardening documentation
✅ CODE_OF_CONDUCT.md (Contributor Covenant v2.0)
✅ Reference to 23+ security fixes with GitHub issue links
✅ Development philosophy ("lite by design")

Supply Chain Security Documentation

SLSA Level 2 compliance documented (#50):

✅ Current SLSA Level 2 status in SECURITY.md
✅ SLSA Level 3 roadmap for v1.0.0 (provenance, hermetic builds, dependency pinning)
✅ Dependency vulnerability scanning policy (48-hour SLA for critical issues)
✅ Automated pip-audit scanning on every PR

🔧 Bug Fixes

PyO3 Compatibility Fixes

Resolved reinitialization errors across all Python versions (#50):

Root Cause: PyNaCl's cryptography dependency uses PyO3 (Rust bindings), which can only initialize once per Python process. Lazy imports inside functions caused reinitialization errors in test suites.

Solution: Implemented module-level lazy singleton pattern

✅ Affects: didlite/keystore.py and didlite/core.py
✅ Preserves lazy loading philosophy (no imports unless FileKeyStore/PEM methods used)
✅ Imports cryptography modules once per process, caches globally

Removed Deprecated Parameter

Removed deprecated backend parameter from load_pem_private_key() (#50):

✅ Deprecated in cryptography v36.0.0 (November 2021)
✅ Backend now auto-selected by cryptography library
✅ Zero functionality changes

Python 3.9-3.12 Compatibility

All tests pass on supported versions (#50):

✅ Added from __future__ import annotations for PEP 585 compatibility
✅ Fixed pytest import mode conflicts with PyO3 bindings (--import-mode=importlib)
✅ Removed license classifier conflict (setuptools >=77.0.0 compliance)

📊 Test Coverage

Current Coverage: 95.7% (351 statements, 336 covered, 15 missing)

Coverage by Module:

Module	Coverage	Status
`didlite/__init__.py`	100%	✅ Complete
`didlite/core.py`	96%	✅ All critical paths covered
`didlite/jws.py`	99%	✅ Algorithm confusion prevented
`didlite/keystore.py`	93%	✅ All storage backends validated

Why coverage decreased from v0.2.3 (97.2%):

Statement count increased (+30 statements) due to lazy singleton infrastructure
Absolute covered lines increased (+24)
New code is infrastructure (TYPE_CHECKING guards, singleton helpers)
All security-critical code remains 100% covered

Test Results: ✅ All 233 tests pass on Python 3.9, 3.10, 3.11, 3.12

📝 Documentation Updates

✅ Updated test coverage metrics in README.md and docs/TESTING_GUIDE.md
✅ Documented acceptable coverage gaps (TYPE_CHECKING guards, abstract methods, defensive assertions)
✅ Explained infrastructure code coverage trade-offs
✅ Added SLSA Level 2 compliance documentation to SECURITY.md

🔒 Security Posture

Supply Chain Security: SLSA Level 2 ✅

Compliance Details:

✅ Version-controlled source (Git)
✅ Scripted builds (GitHub Actions)
✅ Authenticated provenance (OIDC Trusted Publisher)
✅ Service-generated attestations (GitHub)

SLSA Level 3 planned for v1.0.0:

🔲 Build attestation signing (Sigstore)
🔲 Dependency pinning with checksums
🔲 Hermetic builds (Docker)

Dependency Scanning

Automated: pip-audit runs on every PR/push
Tools: OSV database (Google Open Source Vulnerabilities)
Policy:

Critical vulnerabilities: 48-hour SLA
High severity: 7-day SLA
Medium/Low: Next regular release

🚀 Installation

pip install didlite==0.2.4

Requirements:

Python 3.9 or newer
Dependencies: pynacl, py-multibase, cryptography

⚠️ Beta Status

This release has not undergone an independent security audit. While we've conducted comprehensive internal security hardening with 23+ security fixes (see closed security issues), we recommend against production use until an external audit is complete. See SECURITY.md for:

Vulnerability reporting process
Security best practices
Threat model
Known limitations

📖 Full Changelog

See CHANGELOG.md for complete details.

🙏 Acknowledgments

Generated with Claude Code Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

🐛 Reporting Issues

Found a bug? Open an issue Security vulnerability? Email: security@jondepalma.com (PGP key in .github/security/)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v0.2.4

Choose a tag to compare

Sorry, something went wrong.