Create project structure. (#1)

Author: jessemyers-lettuce

.github/workflows/pull-request.yaml

@@ -0,0 +1,31 @@
+name: Verify
+
+on:
+  pull_request:
+
+jobs:
+  verify:
+    name: Success
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Setup buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build container image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          load: true
+          provenance: false
+          push: false
+          tags: github-bot-signed-commit:${{ github.sha }}
+          target: verify
+
+      - name: Verify container image
+        shell: bash
+        run: |
+          docker run --rm github-bot-signed-commit:${{ github.sha }}

.gitignore

@@ -0,0 +1,162 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+*.pem

.python-version

@@ -0,0 +1 @@
+3.11

.version

@@ -0,0 +1 @@
+0.1.0

Dockerfile

@@ -0,0 +1,33 @@
+### Use an appropriate version of Python
+FROM python:3.12-slim-bullseye@sha256:832f8341da133d603b3141b57a55943e2fe00d431cbb89b8ca04925f3a798ee8 AS python
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get -qq update -y && \
+    apt-get -qq install -y git >/dev/null
+
+### Install requirements
+FROM python AS requirements
+
+COPY requirements.txt /opt/project/
+WORKDIR /opt/project
+RUN --mount=type=cache,target=/root/.cache \
+    pip install --disable-pip-version-check --requirement requirements.txt
+
+### Install source and its dependencies
+FROM requirements AS source
+
+COPY pyproject.toml /opt/project/
+COPY src /opt/project/src
+
+
+### Define verify command
+FROM source AS verify
+
+ENV CI=1
+
+RUN --mount=type=cache,target=/root/.cache \
+    pip install --quiet --disable-pip-version-check --editable .[style,types,test]
+COPY bin/verify* /opt/project/bin/
+
+CMD ["/opt/project/bin/verify"]

README.md

@@ -1 +1,29 @@
-# empty
+# Signed Commits for GitHub Bots
+
+GitHub users can (and should) signed their commits using normal git operations; GitHub bots cannot
+because when they perform git operations, they do not have access to their signing key. GitHub
+ensures that commits created by bots through their API will be signed, but constructing these
+commits requires either managing lower level objects (trees, blobs) or using the GraphQL API,
+which has challenging ergonomics from the CLI and can be extremely slow (e.g. over an hour) when
+creating commits.
+
+This project uses [GitPython](https://github.com/gitpython-developers/GitPython) to inspect a
+local commit and recreate it remotely using [PyGitHub](https://github.com/PyGithub/PyGithub).
+
+
+
+## Docker
+
+### Verification (CI)
+
+ 1. Build:
+
+    ```sh
+    docker build -t verify --target verify .
+    ```
+
+ 2. Verify:
+
+    ```sh
+    docker run -it --rm verify
+    ```

bin/build

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+PROJECT_ROOT=$(dirname $(dirname $(realpath $0)))
+
+pushd ${PROJECT_ROOT} > /dev/null
+
+if [ -z "${VIRTUAL_ENV}" ] && [ -r .venv ]; then
+    source .venv/bin/activate
+fi
+
+python -m build

bin/install

@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+PROJECT_ROOT=$(dirname $(dirname $(realpath $0)))
+PROJECT_NAME=$(basename ${PROJECT_ROOT})
+
+pushd ${PROJECT_ROOT} > /dev/null
+
+# Installation defaults to using a local virtualenv (`.env`) but may use other tooling
+# (e.g. `virtualenvwrapper`) to externalize the installation location.
+
+if [ -z "${VIRTUAL_ENV}" ]; then
+    # Create a local virtualenv if one does not exist
+    test -d .venv || python3 -m venv .venv --prompt ${PROJECT_NAME}
+    source .venv/bin/activate
+fi
+
+# We need wheel to install any binary packagess
+pip3 install --disable-pip-version-check wheel
+
+# Install dependencies in editable mode
+pip3 install --disable-pip-version-check --editable '.[dist,style,test,types]'

bin/update-requirements

@@ -0,0 +1,13 @@
+#!/bin/bash -eo pipefail
+
+PROJECT_ROOT=$(dirname $(dirname $(realpath $0)))
+
+pushd ${PROJECT_ROOT} > /dev/null
+
+WORKDIR=$(mktemp -d)
+
+trap "rm -rf ${WORKDIR}" EXIT
+
+python3 -m venv ${WORKDIR}
+${WORKDIR}/bin/pip install --disable-pip-version-check --quiet --editable .
+${WORKDIR}/bin/pip freeze --disable-pip-version-check --quiet --exclude-editable > requirements.txt

bin/verify

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+PARENT=$(dirname $(realpath $0))
+
+${PARENT}/verify-style
+${PARENT}/verify-types
+${PARENT}/verify-tests