Skip to content

fix: critical findings from package audit (C1, C3, C5)#27

Open
shpaker wants to merge 3 commits into
mainfrom
audit/critical-fixes
Open

fix: critical findings from package audit (C1, C3, C5)#27
shpaker wants to merge 3 commits into
mainfrom
audit/critical-fixes

Conversation

@shpaker

@shpaker shpaker commented Apr 26, 2026

Copy link
Copy Markdown
Owner

Summary

Three critical fixes from the package audit:

  • C3Robot Framework keywords Registry Key Should Not Exist and Registry Value Should Not Exist now raise AssertionError (with descriptive message) instead of FileExistsError. Robot reports this as a proper failed assertion rather than an unexpected error.
  • C5README badges migrated from the deprecated pypi.python.org domain to pypi.org/project/winregistry/; added Python-versions and license badges for discoverability.
  • C1.github/workflows/pypi.yml now uses PyPI Trusted Publisher (OIDC) via uv publish --trusted-publishing always, with a dedicated pypi environment and id-token: write permission. Removes the long-lived PYPI_PASS token from the publish flow.

Out-of-scope per audit decisions:

  • Python 3.8/3.9 support is kept as-is (known EOL risk, see audit doc).
  • sed-based version substitution in pypi.yml is kept as-is.
  • Important/nitpick findings (I*/N*) deferred to follow-up PRs.

Required PyPI-side setup before next release

  1. Go to https://pypi.org/manage/project/winregistry/settings/publishing/Add a new publisherGitHub:
    • Owner: shpaker
    • Repository: winregistry
    • Workflow: pypi.yml
    • Environment: pypi
  2. After the first successful publish via OIDC, the PYPI_PASS repository secret can be removed.

Test plan

  • CI: robot.yml workflow stays green on the full Python 3.8–3.14 matrix (Robot tests on Windows).
  • On a real release, verify pypi.yml runs successfully and publishes via OIDC (no PYPI_PASS reference triggered).
  • Visit the PyPI project page and confirm the new badges render and link to the correct URLs.
  • On Windows, manually trigger the Registry Key Should Not Exist keyword against an existing key and confirm Robot reports a failed assertion (not error).

Notes

just lint still reports 6 pre-existing EM102/TRY003/UP032 warnings on lines unrelated to this change (the audit identified this as finding I2 — CI does not currently run the linter). Those are intentionally not fixed here to keep the PR scoped to the three critical items.

🤖 Generated with Claude Code

A.Shpak and others added 3 commits April 26, 2026 23:53
…ve assertions

`registry_key_should_not_exist` and `registry_value_should_not_exist`
previously raised FileExistsError to signal that a key/value existed
when the test expected it to be missing. Robot Framework treats this
as an unexpected error rather than a failed assertion, leading to
confusing reports.

Switch to AssertionError with a descriptive message so the failure
is reported as a proper assertion failure.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The previous badges linked to pypi.python.org, which has been deprecated
since 2018. Update links to pypi.org/project/winregistry/ and add two
informative badges (supported Python versions and license).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replace long-lived API token (PYPI_PASS secret) with PyPI Trusted
Publisher authentication via GitHub OIDC. Add a `pypi` environment
and `id-token: write` permission so uv publish can request the
short-lived OIDC token.

Setup required on PyPI side:
- Add a Trusted Publisher at
  https://pypi.org/manage/project/winregistry/settings/publishing/
  (owner: shpaker, repo: winregistry, workflow: pypi.yml,
   environment: pypi)
- After the next successful release, the PYPI_PASS secret can be
  removed from repository settings.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant