Fix attestation

Bumps [astroid](https://github.com/pylint-dev/astroid) from 3.2.2 to 3.2.3.
- [Release notes](https://github.com/pylint-dev/astroid/releases)
- [Changelog](https://github.com/pylint-dev/astroid/blob/main/ChangeLog)
- [Commits](https://github.com/pylint-dev/astroid/compare/v3.2.2...v3.2.3)

---
updated-dependencies:
- dependency-name: astroid
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -6,8 +6,8 @@ updates:
       interval: "daily"
     assignees:
       - "luketainton"
-    reviewers:
+    # reviewers:
-      - "luketainton"
+      # - "luketainton"
     commit-message:
       prefix: "chore(actions)"
       include: "scope"
@@ -20,8 +20,8 @@ updates:
       interval: "daily"
     assignees:
       - "luketainton"
-    reviewers:
+    # reviewers:
-      - "luketainton"
+      # - "luketainton"
     commit-message:
       prefix: "chore(docker)"
       include: "scope"
@@ -34,11 +34,11 @@ updates:
       interval: "daily"
     assignees:
       - "luketainton"
-    reviewers:
+    # reviewers:
-      - "luketainton"
+      # - "luketainton"
     commit-message:
       prefix: "chore(pip-prod)"
       prefix-development: "chore(pip-dev)"
       include: "scope"
     labels:
-      - "dependencies"
+      - "dependencies"

.github/renovate.json

@@ -5,7 +5,7 @@
     ":semanticCommitTypeAll(fix)"
   ],
   "baseBranches": [
-    "next"
+    "main"
   ],
   "platformCommit": true,
   "dependencyDashboardAutoclose": true,

.github/workflows-old/release.yml

@@ -3,6 +3,10 @@ on:
   push:
     branches: [main]
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
   release:
     name: Release
@@ -23,34 +27,38 @@ jobs:
           tag: ${{ steps.tag_version.outputs.new_tag }}
           name: ${{ steps.tag_version.outputs.new_tag }}
           body: ${{ steps.tag_version.outputs.changelog }}
+          generateReleaseNotes: true
 
   publish:
     name: GitHub Container Registry
     runs-on: ubuntu-latest
     needs: release
+    permissions:
+      contents: read
+      packages: write
     steps:
       - uses: actions/checkout@v4
       - name: Login to GitHub Container Registry
-        run: echo ${{ secrets.GHCR_ACCESS_TOKEN }} | docker login ghcr.io -u luketainton --password-stdin
+        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
       - name: Build image for GitHub Package Registry
         run: |
           docker build . --file Dockerfile \
           --build-arg "version=${{ needs.release.outputs.new_tag }}" \
-          --tag ghcr.io/luketainton/roboluke-tasks:${{ needs.release.outputs.new_tag }} \
+          --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release.outputs.new_tag }} \
-          --tag ghcr.io/luketainton/roboluke-tasks:latest
+          --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
       - name: Push image to GitHub Package Registry
         run: |
-          docker push ghcr.io/luketainton/roboluke-tasks:latest
+          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-          docker push ghcr.io/luketainton/roboluke-tasks:${{ needs.release.outputs.new_tag }}
+          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release.outputs.new_tag }}
 
-  deploy:
+  # deploy:
-    name: Update Portainer Deployment
+  #   name: Update Portainer Deployment
-    runs-on: ubuntu-latest
+  #   runs-on: ubuntu-latest
-    needs: publish
+  #   needs: publish
-    steps:
+  #   steps:
-      - uses: fjogeleit/http-request-action@v1
+  #     - uses: fjogeleit/http-request-action@v1
-        with:
+  #       with:
-          url: ${{ secrets.PORTAINER_WEBHOOK_URL }}
+  #         url: ${{ secrets.PORTAINER_WEBHOOK_URL }}
-          method: POST
+  #         method: POST
-          timeout: 60000
+  #         timeout: 60000
-          preventFailureOnNoResponse: "true"
+  #         preventFailureOnNoResponse: "true"

.github/workflows/ci.yml

@@ -11,14 +11,8 @@ on:
       - ".github/dependabot.yml"
 
 jobs:
-  pythonci:
+  ci:
-    uses: luketainton/gha-workflows/.github/workflows/ci-python.yml@main
+    uses: luketainton/gha-workflows/.github/workflows/ci-python-with-docker.yml@main
-    secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-  
-  dockerci:
-    uses: luketainton/gha-workflows/.github/workflows/ci-docker.yml@main
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.github/workflows/create_release.yml

@@ -0,0 +1,36 @@
+name: Create Release
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 9 * * *"
+
+jobs:
+  create_release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    outputs:
+      new_tag: ${{ steps.tag_version.outputs.new_tag }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Bump version and push tag
+        id: tag_version
+        uses: mathieudutour/github-tag-action@v6.2
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          default_bump: minor
+
+      - name: Create a GitHub release
+        uses: ncipollo/release-action@v1
+        with:
+          tag: ${{ steps.tag_version.outputs.new_tag }}
+          name: ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.tag_version.outputs.changelog }}
+          generateReleaseNotes: true
+
+  create_docker:
+    name: Create Docker Image
+    needs: create_release
+    uses: luketainton/roboluke-tasks/.github/workflows/docker_publish.yml@main
+    with:
+      release: ${{ needs.create_release.outputs.new_tag }}

.github/workflows/docker_publish.yml

@@ -0,0 +1,61 @@
+name: Publish Docker Image
+
+on:
+  workflow_call:
+    inputs:
+      release:
+        required: true
+        type: string
+
+jobs:
+  publish:
+    name: Publish Docker image
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.release }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern=v{{version}},value=${{ inputs.release }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        with:
+          context: .
+          push: true
+          # provenance: mode=max
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            ghcr.io/${{ github.repository }}:latest
+            ghcr.io/${{ github.repository }}:${{ inputs.release }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

app/main.py

@@ -15,6 +15,7 @@ if config.sentry_enabled:
         dsn=config.sentry_dsn,
         enable_tracing=True,
         environment=config.environment,
+        release=config.version,
         integrations=[StdlibIntegration()],
         spotlight=True
     )

requirements-dev.txt

@@ -4,3 +4,4 @@ isort
 pylint
 pylint-exit
 pytest
+zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability

requirements.txt

@@ -1,47 +1,48 @@
 appdirs==1.4.4
-astroid==3.1.0
+astroid==3.2.3
 attrs==23.2.0
-autopep8==2.1.0
+autopep8==2.3.1
 backoff==2.2.1
-certifi==2024.2.2
+certifi==2024.7.4
 cfgv==3.4.0
 charset-normalizer==3.3.2
 click==8.1.7
 coloredlogs==15.0.1
 dill==0.3.8
 distlib==0.3.8
-filelock==3.13.4
+filelock==3.15.4
 future==1.0.0
 humanfriendly==10.0
-identify==2.5.35
+identify==2.6.0
 idna==3.7
 iniconfig==2.0.0
 lazy-object-proxy==1.10.0
 mccabe==0.7.0
 mypy-extensions==1.0.0
-nodeenv==1.8.0
+nodeenv==1.9.1
-packaging==24.0
+packaging==24.1
 pathspec==0.12.1
-platformdirs==4.2.0
+platformdirs==4.2.2
-pluggy==1.4.0
+pluggy==1.5.0
 py==1.11.0
-pycodestyle==2.11.1
+pycodestyle==2.12.0
 PyJWT==2.8.0
 pyparsing==3.1.2
 python-dateutil==2.9.0.post0
 python-dotenv==1.0.1
 PyYAML==6.0.1
-requests==2.31.0
+requests==2.32.3
 requests-toolbelt==1.0.0
-sentry-sdk==1.45.0
+sentry-sdk==2.9.0
 six==1.16.0
 toml==0.10.2
 tomli==2.0.1
-tomlkit==0.12.4
+tomlkit==0.13.0
-urllib3==2.2.1
+urllib3==2.2.2
-virtualenv==20.25.3
+virtualenv==20.26.3
-webex-bot==0.4.1
+webex-bot==0.5.1
 webexteamssdk==1.6.1
-websockets==10.2
+websockets==11.0.3
 wrapt==1.16.0
 xmltodict==0.13.0
+zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability

tests/test_config.py

@@ -6,6 +6,7 @@ import os
 
 
 vars: dict = {
+    "APP_VERSION": "dev",
     "BOT_NAME": "TestBot",
     "WEBEX_API_KEY": "testing",
     "ADMIN_FIRST_NAME": "Test",