sigstore · ModeSevenIndustrialSolutions · Nov 23, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,3 +1,4 @@
+---
 version: 2
 
 updates:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,3 +1,4 @@
+---
 name: CI
 
 on:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,3 +1,4 @@
+---
 on:
   release:
     types:

diff --git a/.github/workflows/schedule-selftest.yml b/.github/workflows/schedule-selftest.yml
@@ -1,3 +1,4 @@
+---
 name: Scheduled self-test
 
 on:

diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
@@ -1,3 +1,4 @@
+---
 name: Self-test
 
 on:

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -1,3 +1,4 @@
+---
 on:
   pull_request: {}
   push:

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -1,3 +1,4 @@
+---
 name: GitHub Actions Security Analysis with zizmor 🌈
 
 on:

diff --git a/.gitignore b/.gitignore
@@ -1 +1 @@
-env/
+env/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,128 @@
+---
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+
+ci:
+  skip: [pytest]
+  autofix_commit_msg: |
+    Chore: pre-commit autofixes
+
+    Signed-off-by: pre-commit-ci[bot] <[email protected]>
+  autoupdate_commit_msg: |
+    Chore: pre-commit autoupdate
+
+    Signed-off-by: pre-commit-ci[bot] <[email protected]>
+
+exclude: "^docs/conf.py"
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # frozen: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: check-added-large-files
+      - id: check-ast
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-xml
+      - id: check-yaml
+      - id: debug-statements
+      - id: end-of-file-fixer
+      - id: requirements-txt-fixer
+      - id: mixed-line-ending
+        args: ["--fix=lf"]
+      - id: no-commit-to-branch
+        args:
+          - --branch=dev
+          - --branch=master
+          - --branch=main
+          - --branch=rc
+          - --branch=production
+
+  - repo: https://github.com/jorisroovers/gitlint
+    rev: acc9d9de6369b76d22cb4167029d2035e8730b98 # frozen: v0.19.1
+    hooks:
+      - id: gitlint
+
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: 79a6b2b1392eaf49cdd32ac4f14be1a809bbd8f7 # frozen: v1.37.1
+    hooks:
+      - id: yamllint
+        types: [yaml]
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: 4cbc74d53fe5634e58e0e65db7d28939c9cec3f7  # frozen: v0.12.7
+    hooks:
+      - id: ruff
+        files: ^(src|tests|scripts)/.+\.py$
+        args: [--fix, --exit-non-zero-on-fix]
+      - id: ruff-format
+        files: ^(src|tests|scripts)/.+\.py$
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: 412de98d50e846f31ea6f4b0ad036f2c24a7a024  # frozen: v1.17.1
+    hooks:
+      - id: mypy
+        additional_dependencies: [types-requests]
+
+  - repo: https://github.com/btford/write-good
+    rev: ab66ce10136dfad5146e69e70f82a3efac8842c1 # frozen: v1.0.8
+    hooks:
+      - id: write-good
+        files: "\\.(rst|md|markdown|mdown|mkdn)$"
+
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: a23f6b85d0fdd5bb9d564e2579e678033debbdff # frozen: v0.10.0.1
+    hooks:
+      - id: shellcheck
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: 192ad822316c3a22fb3d3cc8aa6eafa0b8488360 # frozen: v0.45.0
+    hooks:
+      - id: markdownlint
+        args: ["--fix"]
+
+  - repo: https://github.com/fsfe/reuse-tool
+    rev: 60dfc6b2ad9e1f3eabfbcf3a0dc202ee89dc5a00 # frozen: v5.0.2
+    hooks:
+      - id: reuse
+
+  # Replaces: https://github.com/rhysd/actionlint
+  # Permits actionlint to run both locally and with precommit.ci/GitHub
+  - repo: https://github.com/Mateusz-Grzelinski/actionlint-py
+    rev: a185be0fd5b45112845b700d91b81050c75579e2 # frozen: v1.7.7.23
+    hooks:
+      - id: actionlint
+
+  # Check for misspellings in documentation files
+  - repo: https://github.com/codespell-project/codespell
+    rev: 63c8f8312b7559622c0d82815639671ae42132ac # frozen: v2.4.1
+    hooks:
+      - id: codespell
+        args: ["--ignore-words=.codespell"]
+
+  - repo: https://github.com/python-jsonschema/check-jsonschema.git
+    rev: 54da05914997e6b04e4db33ed6757d744984c68b # frozen: 0.33.2
+    hooks:
+      - id: check-github-actions
+      - id: check-github-workflows
+      - id: check-jsonschema
+        name: Check GitHub Workflows set timeout-minutes
+        args:
+          - --builtin-schema
+          - github-workflows-require-timeout
+        files: ^\.github/workflows/[^/]+$
+        types:
+          - yaml
+      - id: check-readthedocs
+
+  # Run tests last to ensure all code changes from other hooks are tested
+  - repo: local
+    hooks:
+      - id: pytest
+        name: pytest
+        entry: uv
+        args: [run, pytest, --tb=short, -q]
+        language: system
+        pass_filenames: false
+        always_run: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -30,7 +30,6 @@ transparency log (but produced signature bundles still contain Rekor v1 entries
   3.x series will remain 1 (except when using `staging: true`).
   ([#228](https://github.com/sigstore/gh-action-sigstore-python/pull/228))
 
-
 ## [3.0.1]
 
 ### Changed
@@ -62,7 +61,6 @@ transparency log (but produced signature bundles still contain Rekor v1 entries
   `certificate`, `bundle`
   ([#146](https://github.com/sigstore/gh-action-sigstore-python/pull/146))
 
-
 ### Changed
 
 * `inputs` is now parsed according to POSIX shell lexing rules, improving
@@ -97,6 +95,5 @@ transparency log (but produced signature bundles still contain Rekor v1 entries
   package prefixes
   ([#145](https://github.com/sigstore/gh-action-sigstore-python/pull/145))
 
-
 [Unreleased]: https://github.com/sigstore/gh-action-sigstore-python/compare/v3.0.0...HEAD
 [3.0.0]: https://github.com/sigstore/gh-action-sigstore-python/compare/v2.1.1...v3.0.0
diff --git a/README.md b/README.md
@@ -285,6 +285,7 @@ permissions:
 ```
 
 ### Internal options
+
 <details>
   <summary>⚠️ Internal options ⚠️</summary>
 
@@ -294,7 +295,7 @@ permissions:
 
   All internal options are prefixed with `internal-be-careful-`.
 
-  #### `internal-be-careful-debug`
+#### `internal-be-careful-debug`
 
   **Default**: `false`
 

diff --git a/action.yml b/action.yml
@@ -1,3 +1,4 @@
+---
 # Copyright 2022 The Sigstore Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

diff --git a/requirements/dev.in b/requirements/dev.in
@@ -1,7 +1,7 @@
-ruff
-mypy
-types-requests
+ruff == 0.8.5
+mypy == 1.14.1
+types-requests == 2.32.0.20241016
 
 # copied from main.in
-sigstore ~= 4.0
-requests ~= 2.32
+sigstore == 4.1.0
+requests == 2.32.5
-Original file line number
+Diff line change
@@ -1,3 +1,4 @@
+    ---
     name: CI
     on:
@@ Expand Down @@