First off, thank you for taking the time to contribute!
The following guidelines help keep the project consistent and maintainable.
- Code of Conduct
- Getting Started
- Branching & Workflow
- Commit Conventions
- Developer Certificate of Origin (DCO)
- Coding Style
- Testing
- Pull-Request Checklist
- Release Process
We follow the Contributor Covenant v2.1.
Please be respectful and inclusive in all interactions.
# clone
git clone https://github.com/your-org/pycosign.git
cd pycosign
# install Poetry (if not already)
curl -sSL https://install.python-poetry.org | python3 -
# create & activate venv + install deps
poetry install --with dev
# drop into project shell
poetry shell
# install git hooks
pre-commit install
*Poetry automatically selects Python ≥ 3.10 on your system or the one specified in pyproject.toml. All dev tools—ruff, black, mypy, pytest, invoke—are declared under [tool.poetry.group.dev].*
### Prerequisites
| Tool | Required Version | Notes |
|------------------|------------------|-------|
| **Poetry** | 1.8 or newer | Dependency & virtual-env manager |
| **Python** | 3.10 – 3.12 | Poetry will auto-select within this range |
| **cosign CLI** | ≥ 2.2 | `brew install sigstore/tap/cosign` or download release binary |
| **plantuml** | _optional_ | Render `.puml` diagrams locally (`brew install plantuml`) |
| **Docker** | _optional_ | Quick PlantUML preview, OCI registry tests |
## Branching & Workflow
* **`main`** — always releasable; tagged releases are cut from here.
* **Feature branches** — name `feature/<short-topic>` (e.g., `feature/registry-push`).
* **Bug-fix branches** — name `bugfix/<issue-#>` (e.g., `bugfix/42-null-sig-path`).
* **Documentation-only branches** — name `docs/<topic>`.
Workflow:
1. Create an **Issue** if one doesn’t exist.
2. Branch from `main` with the naming rules above.
3. Work locally in a Poetry shell:
```bash
poetry shell
git checkout -b feature/my-cool-thing- Keep commits small, descriptive, and signed (
git commit -s). - Push to your fork / to the repo:
git push -u origin feature/my-cool-thing. - Open a pull request against
main. GitHub Actions will run:
- lint → test → type-check → coverage → packaging checks.
- Address review comments; squash-merge once approved.
Tip: Use
git rebase -i mainto keep history clean before opening the PR.
We follow Conventional Commits:
feature(signer): add --push flag for sign-blob
bugfix(verifier): handle missing Rekor bundle gracefully
docs: update README diagramsBy submitting a PR you certify you have the right to submit the work under the project’s MIT license. Sign your commits:
git commit -s -m "bugfix: correct typo"The -s flag adds the required Signed-off-by line.
- ruff for linting (
black,isort,flake8rules) - Docstrings follow Google style.
Run all checks:
- black for formatting (PEP 8 compliant).
poetry run black --verbose pycosign- isort your imports, so you don't have to.
poetry run isort --verbose pycosign- pytest with pytest-asyncio for async routines.
- 90%+ coverage target.
pytest -qCI will fail if coverage drops below the threshold.
Before requesting a review, make sure you can check every box below:
- Issue linked (e.g., “Closes #123”) or marked N/A for trivial docs fixes.
- Unit / integration tests added or updated;
poetry run pytestpasses locally. - Docs updated (
README,docs/, or inline docstrings) if behavior changed. - Changelog entry added under
## [Unreleased]inCHANGELOG.md. -
pre-commit run --all-filespasses (ruff, black, mypy, etc.). - All commits are signed (
git commit -s) to satisfy the DCO. - PR title follows Conventional Commits (e.g.,
feat(verifier): add policy flag). - CI status is green (GitHub Actions).
🔒 PRs without a Signed-off-by line will be blocked by the DCO GitHub check.
- Merge all features into
main. - Bump version with
bumpver update --push-tag. - GitHub Action builds sdist & wheels and uploads to PyPI.
- Draft release notes in
CHANGELOG.md.
Happy hacking! 💙