(tooling-trusted-releases) 03/05: Move github model into general models out of SBOM models

Mon, 23 Feb 2026 08:33:02 -0800 

This is an automated email from the ASF dual-hosted git repository.

arm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git

commit ffd5e8fe6aa70f965410fd4f05f48b9deaf71596
Author: Alastair McFarlane <[email protected]>
AuthorDate: Fri Feb 20 09:41:18 2026 +0000

    Move github model into general models out of SBOM models
---
 atr/jwtoken.py                    | 39 ++-------------------------------------
 atr/models/__init__.py            | 16 ++++++++++++++--
 atr/{sbom => }/models/github.py   |  4 ++--
 atr/sbom/models/__init__.py       |  4 ++--
 atr/tasks/checks/__init__.py      |  2 +-
 atr/tasks/checks/compare.py       |  2 +-
 tests/unit/test_checks_compare.py | 12 ++++++------
 7 files changed, 28 insertions(+), 51 deletions(-)

diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index ec613903..634780fe 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -30,7 +30,7 @@ import quart
 import atr.config as config
 import atr.ldap as ldap
 import atr.log as log
-import atr.models.schema as schema
+import atr.models.github as github
 import atr.util as util
 
 _ALGORITHM: Final[str] = "HS256"
@@ -51,41 +51,6 @@ if TYPE_CHECKING:
     from collections.abc import Awaitable, Callable, Coroutine
 
 
-class GitHubOIDCPayload(schema.Subset):
-    # Not in atr.models because this is not used outside of this file
-
-    actor: str
-    actor_id: str
-    aud: str
-    base_ref: str
-    check_run_id: str
-    enterprise: str
-    enterprise_id: str
-    event_name: str
-    exp: int
-    head_ref: str
-    iat: int
-    iss: str
-    job_workflow_ref: str
-    job_workflow_sha: str
-    jti: str
-    nbf: int | None = None
-    ref: str
-    ref_protected: str
-    ref_type: str
-    repository: str
-    repository_owner: str
-    repository_visibility: str
-    run_attempt: str
-    run_number: str
-    runner_environment: str
-    sha: str
-    sub: str
-    workflow: str
-    workflow_ref: str
-    workflow_sha: str
-
-
 def issue(uid: str, *, ttl: int = _ATR_JWT_TTL) -> str:
     now = datetime.datetime.now(tz=datetime.UTC)
     payload = {
@@ -187,7 +152,7 @@ async def verify_github_oidc(token: str) -> dict[str, Any]:
                 f"GitHub OIDC payload mismatch: {key} = {payload[key]} != 
{value}",
                 errorcode=401,
             )
-    return GitHubOIDCPayload.model_validate(payload).model_dump()
+    return github.TrustedPublisherPayload.model_validate(payload).model_dump()
 
 
 def _extract_bearer_token(request: quart.Request) -> str:
diff --git a/atr/models/__init__.py b/atr/models/__init__.py
index 3d7d9fd5..0eea22ce 100644
--- a/atr/models/__init__.py
+++ b/atr/models/__init__.py
@@ -15,7 +15,19 @@
 # specific language governing permissions and limitations
 # under the License.
 
-from . import api, basic, distribution, helpers, results, schema, session, 
sql, tabulate, validation
+from . import api, basic, distribution, github, helpers, results, schema, 
session, sql, tabulate, validation
 
 # If we use .__name__, pyright gives a warning
-__all__ = ["api", "basic", "distribution", "helpers", "results", "schema", 
"session", "sql", "tabulate", "validation"]
+__all__ = [
+    "api",
+    "basic",
+    "distribution",
+    "github",
+    "helpers",
+    "results",
+    "schema",
+    "session",
+    "sql",
+    "tabulate",
+    "validation",
+]
diff --git a/atr/sbom/models/github.py b/atr/models/github.py
similarity index 95%
rename from atr/sbom/models/github.py
rename to atr/models/github.py
index 99a4b8db..d20ac73f 100644
--- a/atr/sbom/models/github.py
+++ b/atr/models/github.py
@@ -17,10 +17,10 @@
 
 from __future__ import annotations
 
-from .base import Lax
+from . import schema
 
 
-class TrustedPublisherPayload(Lax):
+class TrustedPublisherPayload(schema.Subset):
     actor: str
     actor_id: str
     aud: str
diff --git a/atr/sbom/models/__init__.py b/atr/sbom/models/__init__.py
index b0dae618..15cf734c 100644
--- a/atr/sbom/models/__init__.py
+++ b/atr/sbom/models/__init__.py
@@ -17,6 +17,6 @@
 
 from __future__ import annotations
 
-from . import base, bom, bundle, conformance, github, licenses, osv, patch, 
sbomqs, tool
+from . import base, bom, bundle, conformance, licenses, osv, patch, sbomqs, 
tool
 
-__all__ = ["base", "bom", "bundle", "conformance", "github", "licenses", 
"osv", "patch", "sbomqs", "tool"]
+__all__ = ["base", "bom", "bundle", "conformance", "licenses", "osv", "patch", 
"sbomqs", "tool"]
diff --git a/atr/tasks/checks/__init__.py b/atr/tasks/checks/__init__.py
index 5ece2282..ffc8251e 100644
--- a/atr/tasks/checks/__init__.py
+++ b/atr/tasks/checks/__init__.py
@@ -40,8 +40,8 @@ import atr.db as db
 import atr.file_paths as file_paths
 import atr.hashes as hashes
 import atr.log as log
+import atr.models.github as github_models
 import atr.models.sql as sql
-import atr.sbom.models.github as github_models
 import atr.util as util
 
 
diff --git a/atr/tasks/checks/compare.py b/atr/tasks/checks/compare.py
index 70f8daf1..914ebbf2 100644
--- a/atr/tasks/checks/compare.py
+++ b/atr/tasks/checks/compare.py
@@ -40,8 +40,8 @@ import atr.archives as archives
 import atr.attestable as attestable
 import atr.config as config
 import atr.log as log
+import atr.models.github as github_models
 import atr.models.results as results
-import atr.sbom.models.github as github_models
 import atr.tasks.checks as checks
 import atr.util as util
 
diff --git a/tests/unit/test_checks_compare.py 
b/tests/unit/test_checks_compare.py
index 5ec9b751..aff3a23a 100644
--- a/tests/unit/test_checks_compare.py
+++ b/tests/unit/test_checks_compare.py
@@ -26,8 +26,8 @@ import dulwich.objects
 import dulwich.refs
 import pytest
 
+import atr.models.github
 import atr.models.sql
-import atr.sbom.models.github
 import atr.tasks.checks
 import atr.tasks.checks.compare
 
@@ -39,7 +39,7 @@ class CheckoutRecorder:
 
     async def __call__(
         self,
-        payload: atr.sbom.models.github.TrustedPublisherPayload,
+        payload: atr.models.github.TrustedPublisherPayload,
         checkout_dir: pathlib.Path,
     ) -> str | None:
         self.checkout_dir = checkout_dir
@@ -194,12 +194,12 @@ class RunRecorder:
 
 
 class PayloadLoader:
-    def __init__(self, payload: atr.sbom.models.github.TrustedPublisherPayload 
| None) -> None:
+    def __init__(self, payload: atr.models.github.TrustedPublisherPayload | 
None) -> None:
         self.payload = payload
 
     async def __call__(
         self, project_name: str, version_name: str, revision_number: str
-    ) -> atr.sbom.models.github.TrustedPublisherPayload | None:
+    ) -> atr.models.github.TrustedPublisherPayload | None:
         return self.payload
 
 
@@ -935,7 +935,7 @@ def _make_payload(
     repository: str = "apache/test",
     ref: str = "refs/heads/main",
     sha: str = "0000000000000000000000000000000000000000",
-) -> atr.sbom.models.github.TrustedPublisherPayload:
+) -> atr.models.github.TrustedPublisherPayload:
     payload = {
         "actor": "actor",
         "actor_id": "1",
@@ -968,7 +968,7 @@ def _make_payload(
         "workflow_ref": "refs/heads/main",
         "workflow_sha": "ffffffffffffffffffffffffffffffffffffffff",
     }
-    return 
atr.sbom.models.github.TrustedPublisherPayload.model_validate(payload)
+    return atr.models.github.TrustedPublisherPayload.model_validate(payload)
 
 
 def _make_tree(root: pathlib.Path, files: Iterable[str]) -> None:


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to