Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 17 additions & 4 deletions .github/workflows/_ketryx_report_and_check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ jobs:
name: audit-results
path: audit-results

- name: Report build to Ketryx and check for approval
- name: Report test results to Ketryx
if: |
!contains(inputs.commit_message, 'skip:ketryx') &&
!contains(github.event.pull_request.labels.*.name, 'skip:ketryx')
Expand All @@ -65,8 +65,23 @@ jobs:
api-key: ${{ secrets.KETRYX_API_KEY }}
commit-sha: ${{ inputs.version == '' && inputs.commit-sha || '' }}
version: ${{ inputs.version }}
build-name: "ci-cd"
build-name: "ci-cd-tests"
test-junit-path: test-results/junit_*.xml
artifact-path: |
test-results/coverage.xml
test-results/coverage.md

- name: Report audit results to Ketryx
if: |
!contains(inputs.commit_message, 'skip:ketryx') &&
!contains(github.event.pull_request.labels.*.name, 'skip:ketryx')
uses: Ketryx/ketryx-github-action@40b13ef68c772e96e58ec01a81f5b216d7710186 # v1.4.0
with:
project: ${{ secrets.KETRYX_PROJECT }}
api-key: ${{ secrets.KETRYX_API_KEY }}
commit-sha: ${{ inputs.version == '' && inputs.commit-sha || '' }}
version: ${{ inputs.version }}
build-name: "ci-cd-audit"
cyclonedx-json-path: |
audit-results/sbom.json
artifact-path: |
Expand All @@ -75,5 +90,3 @@ jobs:
audit-results/licenses.json
audit-results/licenses_grouped.json
audit-results/vulnerabilities.json
test-results/coverage.xml
test-results/coverage.md
2 changes: 1 addition & 1 deletion noxfile.py
Original file line number Diff line number Diff line change
Expand Up @@ -225,7 +225,7 @@ def audit(session: nox.Session) -> None:
_format_json_with_jq(session, "reports/licenses_grouped.json")

# SBOMs
session.run("cyclonedx-py", "environment", "-o", SBOM_CYCLONEDX_PATH)
session.run("cyclonedx-py", "environment", "--pyproject", "pyproject.toml", "-o", SBOM_CYCLONEDX_PATH)
_format_json_with_jq(session, SBOM_CYCLONEDX_PATH)

# Generates an SPDX SBOM including vulnerability scanning
Expand Down
3 changes: 3 additions & 0 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@ dependencies = [
"httpx>=0.28.1,<1",
"idc-index-data==24.0.3",
"ijson>=3.4.0.post0,<4",
"joserfc>=1.6.7",
"jsf>=0.11.2,<1",
"jsonschema[format-nongpl]>=4.25.1,<5",
"loguru>=0.7.3,<1",
Expand All @@ -114,6 +115,8 @@ dependencies = [
"pyarrow>=23.0.1,<24; python_version >= '3.14'",
"pyjwt[crypto]>=2.13.0,<3", # CVE-2026-32597 requires >=2.12.0 (Renovate #475)
"python-dateutil>=2.9.0.post0,<3",
"python-engineio>=4.13.3",
"python-socketio>=5.16.3",
# "pywebview[qt6]>=5.4,<6; sys_platform == 'linux'",
"requests>=2.33.0,<3", # CVE-2026-25645 requires >= 2.33.0
"requests-oauthlib>=2.0.0,<3",
Expand Down
3 changes: 2 additions & 1 deletion src/aignostics/platform/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
from aignx.codegen.models import UserReadResponse as User
from aignx.codegen.models import VersionReadResponse as ApplicationVersion

from ._cli import cli_sdk, cli_user
from ._cli import cli_auth, cli_sdk, cli_user
from ._client import Client
from ._constants import (
API_ROOT_DEV,
Expand Down Expand Up @@ -184,6 +184,7 @@
"User",
"UserInfo",
"calculate_file_crc32c",
"cli_auth",
"cli_sdk",
"cli_user",
"download_file",
Expand Down
48 changes: 47 additions & 1 deletion src/aignostics/platform/_cli.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,10 @@

from aignostics.utils import console

from ._authentication import get_token
from ._sdk_metadata import get_item_sdk_metadata_json_schema, get_run_sdk_metadata_json_schema
from ._service import Service
from ._settings import settings

cli_user = typer.Typer(name="user", help="User operations such as login, logout and whoami.")

Expand Down Expand Up @@ -85,7 +87,6 @@ def whoami(
logger.exception(message)
console.print(message, style="error")
sys.exit(1)
sys.exit(1)


cli_sdk = typer.Typer(name="sdk", help="Platform operations such as dumping the SDK metadata schema.")
Expand Down Expand Up @@ -135,3 +136,48 @@ def item_sdk_metadata_schema(
logger.exception(message)
console.print(message, style="error")
sys.exit(1)


cli_auth = typer.Typer(name="auth", help="Authentication token operations for external integrations.")


@cli_user.command("token")
def auth_token() -> None:
"""Print an Aignostics access token for use as a gcloud external credential helper.

Outputs a JSON document to stdout in the format expected by gcloud's pluggable
authentication executable credential source (Workload Identity Federation).

Configure as an executable credential source by adding the following to your ADC
credentials JSON file, then run ``gcloud auth application-default login`` to activate
it. The GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment variable must be set
to 1 for gcloud to call this helper.

On success writes: {"version": 1, "success": true, "token_type": "...", "id_token": "...", "expiration_time": ...}

On failure writes: {"version": 1, "success": false, "code": "1", "message": "..."}
"""
try:
token = get_token(use_cache=True)
stored = settings().token_file.read_text(encoding="utf-8")
expiry = int(stored.rsplit(":", 1)[-1])
print(
json.dumps({
"version": 1,
"success": True,
"token_type": "urn:ietf:params:oauth:token-type:id_token",
"id_token": token,
"expiration_time": expiry,
})
)
except Exception as e:
logger.debug("Failed to obtain Aignostics token for WIF credential helper: {}", e)
print(
json.dumps({
"version": 1,
"success": False,
"code": "1",
"message": str(e),
})
)
sys.exit(1)
Loading
Loading