Skip to content

chore: housekeeping — py.typed, verify_webhook, dependabot#21

Merged
jackparnell merged 1 commit intomainfrom
feature/housekeeping
Apr 9, 2026
Merged

chore: housekeeping — py.typed, verify_webhook, dependabot#21
jackparnell merged 1 commit intomainfrom
feature/housekeeping

Conversation

@ColonistOne
Copy link
Copy Markdown
Collaborator

@ColonistOne ColonistOne commented Apr 9, 2026

Summary

Three small unrelated improvements bundled together.

1. PEP 561 py.typed marker

Empty file at src/colony_sdk/py.typed so type checkers (mypy, pyright) recognise colony_sdk as a typed package and pick up our type hints out of the box. Verified to ship in the built wheel via hatchling's automatic inclusion.

Without this marker, downstream consumers' type checkers silently ignore all of colony_sdk's type hints unless they pass --ignore-missing-imports.

2. verify_webhook(payload, signature, secret) helper

HMAC-SHA256 verification for incoming Colony webhook deliveries. Matches the canonical signing format used by The Colony's webhook server:

  • Hash: HMAC-SHA256
  • Signed data: raw request body (bytes)
  • Header: X-Colony-Signature
  • Encoding: lowercase hex digest, no prefix
from colony_sdk import verify_webhook

@app.post("/colony-webhook")
def handle():
    body = request.get_data()  # raw bytes
    signature = request.headers.get("X-Colony-Signature", "")
    if not verify_webhook(body, signature, secret=WEBHOOK_SECRET):
        return "invalid signature", 401
    process(json.loads(body))

Implementation notes:

  • Constant-time comparison via hmac.compare_digest (timing-attack resistant)
  • Accepts bytes (preferred) or str payloads
  • Tolerates a leading "sha256=" prefix for frameworks that normalise that way
  • Returns False for malformed/empty signatures rather than raising

3. Dependabot config

.github/dependabot.yml watches pip and github-actions weekly, grouped into single PRs to keep noise low (one PR per ecosystem per week instead of one PR per dependency).

Test plan

  • 10 new TestVerifyWebhook tests: bytes/str payloads, valid sig, invalid sig, wrong secret, tampered payload, sha256= prefix, malformed/empty signature, empty body, unicode body
  • Verified py.typed ships in the built wheel (python -m build && unzip -l dist/*.whl)
  • Coverage stays at 100% (470/470 statements)
  • ruff check / ruff format --check / mypy src/ all clean
  • CI green on Python 3.10 / 3.11 / 3.12 / 3.13

@ColonistOne @claude
chore: housekeeping — py.typed, verify_webhook helper, dependabot
bbcde29 
Three small unrelated improvements bundled together:

1. py.typed marker (PEP 561) — empty file at src/colony_sdk/py.typed
   so mypy/pyright recognise colony_sdk as a typed package and pick up
   our type hints without --ignore-missing-imports. Verified to ship in
   the wheel via hatchling's automatic inclusion.

2. verify_webhook(payload, signature, secret) — HMAC-SHA256 verification
   helper for incoming webhook deliveries. Matches the canonical
   X-Colony-Signature format (raw body, hex digest, no prefix). Uses
   hmac.compare_digest for constant-time comparison. Tolerates a leading
   "sha256=" prefix on the signature for frameworks that normalise that
   way. Accepts bytes or str payloads.

3. Dependabot config — .github/dependabot.yml watches pip and
   github-actions weekly, grouped into single PRs to keep noise low.

Tests: 10 new verify_webhook tests covering bytes/str payloads, valid
sig, invalid sig, wrong secret, tampered payload, sha256= prefix,
malformed/empty signature, empty body, unicode body. Coverage stays at
100% (470/470 statements).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jackparnell jackparnell merged commit 9ca2ae0 into main Apr 9, 2026
6 checks passed
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

ColonistOne added a commit that referenced this pull request Apr 9, 2026
@ColonistOne @claude
chore: release v1.5.0 + OIDC release automation
748d0da 
Two changes that ship together so v1.5.0 can be the first release cut
via the new automation:

1. Release workflow at .github/workflows/release.yml — triggered on
   `v*` tag push. Stages:
     - test:           runs ruff, mypy, pytest before anything else
     - build:          builds wheel + sdist, refuses to proceed if
                       the tag version doesn't match pyproject.toml
     - publish:        uploads to PyPI via OIDC trusted publishing
                       (no API token stored anywhere — short-lived
                       token minted by PyPI from the GitHub Actions
                       OIDC identity at publish time)
     - github-release: extracts the matching CHANGELOG section and
                       creates a GitHub Release with the wheel + sdist
                       attached

2. Version bump 1.4.0 → 1.5.0 in pyproject.toml and __init__.py.

3. CHANGELOG: consolidated the 1.5.0 section into a clean, ordered
   summary covering everything that's landed since 1.4.0:
     - AsyncColonyClient (PR #18)
     - Typed error hierarchy (PR #19)
     - RetryConfig + 5xx default retry (PR #20)
     - py.typed + verify_webhook + Dependabot (PR #21)
     - Pagination iterators (PR #23)
     - Coverage + Codecov (PR #17)
     - This release automation

Coverage at 100% (514/514 statements). 215 tests passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@ColonistOne ColonistOne mentioned this pull request Apr 9, 2026
Merged
6 tasks
ColonistOne added a commit that referenced this pull request Apr 9, 2026
@ColonistOne @claude
chore: release v1.5.0 + OIDC release automation (#24)
1296b83 
Two changes that ship together so v1.5.0 can be the first release cut
via the new automation:

1. Release workflow at .github/workflows/release.yml — triggered on
   `v*` tag push. Stages:
     - test:           runs ruff, mypy, pytest before anything else
     - build:          builds wheel + sdist, refuses to proceed if
                       the tag version doesn't match pyproject.toml
     - publish:        uploads to PyPI via OIDC trusted publishing
                       (no API token stored anywhere — short-lived
                       token minted by PyPI from the GitHub Actions
                       OIDC identity at publish time)
     - github-release: extracts the matching CHANGELOG section and
                       creates a GitHub Release with the wheel + sdist
                       attached

2. Version bump 1.4.0 → 1.5.0 in pyproject.toml and __init__.py.

3. CHANGELOG: consolidated the 1.5.0 section into a clean, ordered
   summary covering everything that's landed since 1.4.0:
     - AsyncColonyClient (PR #18)
     - Typed error hierarchy (PR #19)
     - RetryConfig + 5xx default retry (PR #20)
     - py.typed + verify_webhook + Dependabot (PR #21)
     - Pagination iterators (PR #23)
     - Coverage + Codecov (PR #17)
     - This release automation

Coverage at 100% (514/514 statements). 215 tests passing.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ColonistOne @jackparnell