Harden releases with source-only artifacts, verification, and CI publishing

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Global ownership for everything
+* @miketlk @odudex

.github/codeql/codeql-config.yml

@@ -0,0 +1,4 @@
+name: CodeQL config
+
+paths-ignore:
+  - tests/**

.github/dependency-review-reviewed-purls.txt

@@ -0,0 +1,68 @@
+# Reviewed dependency baseline for .github/workflows/dependency-review.yml.
+# Entries are package URL bases without versions. Additions to dependency
+# manifests must be reviewed here before the workflow gate will pass.
+pkg:githubactions/actions/attest-build-provenance
+pkg:githubactions/actions/checkout
+pkg:githubactions/actions/dependency-review-action
+pkg:githubactions/actions/download-artifact
+pkg:githubactions/actions/setup-python
+pkg:githubactions/actions/upload-artifact
+pkg:githubactions/github/codeql-action/analyze
+pkg:githubactions/github/codeql-action/init
+pkg:githubactions/pypa/gh-action-pypi-publish
+pkg:githubactions/rhysd/actionlint
+pkg:pypi/babel
+pkg:pypi/backrefs
+pkg:pypi/black
+pkg:pypi/certifi
+pkg:pypi/cfgv
+pkg:pypi/charset-normalizer
+pkg:pypi/click
+pkg:pypi/colorama
+pkg:pypi/coverage
+pkg:pypi/distlib
+pkg:pypi/exceptiongroup
+pkg:pypi/filelock
+pkg:pypi/ghp-import
+pkg:pypi/griffelib
+pkg:pypi/identify
+pkg:pypi/idna
+pkg:pypi/iniconfig
+pkg:pypi/jinja2
+pkg:pypi/librt
+pkg:pypi/markdown
+pkg:pypi/markupsafe
+pkg:pypi/mergedeep
+pkg:pypi/mkdocs
+pkg:pypi/mkdocs-autorefs
+pkg:pypi/mkdocs-get-deps
+pkg:pypi/mkdocs-material
+pkg:pypi/mkdocs-material-extensions
+pkg:pypi/mkdocstrings
+pkg:pypi/mkdocstrings-python
+pkg:pypi/mypy
+pkg:pypi/mypy-extensions
+pkg:pypi/nodeenv
+pkg:pypi/packaging
+pkg:pypi/paginate
+pkg:pypi/pathspec
+pkg:pypi/platformdirs
+pkg:pypi/pluggy
+pkg:pypi/pre-commit
+pkg:pypi/pygments
+pkg:pypi/pymdown-extensions
+pkg:pypi/pytest
+pkg:pypi/pytest-cov
+pkg:pypi/python-dateutil
+pkg:pypi/python-discovery
+pkg:pypi/pytokens
+pkg:pypi/pyyaml
+pkg:pypi/pyyaml-env-tag
+pkg:pypi/requests
+pkg:pypi/ruff
+pkg:pypi/six
+pkg:pypi/tomli
+pkg:pypi/typing-extensions
+pkg:pypi/urllib3
+pkg:pypi/virtualenv
+pkg:pypi/watchdog

.github/scripts/require-reviewed-dependencies.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+changes=${DEPENDENCY_CHANGES:-[]}
+reviewed=${REVIEWED_DEPENDENCY_PURLS:-}
+reviewed_file=""
+
+if [ -n "${REVIEWED_DEPENDENCY_PURLS_FILE:-}" ]; then
+  reviewed_file=$(cat "$REVIEWED_DEPENDENCY_PURLS_FILE")
+fi
+
+pending=$(
+  jq -r --arg reviewed "$reviewed" --arg reviewed_file "$reviewed_file" '
+    (($reviewed + "\n" + $reviewed_file)
+      | split("\n")
+      | [.[] | split(",")[] | split("#")[0] | gsub("^\\s+|\\s+$"; "") | select(length > 0)]
+    ) as $allowlist
+    | [
+        .[]
+        | select(.change_type == "added")
+        | select((.package_url | split("@")[0]) as $purl | ($allowlist | index($purl) | not))
+        | "\(.manifest): \(.package_url)"
+      ]
+    | .[]
+  ' <<< "$changes"
+)
+
+if [ -n "$pending" ]; then
+  {
+    echo "New dependencies require maintainer review."
+    echo "Add reviewed package URLs without versions to REVIEWED_DEPENDENCY_PURLS or REVIEWED_DEPENDENCY_PURLS_FILE."
+    echo "$pending"
+  } >&2
+  exit 1
+fi

.github/workflows/ci.yml

@@ -0,0 +1,102 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  actionlint:
+    name: Workflow lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+      - uses: rhysd/actionlint@914e7df21a07ef503a81201c76d2b11c789d3fca
+
+  action-pin-policy:
+    name: GitHub Actions pin policy
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Verify third-party Action pins
+        run: python tools/verify_github_actions_pins.py --self-test
+
+  tests:
+    name: Tests (Python ${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+          cache-dependency-path: constraints-dev.txt
+
+      - name: Install pinned CI dependencies
+        run: python -m pip install --require-hashes -r constraints-dev.txt
+
+      - name: Install package
+        run: python -m pip install --no-deps -e .
+
+      # TODO: Re-enable Ruff once the repository has a committed lint baseline or
+      # focused cleanup for existing violations. Ruff remains configured and
+      # installed so local cleanup can continue without blocking CI.
+
+      - name: Tests
+        run: pytest
+
+  package:
+    name: Build and verify artifacts
+    runs-on: ubuntu-latest
+    needs:
+      - actionlint
+      - action-pin-policy
+      - tests
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.10"
+          cache: pip
+          cache-dependency-path: constraints-dev.txt
+
+      - name: Install pinned CI dependencies
+        run: python -m pip install --require-hashes -r constraints-dev.txt
+
+      - name: Build artifacts
+        run: python -m build --sdist --wheel --no-isolation
+
+      - name: Verify built artifacts
+        run: python tools/verify_package_artifacts.py --inspection-log "$RUNNER_TEMP/ci-package-inspection.md"
+
+      - name: Smoke install from local artifacts
+        run: |
+          python -m venv "$RUNNER_TEMP/venv-smoke"
+          . "$RUNNER_TEMP/venv-smoke/bin/activate"
+          python -m pip install --no-index --find-links dist embit
+          python -c "import embit; print(embit.__file__)"
+
+      - name: Upload inspection log
+        uses: actions/upload-artifact@v7
+        with:
+          name: ci-package-inspection
+          path: ${{ runner.temp }}/ci-package-inspection.md

.github/workflows/codeql.yml

@@ -0,0 +1,49 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  schedule:
+    - cron: "23 4 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - python
+          - actions
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - uses: github/codeql-action/analyze@v4
+        with:
+          category: /language:${{ matrix.language }}
+          upload: always
+          post-processed-sarif-path: ${{ runner.temp }}/sarif-results
+
+      - name: Upload SARIF artifact
+        if: always()
+        uses: actions/upload-artifact@v7
+        with:
+          name: codeql-sarif-${{ matrix.language }}
+          path: ${{ runner.temp }}/sarif-results
+          if-no-files-found: warn

.github/workflows/dependency-review.yml

@@ -0,0 +1,67 @@
+name: Dependency Review
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+jobs:
+  dependency-review:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - id: review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: low
+          fail-on-scopes: runtime, development, unknown
+          license-check: true
+          vulnerability-check: true
+
+      - name: Require review for new dependencies
+        env:
+          DEPENDENCY_CHANGES: ${{ steps.review.outputs.dependency-changes }}
+          REVIEWED_DEPENDENCY_PURLS_FILE: .github/dependency-review-reviewed-purls.txt
+        run: .github/scripts/require-reviewed-dependencies.sh
+
+  review-gate-fixtures:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Passes reviewed added dependency
+        env:
+          DEPENDENCY_CHANGES: >-
+            [{"change_type":"added","manifest":"poetry.lock","package_url":"pkg:pypi/example-package@1.2.3"}]
+          REVIEWED_DEPENDENCY_PURLS: " pkg:pypi/example-package "
+        run: .github/scripts/require-reviewed-dependencies.sh
+
+      - name: Ignores non-added dependency changes
+        env:
+          DEPENDENCY_CHANGES: >-
+            [{"change_type":"modified","manifest":"poetry.lock","package_url":"pkg:pypi/unreviewed-package@1.2.3"},{"change_type":"removed","manifest":"poetry.lock","package_url":"pkg:pypi/removed-package@1.2.3"}]
+          REVIEWED_DEPENDENCY_PURLS: ""
+        run: .github/scripts/require-reviewed-dependencies.sh
+
+      - name: Fails unreviewed added dependency
+        env:
+          DEPENDENCY_CHANGES: >-
+            [{"change_type":"added","manifest":"poetry.lock","package_url":"pkg:pypi/example-package@1.2.3"}]
+          REVIEWED_DEPENDENCY_PURLS: ""
+        run: |
+          set +e
+          output=$(.github/scripts/require-reviewed-dependencies.sh 2>&1)
+          exit_code=$?
+          set -e
+          echo "$output"
+          test "$exit_code" -ne 0
+          grep -q "New dependencies require maintainer review" <<< "$output"
+          grep -q "poetry.lock: pkg:pypi/example-package@1.2.3" <<< "$output"

.github/workflows/package-content-verification.yml

@@ -0,0 +1,64 @@
+name: Package Content Verification
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - ".github/workflows/**"
+      - ".gitmodules"
+      - "pyproject.toml"
+      - "setup.py"
+      - "MANIFEST.in"
+      - "constraints-dev.txt"
+      - "src/embit/util/ctypes_secp256k1.py"
+      - "docs/package-content-policy.md"
+      - "tools/verify_package_artifacts.py"
+      - "secp256k1/**"
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+      - ".gitmodules"
+      - "pyproject.toml"
+      - "setup.py"
+      - "MANIFEST.in"
+      - "constraints-dev.txt"
+      - "src/embit/util/ctypes_secp256k1.py"
+      - "docs/package-content-policy.md"
+      - "tools/verify_package_artifacts.py"
+      - "secp256k1/**"
+
+permissions:
+  contents: read
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.10"
+          cache: pip
+          cache-dependency-path: constraints-dev.txt
+
+      - name: Verify vendored submodule URL
+        run: grep -nE '^[[:space:]]*url = https://github.com/ElementsProject/secp256k1-zkp\.git$' .gitmodules
+
+      - name: Install pinned CI dependencies
+        run: python -m pip install --require-hashes -r constraints-dev.txt
+
+      - name: Build artifacts
+        run: python -m build --sdist --wheel --no-isolation
+
+      - name: Verify artifacts and metadata
+        run: python tools/verify_package_artifacts.py --inspection-log "$RUNNER_TEMP/package-content-verification.md"
+
+      - name: Upload inspection log
+        uses: actions/upload-artifact@v7
+        with:
+          name: package-content-verification
+          path: ${{ runner.temp }}/package-content-verification.md