From ea4fb7a7bcc5cd45d672a0f8d91e5e9978092e4c Mon Sep 17 00:00:00 2001 From: David Vo Date: Sun, 27 Apr 2025 22:19:40 +1000 Subject: [PATCH 1/3] bump: Read payload in env - DRY - Harden against any possible attacks
---
 .github/workflows/bump.yml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml
index 2334404..1e523ff 100644
--- a/.github/workflows/bump.yml
+++ b/.github/workflows/bump.yml
@@ -7,10 +7,14 @@ jobs: bump: if: github.event_name == 'repository_dispatch' && github.event.action == 'tag' runs-on: ubuntu-latest + env: + PACKAGE_NAME: ${{ github.event.client_payload.package_name }} + PACKAGE_VERSION: ${{ github.event.client_payload.package_version }} + steps: - name: Information run: | - echo "Version update for ${{ github.event.client_payload.package_name }} -> ${{ github.event.client_payload.package_version }} requested" + echo "Version update for $PACKAGE_NAME -> $PACKAGE_VERSION requested" - uses: actions/checkout@v4 with: token: ${{ secrets.REPO_ACCESS_TOKEN }}
@@ -27,7 +31,7 @@ jobs: - name: Bump requirements shell: bash run: | - python .github/workflows/bump.py ${{ github.event.client_payload.package_name }} ${{ github.event.client_payload.package_version }} "$(git describe --tags)" + python .github/workflows/bump.py "$PACKAGE_NAME" "$PACKAGE_VERSION" "$(git describe --tags)" - name: Commit and push shell: bash
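Review bot: Hoisting the client_payload fields into `env:` keeps them out of expression expansion, but `$PACKAGE_NAME` and `$PACKAGE_VERSION` remain dispatcher-controlled strings that later reach `bump.py`, `tag.py`, `git commit -m` and `git tag`, and nothing in the job checks their shape. A guard step right after Information would close that, e.g. `[[ "$PACKAGE_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ && "$PACKAGE_VERSION" =~ ^[A-Za-z0-9][A-Za-z0-9._+-]*$ ]] || { echo "::error::rejected package_name/package_version"; exit 1; }`; requiring an alphanumeric first character also rules out a leading `-` being read as an option by the Python scripts, whose argument parsing is not visible here. The job has no `permissions:` block either; since checkout and push go through `secrets.REPO_ACCESS_TOKEN`, `permissions: contents: read` on the job would keep the default `GITHUB_TOKEN` at least privilege.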
@@ -35,12 +39,12 @@ jobs: git config --local user.email "action@github.com" git config --local user.name "Github Action" git add pyproject.toml - git commit -m "Bump '${{ github.event.client_payload.package_name }}' dependency to '${{ github.event.client_payload.package_version }}'" + git commit -m "Bump '$PACKAGE_NAME' dependency to '$PACKAGE_VERSION'" git push - name: Tag and push shell: bash run: | - TAG=$(python .github/workflows/tag.py ${{ github.event.client_payload.package_name }} ${{ github.event.client_payload.package_version }} "$(git describe --tags --no-abbrev)") - git tag ${TAG} - git push origin ${TAG} + TAG=$(python .github/workflows/tag.py "$PACKAGE_NAME" "$PACKAGE_VERSION" "$(git describe --tags --no-abbrev)") + git tag "${TAG}" + git push origin "${TAG}" From 0f712e953b9df6880710bfe346ce05b6114bc842 Mon Sep 17 00:00:00 2001 From: David Vo Date: Sun, 27 Apr 2025 22:23:55 +1000 Subject: [PATCH 2/3] bump: Use workflow_dispatch
---
 .github/workflows/bump.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml
index 1e523ff..46f4f3a 100644
--- a/.github/workflows/bump.yml
+++ b/.github/workflows/bump.yml
@@ -1,15 +1,22 @@ --- name: bump -on: [repository_dispatch] +on: + workflow_dispatch: + inputs: + package_name: + description: 'Package to bump' + required: true + package_version: + description: 'Package version' + required: true jobs: bump: - if: github.event_name == 'repository_dispatch' && github.event.action == 'tag' runs-on: ubuntu-latest env: - PACKAGE_NAME: ${{ github.event.client_payload.package_name }} - PACKAGE_VERSION: ${{ github.event.client_payload.package_version }} + PACKAGE_NAME: ${{ github.event.inputs.package_name }} + PACKAGE_VERSION: ${{ github.event.inputs.package_version }} steps: - name: Information From b4de3f5e3054101013cdacc991fe0e411307d6a7 Mon Sep 17 00:00:00 2001
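Review bot: `git push origin "${TAG}"` pushes whatever `tag.py` printed as a bare refspec, so a value of the shape `src:dst`, or one that also names a branch, would update something other than a tag, and a value starting with `-` would be read by `git tag` as an option; the added quoting fixes word-splitting, not these. Check the value before using it and push the fully qualified ref: `[[ "$TAG" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || { echo "::error::bad tag '$TAG'"; exit 1; }`, `git tag "${TAG}"`, `git push origin "refs/tags/${TAG}"`. The Commit and push step's `run:` block begins before this hunk.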
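Review bot: Nothing serializes runs of this workflow, so two dispatches arriving close together (two upstream packages tagged within minutes, which the external trigger added in this series could make more common) run the job in parallel, both check out the same commit, and the later `git push` is rejected as non-fast-forward, failing that bump. A top-level `concurrency:` block after `on:` avoids the race: `concurrency:` / `  group: bump` / `  cancel-in-progress: false`. As a style point, `workflow_dispatch` inputs are also exposed through the `inputs` context, so `${{ inputs.package_name }}` reads more directly than `github.event.inputs.package_name` with the same behaviour. The steps list continues beyond the end of this hunk.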
From: David Vo Date: Sun, 27 Apr 2025 22:24:12 +1000 Subject: [PATCH 3/3] Add octo-sts policy for mostrobotpy https://github.com/octo-sts/app
---
 .github/chainguard/bump-package.sts.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/chainguard/bump-package.sts.yaml
diff --git a/.github/chainguard/bump-package.sts.yaml b/.github/chainguard/bump-package.sts.yaml
new file mode 100644
index 0000000..39094be
--- /dev/null
+++ b/.github/chainguard/bump-package.sts.yaml
@@ -0,0 +1,7 @@
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: 'repo:robotpy/mostrobotpy:ref:refs/tags/[1-9]+.*'
+claim_pattern:
+ workflow_ref: 'robotpy/mostrobotpy/\.github/workflows/dist.yml@.*'
+
+permissions:
+ workflows: write
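Review bot: `permissions: workflows: write` grants the minted token the GitHub App "Workflows" permission (editing files under `.github/workflows`), which is broader than triggering this repo's `bump` workflow and, as far as I can tell, is not what the workflow_dispatch REST endpoint checks — that endpoint requires the "Actions" permission, i.e. `actions: write`; confirm against how dist.yml (not in this patch) calls it before changing it. The `subject_pattern` is also looser than it reads: the `.` in `[1-9]+.*` is an unescaped wildcard, so any tag beginning with a non-zero digit qualifies, while tags starting with `0` are excluded (possibly intended); if releases are dotted versions, `refs/tags/[0-9]+\.[0-9]+\.[0-9]+.*` states the intent, assuming octo-sts anchors the pattern as its docs describe. A header comment would help the next maintainer, e.g. `# octo-sts policy: lets mostrobotpy's dist.yml, running on a release tag, mint a token able to dispatch the bump workflow in this repo.`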