Add TEA consumer client with discovery, models, and checksum verification #2
- Introduced a new `exceptions.py` file defining a hierarchy of exceptions for the TEA client, including specific error types for connection, authentication, and validation issues.
- Created a new `models.py` file containing Pydantic data models for TEA API objects, including enums for identifiers, checksums, and artifact types.
- Added unit tests for the new exception classes and Pydantic models to ensure proper functionality and validation. Updated dependencies in `pyproject.toml` to include `httpx` and `pydantic`, and added `respx` for testing HTTP requests. Updated `uv.lock` to reflect new package versions.

- Introduced `TeaHttpClient` for handling TEA API requests with error handling for connection, authentication, and server issues.
- Added `discovery.py` for TEI parsing, fetching `.well-known/tea` documents, and selecting compatible endpoints.
- Expanded Pydantic models in `models.py` to include new data structures for TEA API objects.
- Implemented unit tests for HTTP client and discovery functions to ensure reliability and correctness.

- Introduced `TeaClient` as the main entry point for interacting with the TEA API, providing methods for product and component retrieval, as well as artifact downloads.
- Implemented `download_artifact` method in `TeaClient` to support downloading files with optional checksum verification.
- Enhanced `TeaHttpClient` with `download_with_hashes` method to compute checksums during file downloads.
- Added unit tests for `TeaClient` and download functionality, ensuring correct behavior for various scenarios including checksum validation and error handling.
- Updated test fixtures to accommodate the new client structure.

Pull request overview
This pull request implements a synchronous Python client library for the Transparency Exchange API (TEA) v0.3.0-beta.2 consumer specification. The implementation includes comprehensive data models with Pydantic v2, HTTP client functionality with httpx, TEI parsing and .well-known/tea discovery, and artifact download capabilities with streaming checksum verification.
Changes:
- Added httpx and pydantic as runtime dependencies; removed twine and related dependencies from dev requirements
- Implemented complete TEA data models with camelCase serialization support and checksum algorithm normalization for server compatibility
- Created HTTP client with typed exception hierarchy, Bearer token authentication, and security-conscious artifact downloads using separate unauthenticated clients
Reviewed changes
Copilot reviewed 15 out of 16 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| uv.lock | Updated dependency lock file to include httpx, pydantic, anyio, h11, httpcore, respx; removed twine and related dependencies |
| pyproject.toml | Added httpx and pydantic as runtime dependencies; added respx as dev dependency for HTTP mocking; removed twine |
| libtea/__init__.py | Exported TeaClient as primary public API |
| libtea/models.py | Implemented Pydantic v2 models for TEA domain objects with camelCase aliases and checksum algorithm normalization |
| libtea/exceptions.py | Created typed exception hierarchy for different error scenarios |
| libtea/_http.py | Implemented HTTP client with status code mapping, streaming downloads, and checksum computation |
| libtea/discovery.py | Added TEI parsing, .well-known/tea fetching, and endpoint selection logic |
| libtea/client.py | Implemented main TeaClient with methods for all TEA API endpoints and artifact download |
| tests/*.py | Added comprehensive test coverage including unit tests for models, HTTP client, discovery, and end-to-end client functionality |
…e Dependabot
- Created a CI workflow to run tests across multiple Python versions using `uv`.
- Added a CodeQL analysis workflow scheduled for weekly runs to enhance security.
- Configured Dependabot for automatic updates of GitHub Actions and `uv` dependencies on a weekly basis.

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

…ion, update README
- Clean up partial files on download failure (transport error or any exception)
- Replace hashlib._Hash private type with Any
- Raise explicit error when checksum algorithm has no computed digest
- Update README with usage examples and error handling docs
- Add Python 3.10 to CI matrix

Pull request overview
Copilot reviewed 19 out of 20 changed files in this pull request and generated 4 comments.
…robustness
- User-agent now follows sbomify pattern: py-libtea/{version} (hello@sbomify.com)
- Wrap response.json() in try/except to raise TeaValidationError on non-JSON 2xx
- Create parent directories before writing download dest
- Drop Python 3.10 from CI matrix (requires-python >= 3.11)
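
The download behaviour these commits describe (hash while streaming, create parent directories, delete the partial file on any failure, and fail explicitly when the requested algorithm has no computed digest) can be sketched as follows. This is an added example, not libtea's code: `download_verified`, `ChecksumError` and the in-memory chunk source standing in for an HTTP response body are assumptions, and the sample bytes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path
class ChecksumError(Exception): pass  # hypothetical name, not libtea's own class

def download_verified(chunks, dest, alg, want, algorithms=("sha256",)):
    """Stream chunks to dest while hashing; remove dest on any failure."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    dest.parent.mkdir(parents=True, exist_ok=True)  # parent dirs before writing
    try:
        with dest.open("wb") as fh:
            for chunk in chunks:  # single pass: write and hash together
                fh.write(chunk)
                for h in hashers.values():
                    h.update(chunk)
        if alg not in hashers:  # "not computed" must never pass as "verified"
            raise ChecksumError(f"no digest computed for {alg}")
        got = hashers[alg].hexdigest()
        if got != want.lower():
            raise ChecksumError(f"{alg} mismatch: expected {want}, got {got}")
    except BaseException:
        dest.unlink(missing_ok=True)  # leave no partial or unverified file
        raise
    return got

def demo():
    """Constructed cases; returns {case: (outcome, file_exists_afterwards)}."""
    body = [b"constructed ", b"artifact bytes"]
    good = hashlib.sha256(b"".join(body)).hexdigest()
    def truncated():  # simulates a transport error mid-stream
        yield body[0]
        raise ConnectionError("constructed transport failure")
    cases = {
        "ok": (body, "sha256", good),
        "tampered": ([b"other bytes"], "sha256", good),
        "transport": (truncated(), "sha256", good),
        "no_digest": (body, "sha512", "00"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (chunks, alg, want) in cases.items():
            dest = Path(tmp) / "nested" / name / "artifact.bin"
            try:
                download_verified(chunks, dest, alg, want)
                outcome = "verified"
            except Exception as exc:
                outcome = type(exc).__name__
            results[name] = (outcome, dest.exists())
    return results
```

Only the verified case leaves a file on disk; the tampered body, the mid-stream transport error and the uncomputed algorithm all end with the destination removed.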
aac763e to 4a27168
- Updated `_get_user_agent` function to `_get_package_version`, which now retrieves the package version using `importlib.metadata` or falls back to reading `pyproject.toml`.
- Adjusted `USER_AGENT` to use the new version retrieval method.
- Ensured consistent user-agent usage in `TeaHttpClient` methods.

Pull request overview
Copilot reviewed 19 out of 20 changed files in this pull request and generated 5 comments.
…, README fixes
- Enable follow_redirects=True on both API and download httpx clients
- Wrap JSON/validation errors in fetch_well_known as TeaDiscoveryError
- Match sbomify-action user-agent pattern with pyproject.toml fallback
- Fix README code snippets to be self-contained (remove stale indentation)

- Replaced httpx with requests in the TeaHttpClient for improved error handling and session management.
- Updated dependencies in pyproject.toml to use requests instead of httpx, and modified related README documentation.
- Adjusted unit tests to utilize responses for mocking HTTP requests instead of respx.
- Cleaned up unused imports and ensured consistent error handling across the codebase.

- Introduced a new test file `test_integration.py` containing integration tests for the TEA API client.
- Implemented a full consumer flow test that verifies the retrieval of product, component releases, collections, and artifacts using example data from the TEA OpenAPI spec.
- Utilized the `responses` library to mock HTTP requests and validate the expected behavior of the `TeaClient` methods.

- Updated README to include CI badges, improved usage examples, and clarified TEA API functionality.
- Added `search_products` and `search_product_releases` methods to `TeaClient` for searching by identifier with pagination support.
- Enhanced TEI parsing in `discovery.py` to validate TEI types and domain formats, improving error handling.
- Updated `ComponentReleaseWithCollection` model to allow `latest_collection` to be `None`.
- Added comprehensive tests for new search functionalities and TEI validation to ensure robustness.

- Expanded README to include detailed features, usage examples, and a new section on unsupported features.
- Modified `fetch_well_known` in `discovery.py` to include a user-agent header for requests.
- Added UDI (Unique Device Identifier) to `IdentifierType` in `models.py`.
- Implemented tests to verify user-agent functionality and UDI identifier handling in products.

- Updated CI workflows to use specific versions for actions, ensuring stability.
- Added `--cov-branch` option to pytest for improved coverage reporting.
- Enhanced error handling in the HTTP client to log connection issues and timeouts.
- Introduced new validation for URL path segments in the API client to prevent injection attacks.
- Updated models to enforce constraints on endpoint versions and priorities.
- Added comprehensive tests for new validation logic and error handling improvements.

Pull request overview
Copilot reviewed 21 out of 22 changed files in this pull request and generated 1 comment.
- Expanded docstrings in `TeaHttpClient`, `TeaClient`, and models to include detailed argument descriptions, return types, and potential exceptions.
- Improved validation in the `_validate_download_url` function to ensure proper URL formats.
- Updated `parse_tei` and `fetch_well_known` functions in `discovery.py` to clarify their arguments and return values.
- Added comprehensive docstrings for various models to enhance clarity on their purpose and usage.

- Introduced `TeiType` enumeration in `models.py` to define valid TEI URN scheme types.
- Updated references in `discovery.py`, `client.py`, and tests to use the new `TeiType` enumeration for improved clarity and maintainability.
- Refactored checksum handling in `Checksum` model to replace `alg_type` and `alg_value` with `algorithm_type` and `algorithm_value`, ensuring consistency across the codebase.
- Enhanced tests to validate the new checksum structure and TEI type usage.

Pull request overview
Copilot reviewed 21 out of 22 changed files in this pull request and generated 3 comments.
…ient
- Updated `requests` and `pydantic` dependencies to their latest versions in `pyproject.toml` and `uv.lock`.
- Enhanced README to clarify artifact download features, including checksum verification methods and bearer token isolation.
- Improved validation in the API client to reject non-list responses in `_validate_list`, ensuring robust error handling.
- Added tests to validate the new list validation logic, enhancing overall test coverage.

Pull request overview
Copilot reviewed 21 out of 22 changed files in this pull request and generated no new comments.