Security

Supply chain security

repomatic implements most of the practices described in Astral’s Open Source Security at Astral post, baked into a drop-in setup that any maintainer can inherit by pointing their workflows at the reusable callers.

Astral practice	How repomatic covers it
Ban dangerous triggers (pull_request_target, workflow_run)	The lint-workflow-security job runs zizmor on every push: see .github/workflows/lint.yaml
Minimal workflow permissions	check_workflow_permissions parses every workflow file and warns when a custom-step workflow omits the top-level permissions key
Pinned actions	All uses: refs pinned to full commit SHAs (with the semver tag preserved as a trailing comment) via Renovate’s helpers:pinGitHubActionDigestsToSemver preset: see renovate.json5
No force-pushes to main	check_branch_ruleset_on_default verifies an active branch ruleset exists, and the setup guide walks users through creating one
Immutable release tags	check_immutable_releases verifies GitHub immutable releases is enabled, and the release workflow rewrites @main refs to @vX.Y.Z during freeze: see tagged workflow URLs
Dependency cooldowns	Renovate stabilization windows (minimumReleaseAge) and uv --exclude-newer, with a per-package escape hatch for CVE fixes: see renovate.json5 and Renovate cooldowns
Trusted Publishing	PyPI uploads via OIDC with no long-lived token. The publish-pypi job in each downstream caller workflow invokes the upstream publish-pypi composite action, which inherits the caller’s OIDC context. This sidesteps pypi/warehouse#11096, where reusable workflows mint an OIDC token whose job_workflow_ref does not match the downstream’s PyPI Trusted Publisher config. check_pypi_trusted_publisher reads PEP 740 provenance for the latest published file and warns when no bundle names this repo’s own release.yaml; the setup guide walks through the registration
Cryptographic attestations	Every binary and wheel is attested to the workflow run that built it via attest-build-provenance: see the Generate build attestations steps in .github/workflows/_release-engine.yaml
Checksums in installer scripts	The update-checksums CLI command regenerates SHA-256 checksums on every release, invoked from .github/workflows/renovate.yaml when upstream action versions change
Fork PR approval policy	check_fork_pr_approval_policy warns when the policy is weaker than first_time_contributors, and the setup guide ships a pre-filled gh api one-liner to fix it

Warning

Known gap: multi-person release approval. Astral gates releases behind a dedicated GitHub deployment environment with required reviewers, so that a single compromised account cannot publish. repomatic does not enforce this, but if the repository has multiple maintainers, I recommend adding an environment: release key to the caller-side publish-pypi job (and to the upstream create-release job, if the caller exposes it) in the downstream workflow and configuring required reviewers on that environment in repo settings.

Important

One-time PyPI Trusted Publisher setup. Each downstream repository must register a Trusted Publisher entry on PyPI for its own caller workflow. The publisher config matches against the OIDC job_workflow_ref claim, which names the downstream’s workflow file (typically .github/workflows/release.yaml). Without this registration, the first PyPI upload after migration fails cleanly with a publisher mismatch error. See the PyPI Trusted Publishers documentation for the registration steps.

Third-party action minimization

Every third-party GitHub Action executes with access to GITHUB_TOKEN and repository secrets. Each action is a trust delegation: you depend on the maintainer’s security practices, their CI pipeline, and their transitive dependencies. A compromised action can steal secrets, inject code into builds, or tamper with releases.

repomatic has systematically eliminated 18 third-party actions since late 2025, replacing them with internal CLI commands, SHA-256-verified binary downloads, and runner built-in tools:

Removed action	Replacement	Strategy
calibreapp/image-actions	repomatic format-images	Internal CLI
crazy-max/ghaction-virustotal	repomatic scan-virustotal	Internal CLI
AndreasAugustin/actions-template-sync	repomatic sync-awesome-template	Internal CLI
JasonEtco/is-sponsor-label-action	repomatic sponsor-label	Internal CLI
lycheeverse/lychee-action	repomatic run lychee	Direct binary + SHA-256
crate-ci/typos	repomatic run typos	Direct binary + SHA-256
biomejs/setup-biome	repomatic run biome	Direct binary + SHA-256
gitleaks/gitleaks-action	repomatic run gitleaks	Direct binary + SHA-256
julb/action-manage-label	repomatic run labelmaker	Direct binary + SHA-256
taiki-e/install-action	Direct curl + checksum	Direct binary + SHA-256
softprops/action-gh-release	gh release create	Runner built-in
actions/github-script	Bash + gh CLI	Runner built-in
actions-rust-lang/setup-rust-toolchain	Runner built-in Rust	Runner built-in
actions/setup-python	astral-sh/setup-uv	Consolidated
peaceiris/actions-gh-pages	actions/deploy-pages	First-party replacement
codecov/codecov-action	codecov-cli via uvx	Pinned CLI
codecov/test-results-action	codecov-cli via uvx	Pinned CLI
GitHubSecurityLab/actions-permissions	Explicit permissions: key	Removed entirely

The remaining third-party actions (5 of 14 total) are:

Action	Purpose
astral-sh/setup-uv	Core toolchain: installs uv
peter-evans/create-pull-request	Creates autofix PRs
dessant/lock-threads	Locks inactive issues
renovatebot/github-action	Dependency updates
crazy-max/ghaction-dump-context	Debug diagnostics (no secrets access)

Replacement strategies, ordered from most to least isolated:

1. Internal CLI: the operation runs inside repomatic Python code with no external process.

2. Direct binary download: checksummed binary fetched from a GitHub release URL, no action code path involved.

3. Runner built-in: uses tools pre-installed on the GitHub Actions runner (gh, Rust toolchain).

4. First-party replacement: swaps a community action for an official actions/* equivalent maintained by GitHub.

Ruff consolidation

Eight separate Python linters and formatters have been absorbed into ruff, eliminating eight runtime or dev dependencies:

Removed tool	What it did	Replaced
pylint	Static analysis and linting	Feb 2023
pydocstyle	Docstring convention enforcement	Feb 2023
pycln	Unused import removal	Feb 2023
pyupgrade	Python syntax modernization	Feb 2023
isort	Import sorting	Feb 2023
black	Code formatting	Sep 2023
docformatter	Docstring formatting	Jan 2024
blacken-docs	Python formatting in Markdown code blocks	Feb 2026

The mdformat-black plugin was also swapped for mdformat-ruff (Aug 2024): same dependency count, but aligns the Markdown pipeline with ruff’s formatting rules.

autopep8 is the only legacy formatter still in use: it handles long-line comment wrapping that ruff does not yet cover.

uv consolidation

Five separate packaging and install tools have been absorbed into uv, which now handles dependency management, builds, publishing, auditing, and Python version installation:

Removed tool	What it did	Replaced
poetry	Dependency management, lock files, virtual environments	Jun 2024
build / python -m build	Package building (wheels and sdists)	Sep 2024
twine	PyPI uploads	Jan 2025
check-wheel-contents	Wheel validation	Jan 2025
pip-audit	Vulnerability scanning	Mar 2026

uv also consolidated command-line usage that previously required separate tools: pip install became uv pip install / uv sync, pipx became uvx, and actions/setup-python was replaced by astral-sh/setup-uv (counted in the action minimization table above).

Two other Python packages were eliminated outside the ruff/uv consolidations: pipdeptree (replaced by an internal deps-graph implementation) and gitignore-parser (replaced by py-walk).

Permissions and token

Several workflows need a REPOMATIC_PAT secret to create PRs that modify files in .github/workflows/ and to trigger downstream workflows. Without it, those jobs silently fall back to the default GITHUB_TOKEN, which lacks the required permissions.

After your first push, the setup-guide job automatically opens an issue with step-by-step instructions to create and configure the token.

Concurrency and cancellation

All workflows use a concurrency directive to prevent redundant runs and save CI resources. When a new commit is pushed, any in-progress workflow runs for the same branch or PR are automatically cancelled.

Workflows are grouped by:

• Pull requests: {workflow-name}-{pr-number} — Multiple commits to the same PR cancel previous runs

• Branch pushes: {workflow-name}-{branch-ref} — Multiple pushes to the same branch cancel previous runs

release.yaml uses a stronger protection: release commits get a unique concurrency group based on the commit SHA, so they can never be cancelled. This ensures tagging, PyPI publishing, and GitHub release creation complete successfully.

Additionally, cancel-runs.yaml actively cancels in-progress and queued runs when a PR is closed. This complements passive concurrency groups, which only trigger cancellation when a new run enters the same group — closing a PR doesn’t produce such an event.

Tip

For implementation details on how concurrency groups are computed and why release.yaml needs special handling, see the repomatic.github.actions module docstring.

AV false-positive submissions

Compiled Python binaries (built with Nuitka --onefile) are frequently flagged as malicious by heuristic AV engines. The onefile packaging technique (self-extracting archive with embedded Python runtime) triggers generic “packed/suspicious” signatures. This is a known issue across the Nuitka ecosystem.

The scan-virustotal job in _release-engine.yaml uploads all compiled binaries to VirusTotal on every release. This seeds AV vendor databases to reduce false positive rates for downstream distributors (Chocolatey, Scoop, etc.).

When a release is flagged, the /av-false-positive skill generates per-vendor submission files with pre-written text and form field mappings. The vendor details below document the process for manual reference.

Vendor portals

Vendor	Engines covered	Portal	Format	Turnaround
Microsoft	Microsoft	WDSI file submission	One file per form, 1900 char limit on additional info	Fastest
BitDefender	BitDefender, ALYac, Arcabit, Emsisoft, GData, MicroWorld-eScan, VIPRE	bitdefender.com/submit	One file per form, screenshot mandatory	Fast
ESET	ESET-NOD32	Email to samples@eset.com	Single email, password-protected ZIP (infected), ~24 MB limit	Reliable
Symantec	Symantec	symsubmit.symantec.com	Hash submission only (no .exe/.bin upload), one hash per form, 5000 char limit	3-7 business days
Avast/AVG	Avast, AVG	avast.com/submit-a-sample	One file per form, shared engine	Medium
Sophos	Sophos	sophos.com filesubmission	One file per form, 25 MB max per submission	Up to 15 business days

Submission priority

Submit in this order to maximize impact:

1. Microsoft: most influential engine. ML detections (Sabsik, Wacatac) have the broadest downstream effect.

2. BitDefender: powers ~6 downstream vendor engines. Highest detection-removal-per-submission ratio.

3. ESET: email-based channel with no portal dependency. The most reliable submission path.

4. Symantec: ML detections (ML.Attribute.*) may take longer to process.

5. Avast/AVG: shared engine, so one submission covers both.

6. Sophos: PUA detections require justification of the software’s legitimate purpose.

Submission content

Every false-positive submission should include:

• The binary’s VirusTotal report link.

• VirusTotal links for the clean .whl and .tar.gz source distributions (as comparison evidence).

• The GitHub release link and direct download URL for the binary.

• Project homepage and PyPI URL.

• License from pyproject.toml.

• Reference to any prior false-positive issue in the repository.

All submission text should mention that the binary is compiled with Nuitka --onefile from an open-source project.

Known portal issues

• Microsoft: CORS errors or stuck progress modals during upload (auth session expiring). Workaround: sign out, clear cookies for microsoft.com, sign back in, submit immediately.

• BitDefender: form sometimes returns “Your request could not be registered!” with no details. Retry later.

• Avast: form sometimes returns “An internal error occurred while sending the form.” Retry later.

repomatic.virustotal API

Upload release binaries to VirusTotal and update GitHub release notes.

Submits compiled binaries (.bin, .exe) to the VirusTotal API for malware scanning, then appends analysis links to the GitHub release body so users can verify scan results.

Supports two-phase operation: phase 1 uploads files and writes an initial table with scan links, phase 2 polls for analysis completion and replaces the table with detection statistics.

Note

The free-tier API allows 4 requests per minute. All API calls (uploads and polls) are rate-limited with a sleep between each request.

repomatic.virustotal.VIRUSTOTAL_GUI_URL = 'https://www.virustotal.com/gui/file/{sha256}'

URL template for the VirusTotal file analysis page.

repomatic.virustotal.VIRUSTOTAL_SECTION_HEADER = '### 🛡️ VirusTotal scans'

Markdown header identifying the VirusTotal section in release bodies.

Used for idempotency: if this header is already present, the release body is not modified (unless replace=True is passed to update_release_body).

repomatic.virustotal.DETECTION_PENDING = '*pending*'

Placeholder text for the Detections column when analysis is not yet complete.

class repomatic.virustotal.DetectionStats(malicious, suspicious, undetected, harmless)

Bases: object

Detection statistics from a completed VirusTotal analysis.

Stores only the four categories that constitute a definitive verdict. type-unsupported, timeout, and failure from the API response are excluded from the total.

malicious: int

Number of engines that flagged the file as malicious.

suspicious: int

Number of engines that flagged the file as suspicious.

undetected: int

Number of engines that found no threat.

harmless: int

Number of engines that classified the file as harmless.

property flagged: int

Total engines that flagged the file (malicious + suspicious).

property total: int

Total engines that produced a definitive verdict.

class repomatic.virustotal.ScanResult(filename, sha256, analysis_url, detection_stats=None)

Bases: object

Result of uploading a single file to VirusTotal.

filename: str

Original filename of the uploaded binary.

sha256: str

SHA-256 hash of the file content.

analysis_url: str

VirusTotal web GUI URL for the file analysis.

detection_stats: DetectionStats | None = None

Detection statistics, or None if analysis is still pending.

repomatic.virustotal.scan_files(api_key, file_paths, rate_limit=4)

Upload files to VirusTotal and return scan results.

Uses the synchronous vt.Client API. Sleeps between uploads to respect the free-tier rate limit.

Parameters:

• api_key (str) – VirusTotal API key.

• file_paths (list[Path]) – Paths to binary files to upload.

• rate_limit (int) – Maximum requests per minute (free tier: 4).

Return type:

list[ScanResult]

Returns:

List of scan results with analysis URLs.

repomatic.virustotal.poll_detection_stats(api_key, results, rate_limit=4, timeout=600)

Poll VirusTotal for detection statistics of previously uploaded files.

Queries GET /files/:sha256: for each file until analysis completes or the timeout is reached. Respects the free-tier rate limit for all API calls.

Parameters:

• api_key (str) – VirusTotal API key.

• results (list[ScanResult]) – Scan results from a previous upload.

• rate_limit (int) – Maximum API requests per minute (shared with uploads).

• timeout (int) – Maximum seconds to wait for all analyses to complete.

Return type:

list[ScanResult]

Returns:

Results with detection_stats populated (or None for files whose analysis did not complete before the timeout).

repomatic.virustotal.format_virustotal_section(results, repo='', tag='')

Format scan results as a markdown section for a GitHub release body.

When any result has detection_stats, a three-column table is rendered with a Detections column. Otherwise the simpler two-column format is used.

Parameters:

• results (list[ScanResult]) – Scan results to format.

• repo (str) – Repository in owner/repo format. When provided along with tag, binary names are linked to their GitHub release download URLs.

• tag (str) – Release tag (e.g., v6.11.1).

Return type:

str

Returns:

Markdown string, or empty string if no results.

repomatic.virustotal.update_release_body(repo, tag, results, replace=False)

Append or replace VirusTotal scan links in a GitHub release body.

Parameters:

• repo (str) – Repository in owner/repo format.

• tag (str) – Release tag (e.g., v6.11.1).

• results (list[ScanResult]) – Scan results to write.

• replace (bool) – When True, replace an existing VirusTotal section instead of skipping. When False (default), skip if the section is already present.

Return type:

bool

Returns:

True if the body was updated, False if skipped.

repomatic.checksums API

Update SHA-256 checksums for binary downloads.

Two update modes:

1. Workflow files — scans for GitHub release download URLs paired with sha256sum --check verification lines. Replaces stale hashes in-place.

2. Tool registry — iterates TOOL_REGISTRY entries with binary specs, downloads each URL, and replaces stale hashes in tool_runner.py.

Designed to be called by Renovate postUpgradeTasks after version bumps, but also works standalone for manual checksum updates.

repomatic.checksums.update_checksums(file_path)

Update SHA-256 checksums in a workflow file.

Parameters:

file_path (Path) – Path to the workflow YAML file.

Return type:

list[tuple[str, str, str]]

Returns:

List of (url, old_hash, new_hash) for each updated checksum. Empty if all checksums are already correct.

repomatic.checksums.update_registry_checksums(registry_path)

Update SHA-256 checksums for binary tools in the tool runner registry.

Iterates all TOOL_REGISTRY entries with binary specs, downloads each URL, computes the SHA-256, and replaces stale hashes in-place in the Python source file.

Parameters:

registry_path (Path) – Path to tool_runner.py.

Return type:

list[tuple[str, str, str]]

Returns:

List of (url, old_hash, new_hash) for each updated checksum. Empty if all checksums are already correct.

repomatic.binary API

Binary build targets and verification utilities.

Defines the Nuitka compilation targets for all supported platforms and provides binary architecture verification using exiftool.

repomatic.binary.NUITKA_BUILD_TARGETS = {'linux-arm64': {'arch': 'arm64', 'extension': 'bin', 'os': 'ubuntu-24.04-arm', 'platform_id': 'linux'}, 'linux-x64': {'arch': 'x64', 'extension': 'bin', 'os': 'ubuntu-24.04', 'platform_id': 'linux'}, 'macos-arm64': {'arch': 'arm64', 'extension': 'bin', 'os': 'macos-26', 'platform_id': 'macos'}, 'macos-x64': {'arch': 'x64', 'extension': 'bin', 'os': 'macos-26-intel', 'platform_id': 'macos'}, 'windows-arm64': {'arch': 'arm64', 'extension': 'exe', 'os': 'windows-11-arm', 'platform_id': 'windows'}, 'windows-x64': {'arch': 'x64', 'extension': 'exe', 'os': 'windows-2025', 'platform_id': 'windows'}}

List of GitHub-hosted runners used for Nuitka builds.

The key of the dictionary is the target name, which is used as a short name for user-friendlyness. As such, it is used to name the compiled binary.

Values are dictionaries with the following keys:

• os: Operating system name, as used in GitHub-hosted runners.

  Hint

  We choose to run the compilation only on the latest supported version of each OS, for each architecture. Note that macOS and Windows do not have the latest version available for each architecture.

• platform_id: Platform identifier, as defined by Extra Platform.

• arch: Architecture identifier.

  Note

  Architecture IDs are inspired from those specified for self-hosted runners

  Note

  Maybe we should just adopt target triple.

• extension: File extension of the compiled binary.

repomatic.binary.FLAT_BUILD_TARGETS = [{'arch': 'arm64', 'extension': 'bin', 'os': 'ubuntu-24.04-arm', 'platform_id': 'linux', 'target': 'linux-arm64'}, {'arch': 'x64', 'extension': 'bin', 'os': 'ubuntu-24.04', 'platform_id': 'linux', 'target': 'linux-x64'}, {'arch': 'arm64', 'extension': 'bin', 'os': 'macos-26', 'platform_id': 'macos', 'target': 'macos-arm64'}, {'arch': 'x64', 'extension': 'bin', 'os': 'macos-26-intel', 'platform_id': 'macos', 'target': 'macos-x64'}, {'arch': 'arm64', 'extension': 'exe', 'os': 'windows-11-arm', 'platform_id': 'windows', 'target': 'windows-arm64'}, {'arch': 'x64', 'extension': 'exe', 'os': 'windows-2025', 'platform_id': 'windows', 'target': 'windows-x64'}]

List of build targets in a flat format, suitable for matrix inclusion.

repomatic.binary.BINARY_AFFECTING_PATHS: Final[tuple[str, ...]] = ('.github/workflows/release.yaml', 'pyproject.toml', 'tests/', 'uv.lock')

Path prefixes that always affect compiled binaries, regardless of the project.

Project-specific source directories (derived from [project.scripts] in pyproject.toml) are added dynamically by binary_affecting_paths.

repomatic.binary.SKIP_BINARY_BUILD_BRANCHES: Final[frozenset[str]] = frozenset({'format-images', 'format-json', 'format-markdown', 'format-shell', 'sync-gitignore', 'sync-mailmap', 'update-deps-graph'})

Autofix branches whose changes cannot affect compiled binaries.

Members are PR branch names produced by autofix jobs that touch only repository housekeeping (.mailmap, .gitignore, JSON, Markdown, images, shell scripts, dependency graph). The binary output is unchanged, so skip_binary_build returns True when the PR head branch matches a member, saving an expensive Nuitka compilation.

Note

This set is intentionally disjoint from VERSION_BUMP_BRANCHES: version-bump branches do change binaries (they rewrite the version string baked into the build), so they belong to a different policy.

repomatic.binary.VERSION_BUMP_BRANCHES: Final[frozenset[str]] = frozenset({'major-version-increment', 'minor-version-increment', 'prepare-release'})

PR branches that carry only automated version-bump and lockfile churn.

Members are bot-authored draft PRs created by the bump-version and prepare-release jobs in changelog.yaml. Their working tree is byte-identical to main except for the version string in pyproject.toml, **/__init__.py, changelog.md, citation.cff, and uv.lock. Heavy PR-time workflows (tests.yaml, lint.yaml, labels.yaml) list these branches under pull_request.branches-ignore so the matrix doesn’t burn CI minutes for a guaranteed-passing run.

Note

These branches are not binary-neutral: the rewritten version string is baked into the Nuitka binary, so they are deliberately absent from SKIP_BINARY_BUILD_BRANCHES. Post-merge release artifacts on main are still produced.

repomatic.binary.MANUAL_VERSION_BUMP_COMMIT_PREFIXES: Final[frozenset[str]] = frozenset({'Bump major version to ', 'Bump minor version to '})

Head-commit-message prefixes for user-initiated version bumps.

Members are the bump-version job’s Bump $part version to \``v$version\ commit messages (rendered from the bump-version template’s title). These merges land as a single commit on main and carry no other payload, so workflows can short-circuit on them safely.

The release-cycle prefix [changelog] Post-release bump `` is deliberately absent from this set because the ``prepare-release merge bundles the post-release-bump commit with the actual release commit ([changelog] Release vX.Y.Z) in a single push. Workflows that gate on the head commit message (tests.yaml, release.yaml::compile-binaries) must run on those pushes to test the release commit and build its binary — so they consult only this subset.

repomatic.binary.VERSION_BUMP_COMMIT_PREFIXES: Final[frozenset[str]] = frozenset({'Bump major version to ', 'Bump minor version to ', '[changelog] Post-release bump '})

Full set of head-commit-message prefixes that mark a version-bump push.

Combines MANUAL_VERSION_BUMP_COMMIT_PREFIXES with the [changelog] Post-release bump `` prefix produced by ``prepare-release merges. Workflows without a release-artifact dependency (lint.yaml, labels.yaml) use this full set in their metadata job’s if: gate so the entire job graph skips for any push generated by the version-bump PR family. Workflows that do produce release artifacts on the same push use MANUAL_VERSION_BUMP_COMMIT_PREFIXES instead.

repomatic.binary.BINARY_ARCH_MAPPINGS: Final[dict[str, tuple[str, str]]] = {'linux-arm64': ('CPUType', 'Arm 64-bits'), 'linux-x64': ('CPUType', 'AMD x86-64'), 'macos-arm64': ('CPUType', 'ARM 64-bit'), 'macos-x64': ('CPUType', 'x86 64-bit'), 'windows-arm64': ('MachineType', 'ARM64'), 'windows-x64': ('MachineType', 'AMD64')}

Mapping of build targets to (exiftool_field, expected_substring) tuples.

ABI signatures reported by file(1) for each compiled binary:

• linux-arm64: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, stripped

• linux-x64: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped

• macos-arm64: Mach-O 64-bit executable arm64

• macos-x64: Mach-O 64-bit executable x86_64

• windows-arm64: PE32+ executable (console) Aarch64, for MS Windows

• windows-x64: PE32+ executable (console) x86-64, for MS Windows

repomatic.binary.get_exiftool_command()

Return the platform-appropriate exiftool command.

On Windows, exiftool is installed as exiftool.exe.

Return type:

str

repomatic.binary.run_exiftool(binary_path)

Run exiftool on a binary and return parsed JSON output.

Parameters:

binary_path (Path) – Path to the binary file.

Return type:

dict[str, str]

Returns:

Dictionary of exiftool metadata.

Raises:

• subprocess.CalledProcessError – If exiftool fails.

• json.JSONDecodeError – If output is not valid JSON.

repomatic.binary.verify_binary_arch(target, binary_path)

Verify that a binary matches the expected architecture for a target.

Parameters:

• target (str) – Build target (e.g., ‘linux-arm64’, ‘macos-x64’).

• binary_path (Path) – Path to the binary file.

Raises:

• ValueError – If target is unknown.

• AssertionError – If binary architecture does not match expected.

Return type:

None