PYTHON-4541 [v4.8] Add attestations for Python Releases (#1747)

Co-authored-by: Noah Stapp <noah.stapp@mongodb.com>

.github/workflows/release-python.yml

@@ -72,6 +72,7 @@ jobs:
     permissions:
       id-token: write
       contents: write
+      attestations: write
       security-events: write
     steps:
       - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2

.pre-commit-config.yaml

@@ -64,14 +64,11 @@ repos:
       stages: [manual]
 
 - repo: https://github.com/sirosen/check-jsonschema
-  rev: 0.27.0
+  rev: 0.29.0
   hooks:
-    - id: check-jsonschema
-      name: "Check GitHub Workflows"
-      files: ^\.github/workflows/
-      types: [yaml]
-      args: ["--schemafile", "https://json.schemastore.org/github-workflow"]
-      stages: [manual]
+    - id: check-github-workflows
+    - id: check-github-actions
+    - id: check-dependabot
 
 - repo: https://github.com/ariebovenberg/slotscheck
   rev: v0.17.0

pymongo/pyopenssl_context.py

@@ -291,7 +291,7 @@ class SSLContext:
         # Password callback MUST be set first or it will be ignored.
         if password:
 
-            def _pwcb(_max_length: int, _prompt_twice: bool, _user_data: bytes) -> bytes:
+            def _pwcb(_max_length: int, _prompt_twice: bool, _user_data: Optional[bytes]) -> bytes:
                 # XXX:We could check the password length against what OpenSSL
                 # tells us is the max, but we can't raise an exception, so...
                 # warn?
@@ -331,6 +331,7 @@ class SSLContext:
     def _load_wincerts(self, store: str) -> None:
         """Attempt to load CA certs from Windows trust store."""
         cert_store = self._ctx.get_cert_store()
+        assert cert_store is not None
         oid = _stdlibssl.Purpose.SERVER_AUTH.oid
 
         for cert, encoding, trust in _stdlibssl.enum_certificates(store):  # type: ignore