-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: Add GitHub artifact attestations to package distribution #2473
Conversation
Currently blocked by actions/runner-images#9784, without updating |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2473 +/- ##
=======================================
Coverage 98.21% 98.21%
=======================================
Files 69 69
Lines 4543 4543
Branches 804 804
=======================================
Hits 4462 4462
Misses 48 48
Partials 33 33
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
* Add generation of GitHub artifact attestations to built sdist and wheel before upload. c.f.: - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds * Add verification of artifact attestation before publishing to PyPI using the 'gh attestation verify' CLI API, added in v2.49.0. - c.f. https://github.com/cli/cli/releases/tag/v2.49.0
e33ba6e
to
2e1aab3
Compare
GitHub CLI is updated to |
So it seems that the most important takeaway is described in https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/#a-more-secure-future, and while it seems that this should mean that the number of attestations generated isn't relevant as everything will be machine generated, it seems that it might(?) be useful to keep https://github.com/scikit-hep/pyhf/attestations containing mostly only releases. @woodruffw @di, not to bug you with things that go beyond https://github.com/sigstore/sigstore-python, but is this the correct take (that we should only be publishing attestations for releases)? |
Also cc @sethmlarson given very helpful feedback on scientific-python/summit-2024#9 (comment). |
Thanks for the ping @matthewfeickert! IMO, the number of attestations generated is not currently relevant: these attestations don't appear on PyPI and are "generic" in nature (i.e. don't express a specific intent to build, release, etc.), so having multiple of them doesn't accomplish much at the moment. However, to take a step back: we're building PEP 740 on the same foundations (Sigstore + That's still a little out and not directly related to what you asked though 😅. But the TL;DR: IMO one GitHub attestation is fine, and in the future PEP 740 will also allow your tools to (automatically) load multiple attestations per-file onto PyPI. |
Amazing! Thank you very much for all of this work and this is actually quite useful to know about. 👍 I also now have some reading to do. :) https://peps.python.org/pep-0740/
Okay thanks this is useful. My question was more in the context of the fact that https://github.com/scikit-hep/pyhf/attestations is a log of all attestations, and if I was to remove the |
permissions: | ||
id-token: write | ||
attestations: write | ||
contents: read |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@meeseeksdev backport to release/v0.7.x |
…package distribution
#2496) * Backport: - PR #2473 - PR #2478 --------- Co-authored-by: Matthew Feickert <[email protected]>
Description
c.f.:
gh attestation verify
CLI API, added inv2.49.0
.Checklist Before Requesting Reviewer
Before Merging
For the PR Assignees: