Add uv release artifact attestations #11357
Conversation
7e04715 to 7b8e78f
cc @Gankra — seems low priority but want to make sure you're aware of this. |
idle first thought: we can "just" inline the attestation stuff into the build-binaries subscript, in the same way that it builds tarballs in the exact format cargo-dist "would" if it was running the tasks. tedious but not the worst. |
I also left a proposal here from a pseudo-working implementation I started locally: axodotdev/cargo-dist#1754. Although not sure of the best approach now with the fork scenario.
7b8e78f to 0264fe6
Given we're on dist 0.30 now (which has axodotdev/cargo-dist#2000), we can revive this |
0264fe6 to d6cfd84
@Gankra this should be finally ready |
d6cfd84 to 37de3a1
37de3a1 to b498654
Apologies for the delay, I'm cutting a cargo-dist release to get your full changes (0.30.0 only had the overly broad ones). |
woodruffw left a comment
Awesome 🙂
The PR is now rebased and uses the latest cargo-dist that makes zizmor happy |
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.9.5` -> `0.9.7` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.**

### Release Notes

### [`v0.9.7`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#097)

Compare source: astral-sh/uv@0.9.6...0.9.7

Released on 2025-10-30.

##### Enhancements

- Add Windows x86-32 emulation support to interpreter architecture checks (astral-sh/uv#13475)
- Improve readability of progress bars (astral-sh/uv#16509)
- Add GitHub attestations for uv release artifacts (astral-sh/uv#11357)

##### Bug fixes

- Drop terminal coloring from `uv auth token` output (astral-sh/uv#16504)
- Don't use `UV_LOCKED` to enable `--check` flag (astral-sh/uv#16521)

### [`v0.9.6`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#096)

Compare source: astral-sh/uv@0.9.5...0.9.6

Released on 2025-10-29.

This release contains an upgrade to Astral's fork of `async_zip`, which addresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details.

##### Security

- Address ZIP parsing differentials (GHSA-pqhf-p39g-3x64)

##### Python

- Upgrade GraalPy to 25.0.1 (astral-sh/uv#16401)

##### Enhancements

- Add `--clear` to `uv build` to remove old build artifacts (astral-sh/uv#16371)
- Add `--no-create-gitignore` to `uv build` (astral-sh/uv#16369)
- Do not error when a virtual environment directory cannot be removed due to a busy error (astral-sh/uv#16394)
- Improve hint on `pip install --system` when externally managed (astral-sh/uv#16392)
- Running `uv lock --check` with outdated lockfile will print that `--check` was passed, instead of `--locked` (astral-sh/uv#16322)
- Update `uv init` template for Maturin (astral-sh/uv#16449)
- Improve ordering of Python sources in logs (astral-sh/uv#16463)
- Restore DockerHub release images and annotations (astral-sh/uv#16441)

##### Bug fixes

- Check for matching Python implementation during `uv python upgrade` (astral-sh/uv#16420)
- Deterministically order `--find-links` distributions (astral-sh/uv#16446)
- Don't panic in `uv export --frozen` when the lockfile is outdated (astral-sh/uv#16407)
- Fix root of `uv tree` when `--package` is used with circular dependencies (astral-sh/uv#15908)
- Show package list with `pip freeze --quiet` (astral-sh/uv#16491)
- Limit `uv auth login pyx.dev` retries to 60s (astral-sh/uv#16498)
- Add an empty group with `uv add --group ... -r ...` (astral-sh/uv#16490)

##### Documentation

- Update docs for maturin build backend init template (astral-sh/uv#16469)
- Update docs to reflect previous changes to signal forwarding semantics (astral-sh/uv#16430)
- Add instructions for installing via MacPorts (astral-sh/uv#16039)

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.9.7` -> `0.9.8` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.**

### Release Notes

### [`v0.9.8`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#098)

Compare source: astral-sh/uv@0.9.7...0.9.8

Released on 2025-11-07.

##### Enhancements

- Accept multiple packages in `uv export` (astral-sh/uv#16603)
- Accept multiple packages in `uv sync` (astral-sh/uv#16543)
- Add a `uv cache size` command (astral-sh/uv#16032)
- Add prerelease guidance for build-system resolution failures (astral-sh/uv#16550)
- Allow Python requests to include `+gil` to require a GIL-enabled interpreter (astral-sh/uv#16537)
- Avoid pluralizing 'retry' for single value (astral-sh/uv#16535)
- Enable first-class dependency exclusions (astral-sh/uv#16528)
- Fix inclusive constraints on available package versions in resolver errors (astral-sh/uv#16629)
- Improve `uv init` error for invalid directory names (astral-sh/uv#16554)
- Show help on `uv build -h` (astral-sh/uv#16632)
- Include the Python variant suffix in "Using Python ..." messages (astral-sh/uv#16536)
- Log most recently modified file for cache-keys (astral-sh/uv#16338)
- Update Docker builds to use nightly Rust toolchain with musl v1.2.5 (astral-sh/uv#16584)
- Add GitHub attestations for uv release artifacts (astral-sh/uv#11357)

##### Configuration

- Expose `UV_NO_GROUP` as an environment variable (astral-sh/uv#16529)
- Add `UV_NO_SOURCES` as an environment variable (astral-sh/uv#15883)

##### Bug fixes

- Allow `--check` and `--locked` to be used together in `uv lock` (astral-sh/uv#16538)
- Allow for unnormalized names in the METADATA file (astral-sh/uv#16547) (astral-sh/uv#16548)
- Fix missing `value_type` for `default-groups` in schema (astral-sh/uv#16575)
- Respect multi-GPU outputs in `nvidia-smi` (astral-sh/uv#15460)
- Fix DNS lookup errors in Docker containers (astral-sh/uv#8450)

##### Documentation

- Fix typo in uv tool list doc (astral-sh/uv#16625)
- Note `uv pip list` name normalization in docs (astral-sh/uv#13210)

##### Other changes

- Update Rust toolchain to 1.91 and MSRV to 1.89 (astral-sh/uv#16531)

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Summary
Similar to #8685, this adds attestations for uv release artifacts.
The changes on this PR would add attestations for
- `dist-manifest.json`
- `uv-installer.ps1`
- `uv-installer.sh`
- `*.tar.gz` and `*.zip` uv binary files

Test Plan
(clarifying note: I'm aware this file is managed by cargo dist and this will not work without `allow-dirty` at this time.) Currently cargo dist targets generation in `build_local_artifacts`, which is not used here; plus we'd ideally want to attest the GH downloads / artifacts. (edit: fixed by axodotdev/cargo-dist#2000)

At a glance, this release workflow seems to work successfully:
e.g. Example Run: https://github.com/samypr100/uv/actions/runs/13229100555
e.g. Example Release: https://github.com/samypr100/uv/releases/tag/0.5.29
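The two halves of what this PR wires up, as an added example that is not uv's cargo-dist-generated `release.yml` and not this PR's diff: a job that produces build-provenance attestations for the artifact set listed in the summary, and a consumer-side job that verifies one download with `gh attestation verify`. The `target/distrib/` output directory, the `dist build --artifacts=local` invocation and the asset name `uv-x86_64-unknown-linux-gnu.tar.gz` are assumptions for illustration.

```yaml
# Added example, not uv's generated release.yml. It shows the attestation
# step for the artifact set the PR lists, and the consumer-side check.
name: release-attestations-example
on:
  push:
    tags: ["*"]

# Default every job to read-only; only the attest job gets write scopes.
permissions:
  contents: read

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # upload the release assets
      id-token: write        # OIDC token that becomes the Sigstore signing identity
      attestations: write    # store the attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      # Assumed: the dist CLI is installed and writes its outputs to
      # target/distrib/. In uv's real workflow this step is generated by
      # cargo-dist, not hand-written.
      - name: Build release artifacts
        run: dist build --artifacts=local

      # One attestation per matching file. The manifest and both installer
      # scripts are included because the installer path trusts them before
      # it ever touches a binary archive.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: |
            target/distrib/dist-manifest.json
            target/distrib/uv-installer.sh
            target/distrib/uv-installer.ps1
            target/distrib/*.tar.gz
            target/distrib/*.zip

      - name: Upload release assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "$GITHUB_REF_NAME" target/distrib/*

  verify-download:
    needs: build-and-attest
    runs-on: ubuntu-latest
    steps:
      # Consumer-side check. --repo pins the expected source repository, so an
      # attestation produced by a fork's workflow (e.g. samypr100/uv) does not
      # verify against astral-sh/uv even though it is a valid Sigstore bundle.
      - name: Download one asset and verify its attestation
        env:
          GH_TOKEN: ${{ github.token }}
          ASSET: uv-x86_64-unknown-linux-gnu.tar.gz   # assumed asset name
        run: |
          gh release download "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" --pattern "$ASSET"
          gh attestation verify "$ASSET" --repo "$GITHUB_REPOSITORY"
```

Locally the same check is `gh attestation verify <file> --repo astral-sh/uv`; `--signer-workflow` additionally pins the workflow file that signed. Provenance proves which repository and workflow built a file, not that the source it built from was sound, so it complements the release checksums rather than replacing them.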