ci: Add GitHub artifact attestations to package distribution #3126
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
updates: - github.com/python-jsonschema/check-jsonschema: v0.28.2 → v0.28.4
* Add generation of GitHub artifact attestations to built sdist and wheel before upload. c.f.: - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds * Add verification of artifact attestation before publishing awkward to PyPI using the 'gh attestation verify' CLI API, added in v2.49.0. - c.f. https://github.com/cli/cli/releases/tag/v2.49.0
matthewfeickert
force-pushed
the
ci/add-artifact-attestations
branch
from
6920996
to
8f01e17
Compare
|
Debug examples running on my fork: These debug examples are running on |
jpivarski
approved these changes
May 22, 2024
There was a problem hiding this comment.
Just like scikit-hep/uproot5#1222, this looks good, too! I'll merge it now.
|
This is fantastic! Thanks all :) |
|
Nice to see for
$ python -m pip download --no-deps awkward
Collecting awkward
Downloading awkward-2.6.5-py3-none-any.whl.metadata (7.0 kB)
Downloading awkward-2.6.5-py3-none-any.whl (796 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 796.1/796.1 kB 5.3 MB/s eta 0:00:00
Saved ./awkward-2.6.5-py3-none-any.whl
Successfully downloaded awkward
$ gh attestation verify awkward-2.6.5-py3-none-any.whl --repo scikit-hep/awkward
Loaded digest sha256:9fdecd255b660e05369631331689ca6ffedc1047e7756aa402445b4fa96081ce for file://awkward-2.6.5-py3-none-any.whl
Loaded 1 attestation from GitHub API
✓ Verification succeeded!
sha256:9fdecd255b660e05369631331689ca6ffedc1047e7756aa402445b4fa96081ce was attested by:
REPO PREDICATE_TYPE WORKFLOW
scikit-hep/awkward https://slsa.dev/provenance/v1 .github/workflows/deploy.yml@refs/tags/v2.6.5 |
|
Though I messed up with awkward/.github/workflows/deploy-cpp.yml Lines 37 to 40 in 45c708d as the naming scheme is # $ python -m pip download --no-binary :all: --no-deps awkward-cpp # isn't working to get the sdist without build?
$ curl -sLO https://files.pythonhosted.org/packages/bd/0d/64ce9e9f6164a1bf8f0c32f86f5e705598093f16158d9b73b3e33c00ec35/awkward-cpp-34.tar.gz
$ gh attestation verify awkward-cpp-34*.tar.gz --repo scikit-hep/awkward
Loaded digest sha256:39ac814d769f38ade9a5f6c39b85b07bbc05af56342fb15742edce1237f9e049 for file://awkward-cpp-34.tar.gz
Loaded 1 attestation from GitHub API
✓ Verification succeeded!
sha256:39ac814d769f38ade9a5f6c39b85b07bbc05af56342fb15742edce1237f9e049 was attested by:
REPO PREDICATE_TYPE WORKFLOW
scikit-hep/awkward https://slsa.dev/provenance/v1 .github/workflows/deploy-cpp.yml@refs/heads/main
$ python -m pip download --no-cache-dir --no-deps awkward-cpp
Collecting awkward-cpp
Downloading awkward_cpp-34-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (2.2 kB)
Downloading awkward_cpp-34-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (694 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 694.1/694.1 kB 6.0 MB/s eta 0:00:00
Saved ./awkward_cpp-34-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Successfully downloaded awkward-cpp
$ gh attestation verify awkward_cpp-34*.whl --repo scikit-hep/awkward
Loaded digest sha256:077f6ae40e2a4fdda1252665eeebb7ab52d3987924e861fe5c8f97b473b540b5 for file://awkward_cpp-34-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
✗ Loading attestations from GitHub API failed
Error: failed to fetch attestations from scikit-hep/awkward: HTTP 404: Not Found (https://api.github.com/repos/scikit-hep/awkward/attestations/sha256:077f6ae40e2a4fdda1252665eeebb7ab52d3987924e861fe5c8f97b473b540b5?per_page=30) |
matthewfeickert
commented
Jun 16, 2024
Comment on lines
+128
to
+136
| - name: Verify sdist artifact attestation | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh attestation verify dist/awkward-*.tar.gz --repo ${{ github.repository }} | ||
|
|
||
| - name: Verify wheel artifact attestation | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh attestation verify dist/awkward-*.whl --repo ${{ github.repository }} |
There was a problem hiding this comment.
A note related to cli/cli#9215, this is only working currently because there is one wheel. gh attestation verify can't operate on file globs!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As an example c.f. scikit-hep/pyhf#2473.