From ac830a34d9721206166af97ee65fa213d53b8b70 Mon Sep 17 00:00:00 2001
From: Matthew Feickert
Date: Tue, 21 May 2024 11:27:17 -0500
Subject: [PATCH 1/2] chore: update pre-commit hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- github.com/python-jsonschema/check-jsonschema: v0.28.2 → v0.28.4
---
.pre-commit-config.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 86fce3b3b8..3de30d8861 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -62,7 +62,7 @@ repos:
files: ^tests/
- repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.28.2
+ rev: 0.28.4
hooks:
- id: check-github-workflows
args: ["--verbose"]

From 8f01e175832f130298e09ea9d20c1369e07992e4 Mon Sep 17 00:00:00 2001
From: Matthew Feickert
Date: Tue, 21 May 2024 11:19:59 -0500
Subject: [PATCH 2/2] ci: Add GitHub artifact attestations to package distribution

* Add generation of GitHub artifact attestations to built sdist and wheel before upload.
c.f.:
- https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
- https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
* Add verification of artifact attestation before publishing awkward to PyPI using the 'gh attestation verify' CLI API, added in v2.49.0.
- c.f. https://github.com/cli/cli/releases/tag/v2.49.0
---
.github/workflows/deploy-cpp.yml | 7 +++++++
.github/workflows/deploy.yml | 22 ++++++++++++++++++++++
2 files changed, 29 insertions(+)

diff --git a/.github/workflows/deploy-cpp.yml b/.github/workflows/deploy-cpp.yml
index b819f9f35c..c2d8f7d56b 100644
--- a/.github/workflows/deploy-cpp.yml
+++ b/.github/workflows/deploy-cpp.yml
@@ -18,6 +18,8 @@ jobs:
if: inputs.publish-pypi
permissions:
id-token: write
+ attestations: write
+ contents: read
environment:
name: "pypi"
url: "https://pypi.org/project/awkward-cpp/"
@@ -32,4 +34,9 @@ jobs:
- name: List distributions to be deployed
run: ls -l dist/
+ - name: Generate artifact attestation for sdist and wheel
+ uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-path: "dist/awkward-cpp-*"
+
- uses: pypa/gh-action-pypi-publish@v1.8.14
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 213f3db4cd..a0e923fc8a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -67,6 +67,10 @@ jobs:
name: "Build wheel & sdist"
runs-on: ubuntu-latest
needs: [determine-source-date-epoch]
+ permissions:
+ id-token: write
+ attestations: write
+ contents: read
env:
SOURCE_DATE_EPOCH: ${{ needs.determine-source-date-epoch.outputs.source-date-epoch }}
steps:
@@ -83,6 +87,11 @@ jobs:
- name: Check metadata
run: pipx run twine check dist/*
+ - name: Generate artifact attestation for sdist and wheel
+ uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-path: "dist/awkward-*"
+
- uses: actions/upload-artifact@v4
with:
name: distributions
@@ -113,6 +122,19 @@ jobs:
name: distributions
path: dist
+ - name: List distributions to be deployed
+ run: ls -l dist/
+
+ - name: Verify sdist artifact attestation
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: gh attestation verify dist/awkward-*.tar.gz --repo ${{ github.repository }}
+
+ - name: Verify wheel artifact attestation
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: gh attestation verify dist/awkward-*.whl --repo ${{ github.repository }}
+
- uses: pypa/gh-action-pypi-publish@v1.8.14
publish-headers:
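Review bot: The attest-build-provenance step in the second deploy-cpp.yml hunk (`@@ -32,4 +34,9 @@`) runs inside the job that publishes to PyPI, between `ls -l dist/` and `pypa/gh-action-pypi-publish`, and nothing verifies the attestation before the publish action runs. If this job only downloads a pre-built `dist/` (the "List distributions to be deployed" step suggests that, but the job's start lies outside the hunk), the provenance it signs names this publishing job as the builder rather than the job that compiled the extension, which weakens what the attestation proves about the wheels. The deploy.yml change in the same commit attests in the build job and verifies in the publish job; mirroring that here — attesting where awkward-cpp is built and adding a verify step over each file in `dist/` before the publish action — would keep the two workflows consistent. Independently of that, `subject-path: "dist/awkward-cpp-*"` deserves a comment stating that it is expected to match exactly the sdist and wheels the next step uploads, so a stray file left in `dist/` is not silently attested as a release artifact.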
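Review bot: The two verify steps in the last deploy.yml hunk (`@@ -113,6 +122,19 @@`) hand a shell glob to `gh attestation verify`, which accepts a single path, so the steps only work while each pattern expands to exactly one file; a second wheel or sdist in `dist/` would fail the step for an unrelated reason, and a file in `dist/` matching neither pattern would be published without any verification. Iterating over every file in `dist/` in one step closes that gap and also removes the duplicated `GH_TOKEN` env block. `--repo ${{ github.repository }}` only constrains the claimed source repository; where the runner's gh supports it, `--signer-workflow` narrows the accepted signer to this repository's build workflow, which is the stronger check for a release gate. The commit message notes the subcommand needs gh v2.49.0 or later, but nothing in the hunk pins or records the runner's version, so a `gh --version` line in the step makes a failure on an older image easy to diagnose. The publish job's header and permissions lie outside the hunk.
```yaml
      - name: Verify artifact attestations
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh --version
          for artifact in dist/*; do
            gh attestation verify "$artifact" --repo "${{ github.repository }}"
          done
```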