ci: Add GitHub artifact attestations to package distribution #993
Conversation
updates:
- [github.com/python-jsonschema/check-jsonschema: 0.28.3 → 0.28.4](python-jsonschema/[email protected])
* Add generation of GitHub artifact attestations to built sdist and wheel before upload.
  c.f.:
  - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
  - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
Thanks, this will be tested on the next release.

Once this runs during a release the attestations will be uploaded to https://github.com/scikit-hep/iminuit/attestations and can be verified from a wheel or sdist using the

@matthewfeickert The release failed in the upload stage, see https://github.com/scikit-hep/iminuit/actions/runs/9349824358/job/25732717796

Never mind, I have not yet added GitHub as a trusted publisher for iminuit. I did this for resample but apparently not for iminuit.
https://github.com/scikit-hep/iminuit/attestations are now up and working. 👍

```console
$ python -m pip download --no-binary :all: --no-deps iminuit
Collecting iminuit
  Downloading iminuit-2.26.0.tar.gz (2.9 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.9/2.9 MB 16.2 MB/s eta 0:00:00
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Installing backend dependencies ... done
  Preparing metadata (pyproject.toml) ... done
Saved ./iminuit-2.26.0.tar.gz
Successfully downloaded iminuit
$ gh attestation verify iminuit-*.tar.gz --repo scikit-hep/iminuit
Loaded digest sha256:a51233fbf1c2e008aa584f9eea65b6c30ed56624e4dea5d4e53370ccd84c9b4e for file://iminuit-2.26.0.tar.gz
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:a51233fbf1c2e008aa584f9eea65b6c30ed56624e4dea5d4e53370ccd84c9b4e was attested by:
REPO                PREDICATE_TYPE                  WORKFLOW
scikit-hep/iminuit  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/heads/main
```

```console
$ python -m pip download --no-deps iminuit
Collecting iminuit
  Downloading iminuit-2.26.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (11 kB)
  Downloading iminuit-2.26.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (428 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 428.6/428.6 kB 4.4 MB/s eta 0:00:00
Saved ./iminuit-2.26.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Successfully downloaded iminuit
$ gh attestation verify iminuit-*.whl --repo scikit-hep/iminuit
Loaded digest sha256:8b32825029cebbc0df3b85cbdb389d7edf4bf608bd09d1f19efa098fbbfefaf4 for file://iminuit-2.26.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:8b32825029cebbc0df3b85cbdb389d7edf4bf608bd09d1f19efa098fbbfefaf4 was attested by:
REPO                PREDICATE_TYPE                  WORKFLOW
scikit-hep/iminuit  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/heads/main
```

Thanks for the release, @HDembinski!
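A download-and-verify script, added here as an example and not part of the iminuit project or this PR. It fetches one distribution of a release through PyPI's JSON API with curl, so that, unlike the `pip download` of the sdist in the transcript above, no build backend runs before the file has been verified; it then runs `gh attestation verify` and applies two checks the transcript does not show: the digest gh reports must match the file on disk, and the WORKFLOW column must be exactly `.github/workflows/release.yml@refs/heads/main`, because `--repo` alone accepts an attestation produced by any workflow in that repository. The function names, the curl/jq dependency and the use of PyPI's JSON API are assumptions of this example; the sample gh output used in the checks is copied from the thread above.

```shell
#!/usr/bin/env bash
# Added example (not iminuit's code): fetch a PyPI distribution without running
# any build step, verify its GitHub attestation, and enforce that the attesting
# workflow is the expected release workflow.
# Assumes: an authenticated `gh`, plus curl and jq on PATH.
set -eu

# Workflow ref shown in the gh output in the PR thread (assumed policy value).
EXPECTED_WORKFLOW=".github/workflows/release.yml@refs/heads/main"

# sha256 of a file; works with coreutils (sha256sum) or macOS (shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the "Loaded digest sha256:<hex>" line in gh's output equals
# the digest of the file on disk. Guards against verifying the wrong file
# (for example a glob matching a stale download).
digest_matches() {
    local gh_output="$1" file="$2" attested actual
    attested=$(printf '%s\n' "$gh_output" \
        | sed -n 's/^Loaded digest sha256:\([0-9a-f]*\).*/\1/p')
    actual=$(file_sha256 "$file")
    [ -n "$attested" ] && [ "$attested" = "$actual" ]
}

# Return 0 only if the WORKFLOW column of gh's SLSA provenance row equals the
# expected workflow. A successful `--repo` verification on its own proves that
# *some* workflow in the repository attested the file, not which one.
check_attested_workflow() {
    local gh_output="$1" expected="$2" workflow
    workflow=$(printf '%s\n' "$gh_output" \
        | awk '$2 == "https://slsa.dev/provenance/v1" {print $3; exit}')
    [ -n "$workflow" ] && [ "$workflow" = "$expected" ]
}

# Download one file of $pkg==$version from PyPI (packagetype "sdist" or
# "bdist_wheel") and verify it against attestations stored for $repo.
verify_dist() {
    local pkg="$1" version="$2" kind="$3" repo="$4" url file out
    url=$(curl -fsSL "https://pypi.org/pypi/${pkg}/${version}/json" \
        | jq -r --arg k "$kind" 'first(.urls[] | select(.packagetype == $k) | .url)')
    [ -n "$url" ] && [ "$url" != "null" ] || { echo "no $kind for $pkg $version" >&2; return 1; }
    file=$(basename "$url")
    curl -fsSLo "$file" "$url"
    out=$(gh attestation verify "$file" --repo "$repo")
    digest_matches "$out" "$file" || { echo "digest mismatch for $file" >&2; return 1; }
    check_attested_workflow "$out" "$EXPECTED_WORKFLOW" \
        || { echo "$file was not attested by $EXPECTED_WORKFLOW" >&2; return 1; }
    printf '%s\n' "$out"
    echo "OK: $file attested by $EXPECTED_WORKFLOW"
}

case "${1:-}" in
    --verify) verify_dist "$2" "$3" "${4:-sdist}" "${5:-scikit-hep/iminuit}" ;;
esac
```

Run it as `./verify_dist.sh --verify iminuit 2.26.0 bdist_wheel scikit-hep/iminuit`; the version and packagetype select the file from PyPI's listing, and a non-zero exit means the file should not be installed. Check `gh attestation verify --help` for an option that pins the signing workflow or certificate identity directly; where available that is preferable to parsing the summary table, which this script does so that it works with the output format shown in the thread.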