
Add build provenance for gh CLI releases #9087

Merged: 9 commits merged into cli:trunk from build-provenance on May 28, 2024

Conversation

malancas (Contributor) commented May 15, 2024

Fixes #9041

This adds build provenance for gh CLI releases. Because gh CLI releases generate multiple artifacts, the Action will create an attestation for each artifact prefixed with gh found in the dist directory.

Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas malancas changed the base branch from build-provenance to trunk May 15, 2024 18:03
Signed-off-by: Meredith Lancaster <malancas@github.com>
@malancas malancas changed the title Add build provenance gh CLI releases Add build provenance for gh CLI releases May 15, 2024
@malancas malancas marked this pull request as ready for review May 24, 2024 15:58
@malancas malancas requested a review from a team as a code owner May 24, 2024 15:58
@cliAutomation cliAutomation added the external pull request originating outside of the CLI core team label May 24, 2024
@cliAutomation cliAutomation added this to Needs review 🤔 in The GitHub CLI May 24, 2024
@phillmv phillmv requested a review from a team May 24, 2024 17:32
williammartin (Member) left a comment

Hihi, thanks for looking at this @malancas.

Is there a reason to do this in the job for each platform rather than once for all artifacts in the release job? We grab the artifacts uploaded from each platform job and download them into the release job here:

mv -v {linux,macos,windows}/gh_* dist/

Job logs: https://github.com/cli/cli/actions/runs/9066936008/job/24911809571

Edit: in fact, when I look at the issue this seems to be what andy proposed and you agreed upon, which makes me even more curious!

williammartin (Member)

If we don't gate this via inputs.environment == 'production' we could also test that the signing works before we do a production release. Or do you feel confident enough in this to do it live?

For example:

DO_PUBLISH: ${{ inputs.environment == 'production' }}

malancas (Contributor, Author)

If we don't gate this via inputs.environment == 'production' we could also test that the signing works before we do a production release. Or do you feel confident enough in this to do it live?

For example:

DO_PUBLISH: ${{ inputs.environment == 'production' }}

I feel confident enough to do it live but we can generate provenance for a non-production release if you'd like. Note that all attestations will be available for view on https://github.com/cli/cli/attestations. So if we do decide to generate non-production attestations, they will appear on that page alongside the production attestations.
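The layout williammartin proposes above (a single attestation step in the release job, gated on the environment input), written out as an added example rather than the workflow file from this PR; the job names, the `workflow_dispatch` input and the `dist/` collection step are assumptions taken from the discussion:

```yaml
# Added illustration, not the cli/cli release workflow from this PR.
# Assumed: a workflow_dispatch input named "environment", platform
# jobs (linux, macos, windows) that upload their binaries as artifacts,
# and a release job that collects them into dist/ as shown above.
on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options: [production, staging]

jobs:
  release:
    runs-on: ubuntu-latest
    needs: [linux, macos, windows]
    permissions:
      contents: write      # publish the release
      id-token: write      # mint the OIDC token that Sigstore signs against
      attestations: write  # store the provenance under the repo's attestations
    steps:
      # With no "name", every uploaded artifact lands in its own directory
      - uses: actions/download-artifact@v4

      - name: Merge built binaries
        run: mv -v {linux,macos,windows}/gh_* dist/

      # One step covers every gh_* artifact. Gating on the environment keeps
      # test releases from publishing attestations that would otherwise show
      # up alongside production ones at github.com/cli/cli/attestations.
      - name: Generate build provenance
        if: inputs.environment == 'production'
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: 'dist/gh_*'

      # Consumers check a downloaded artifact against the recorded provenance:
      #   gh attestation verify dist/<artifact> --repo cli/cli
```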

williammartin (Member) left a comment

LGTM thank you. Looking forward to trying it out.

@williammartin williammartin merged commit e550933 into cli:trunk May 28, 2024
8 checks passed
@malancas malancas deleted the build-provenance branch May 28, 2024 16:11
Labels: external (pull request originating outside of the CLI core team)
Project: The GitHub CLI (Needs review 🤔)
Development: successfully merging this pull request may close the issue "Update GitHub CLI release process to generate artifact attestations"
5 participants