Add native build artifact attestations#175

Merged
zackees merged 1 commit into main from codex/native-build-attestations
Apr 22, 2026

Conversation

@zackees (Member) commented Apr 22, 2026

Summary

  • Adds artifact attestation permissions to the manual native build workflow and reusable native build template.
  • Generates SHA256SUMS.txt for staged native artifacts before upload.
  • Attests staged native artifacts with actions/attest-build-provenance@v3 and documents verification steps.

Validation

  • git diff --check
  • Parsed all workflow YAML files with PyYAML

Notes: this follow-up was rebuilt from current origin/main so it preserves the already-merged release retry and PyPI Trusted Publisher environment docs.

Summary by CodeRabbit

  • Documentation

    • Added Native Build Attestations documentation with SHA256 checksum verification instructions and GitHub attestation verification commands for native artifacts.
  • Chores

    • Enhanced CI/CD workflow security permissions for attestations and identity-based signing.
    • Implemented automated build provenance attestation for native artifacts.
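
The checksum generation and download-side verification that this PR describes, as an added shell example that is not code from the PR or the project. It assumes GNU coreutils (sha256sum; shasum -a 256 on macOS) and a flat staging directory of native artifacts; the artifact names are constructed, OWNER/REPO stands in for the repository the page does not name, and the --repo form of gh attestation verify is this example's choice rather than necessarily the form the README documents.

```shell
#!/usr/bin/env sh
# Added example for the checksum and verification steps this PR describes;
# not code from the PR or the project. Assumes GNU coreutils sha256sum
# (macOS: shasum -a 256) and a flat staging directory of native artifacts.
# OWNER/REPO is a placeholder because the page does not name the repository.
set -eu

# Write SHA256SUMS.txt covering every regular file in the staging directory.
# Entries are bare file names (we cd in first), so a downloader who checks
# from the same layout can run `sha256sum -c` without path fix-ups.
generate_sums() {
  dir="$1"
  (
    cd "$dir"
    : > SHA256SUMS.txt
    for f in *; do
      [ -f "$f" ] && [ "$f" != SHA256SUMS.txt ] || continue
      sha256sum "$f" >> SHA256SUMS.txt
    done
  )
}

# Download-side integrity check. Fails if any recorded hash mismatches, if a
# recorded file is absent, or if the directory holds an artifact that
# SHA256SUMS.txt does not list. `sha256sum -c` alone is silent about that
# last case, so the set of names is compared explicitly.
verify_artifacts() {
  dir="$1"
  (
    cd "$dir"
    [ -f SHA256SUMS.txt ] || { echo "missing SHA256SUMS.txt" >&2; exit 1; }
    sha256sum -c --quiet SHA256SUMS.txt || exit 1
    # Drop the 64 hex digits and the text/binary mode marker to keep names only.
    listed=$(sed 's/^[0-9a-fA-F]\{64\} [ *]//' SHA256SUMS.txt | LC_ALL=C sort)
    present=$(for f in *; do
      [ -f "$f" ] && [ "$f" != SHA256SUMS.txt ] && printf '%s\n' "$f"
    done | LC_ALL=C sort)
    [ "$listed" = "$present" ] || {
      echo "SHA256SUMS.txt does not cover exactly the staged artifacts" >&2
      exit 1
    }
  )
}

# Provenance check of the kind the PR's README documents: gh fetches the
# artifact's Sigstore bundle from GitHub and checks that it was signed by an
# Actions workflow of the named repository. Needs a recent gh CLI, an
# authenticated session and network access, so the offline demo skips it.
verify_provenance() {
  artifact="$1"
  repo="$2"   # OWNER/REPO placeholder; --repo is this example's choice of filter
  gh attestation verify "$artifact" --repo "$repo"
}

# Offline demo on constructed artifacts: clean bundle passes, tampered fails.
demo() {
  stage=$(mktemp -d)
  printf 'constructed native artifact A' > "$stage/libexample-linux-x86_64.so"
  printf 'constructed native artifact B' > "$stage/example-win-x86_64.dll"
  generate_sums "$stage"
  if verify_artifacts "$stage"; then echo "clean bundle: ok"; fi
  printf 'tampered' > "$stage/example-win-x86_64.dll"
  if ! verify_artifacts "$stage" 2>/dev/null; then echo "tampered artifact: rejected"; fi
  rm -rf "$stage"
}

demo
```

A SHA256SUMS.txt downloaded next to the artifacts only catches corruption or a mismatch within the bundle: whoever can replace the artifacts can replace the checksum file too. The attestation is what ties an artifact to a specific workflow run in the repository, so run `verify_provenance` on each artifact after the checksum pass and treat the checksum step as a sanity check, not the trust anchor.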

@coderabbitai (Bot) commented Apr 22, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f64ee7c8-8a2d-4eb2-a442-acb6b2a8a497

📥 Commits

Reviewing files that changed from the base of the PR and between e2fae1e and 70c00ec.

📒 Files selected for processing (3)
  • .github/workflows/README.md
  • .github/workflows/build.yml
  • .github/workflows/template_native_build.yml

📝 Walkthrough

This PR adds GitHub Actions build attestation capabilities to the native build workflows. Changes include adding necessary workflow permissions (contents: read, attestations: write, id-token: write), implementing SHA-256 checksum generation for staged artifacts, and attesting build provenance using GitHub's attest-build-provenance action. Documentation describing verification procedures for both Unix-like and Windows platforms is also added.

Changes

Documentation: .github/workflows/README.md
Added instructions for verifying native build attestations via SHA256SUMS.txt and gh attestation verify commands, with separate guidance for Windows and non-Windows platforms.

Workflow Permissions & Attestations: .github/workflows/build.yml, .github/workflows/template_native_build.yml
Added workflow-level permissions block enabling attestation and token signing. Introduced SHA-256 checksum generation step and attest-build-provenance@v3 action to sign native artifacts.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Checksums dance in digital rows,
Attestations bloom where trust now grows,
Artifacts signed with cryptic care,
Build provenance floats on the air!

@zackees zackees merged commit f13fc0b into main Apr 22, 2026
75 of 77 checks passed
1 participant