Add build-provenance in publish-commit-bottles.yml #160941
Conversation
Adds an extra step after pr-pull in publish-commit-bottles.yml to generate build provenance for bottles that get published. This requires a small change in `Homebrew/brew` to retain the temporary directory and to expose the path to the following workflow steps. That change must be merged first before this change will work.
I will wait to mark this as ready for review until the PR mentioned above is merged. In the meantime, if @Bo98, @carlocab, @MikeMcQuaid, @woodruffw have any feedback about testing this or the above PR, please let me know!
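One way the extra step described above could look in a workflow, as an added example that is not this PR's actual diff. It assumes that `brew pr-pull` has a `--retain-bottle-dir` flag and writes a `bottle_path` step output (the `Homebrew/brew` change the description refers to), and that the early-access action takes the files to attest through a `subject-path` input as its README describes; the job needs `id-token: write` and `attestations: write` so the provenance statement can be signed and stored.

```yaml
# Added example: a trimmed job showing where the provenance step sits.
# Assumptions: `brew pr-pull --retain-bottle-dir` keeps the bottle download
# directory and exposes it as the `bottle_path` output of the step; the
# action's `subject-path` input name follows its README.
name: Publish commit bottles (example)

on:
  workflow_dispatch:
    inputs:
      pull_request:
        description: Pull request number
        required: true

jobs:
  bottle:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # brew pr-pull pushes the bottle commit
      id-token: write       # OIDC token used to sign the provenance statement
      attestations: write   # store the attestation on the repository
    steps:
      - name: Set up Homebrew
        uses: Homebrew/actions/setup-homebrew@master

      - name: Pull and publish bottles
        id: pr-pull
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Pass the user-controlled input through the environment rather than
          # interpolating it into the shell command, so it cannot alter the script.
          PR: ${{ inputs.pull_request }}
        run: brew pr-pull --retain-bottle-dir "$PR"

      - name: Generate build provenance
        uses: github-early-access/generate-build-provenance@main
        with:
          # Every bottle that was just published gets its own attestation
          # (assumed output name; set by the retained-directory change in brew).
          subject-path: ${{ steps.pr-pull.outputs.bottle_path }}/*.tar.gz
```

The provenance step must run only after `pr-pull` has uploaded the bottles, so that the attested digests are those of the artifacts users will actually download.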
Makes sense to me! Happy for this to be merged as-is and reverted if it causes issues.
That works for me, we'll definitely have to keep an eye out after merging on the publish-commit-bottles action but if I missed anything, it should be obvious.
Co-authored-by: Bo Anderson <mail@boanderson.me>
Let's try this...
Ok, I guess that worked? https://github.com/Homebrew/homebrew-core/actions/runs/7679301023/job/20930044698#step:9:1 I don't see this though: https://github.com/github-early-access/generate-build-provenance#where-does-the-attestation-go I also get a 404 from https://github.com/Homebrew/homebrew-core/attestations/378699
Thank you for merging @carlocab, it looks like it is working! I can see the attestation page you linked. I think that because the feature is still in early access, they haven't rolled it out to everyone yet.
Great work here @josephsweeney! @carlocab: I'll see about getting you added to the private beta (along with the other org members) 🙂
@carlocab You should have access to those URLs now! (I've also asked them to add @MikeMcQuaid and @Bo98 initially -- adding everyone from the Homebrew org is manual on their side, but anybody else who wants early access can be added!)
Put me in coach! |
@josephsweeney Me too, please! |
@MikeMcQuaid I believe you have been added. Can you see the attestations here? |
@josephsweeney Yup, got them now thanks! |