Using Artifact Attestations #13965
Comments
Also, since this may be useful in multiple projects, happy to move this issue to a more general place (if someone would like to recommend a location 🙂).
I'm happy to review PRs for this. I'm realistically a bit busy with physics conferences in the next weeks to make them, but happy to review. :)
Ah, the ping here was intended as "Thank you for this suggestion! We will work on next steps." Please don't feel under any obligation to do anything 😌 That said, we would definitely appreciate your help reviewing 😄
Thank you @jakirkham for bringing this up; GitHub's beta launch has been on my radar. There are a few concerns that block this at the moment:
There is no need for any action at the moment. Thank you for raising it though, it's quite timely!
Thanks Jannis! 🙏 Where would I find more information about existing discussions on these topics?
@jezdez Here would something like https://github.com/sigstore/gh-action-sigstore-python be more appropriate in your mind?
I don't follow the conda community security team meetings, but if you have general feedback and information here it would be great to get that information into the SPEC 8 draft (scientific-python/summit-2024#9). I think we'd all be very keen to learn from the discussions you've had.
What is the idea?
Recently at the Scientific Python Summit @matthewfeickert pointed out that GitHub has provided support for Artifact Attestations using Sigstore (scientific-python/summit-2024#9). This is also covered in this GitHub blogpost from last month.
The process uses artifacts built in a GitHub Actions workflow to create the Attestation. Given we have recently gone through the work of setting up Conda (#13399) and Conda-Build (conda/conda-build#5340) to use GitHub Actions to create source artifacts, I think it would be a good idea to go a step further and set up Attestations for them as well.
Given both Conda & Conda-build (and possibly other Conda projects, especially those in the incubator) could benefit, we may want to set this up in a shared space.
Why is this needed?
This would provide clarity to consumers of our source artifacts on how they were generated, with checksums, links to the GHA workflow used, author, etc.
Generally this should help provide consumers more trust around our artifact process
What should happen?
AIUI there are 2 main pieces: the upload.yml workflow that produces our source artifacts would need these permission changes. Then after the source artifact is created, we would add this step to generate the attestations.
Have copied and tweaked these from the GitHub blogpost above
Additional Context
No response
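For readers who want to see what the two pieces (token permissions and the attestation step) look like together, the following job is an added illustration and is not conda's upload.yml or anything pasted in this issue. The permissions and the actions/attest-build-provenance step follow GitHub's public documentation for that action; the job name, build command, artifact glob and action versions are assumptions.

```yaml
# Added example (not conda's upload.yml): a minimal GitHub Actions job that builds a
# source artifact and attaches a Sigstore-backed build-provenance attestation to it.
name: upload

on:
  release:
    types: [published]

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    # Least-privilege token: grant only what the attestation action needs.
    permissions:
      contents: read        # check out the repository
      id-token: write       # mint the OIDC token Sigstore binds the signature to
      attestations: write   # store the attestation in the repository's attestation log
    steps:
      - uses: actions/checkout@v4

      - name: Build source artifact
        # Assumed build command; writes dist/*.tar.gz
        run: pip install build && python -m build --sdist

      - name: Generate build provenance attestation
        # In a real workflow, pin the action to a full commit SHA rather than a mutable tag.
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*.tar.gz   # assumed artifact glob; one attestation per matching file

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: sdist
          path: dist/*.tar.gz
```

A consumer can then check a downloaded file with `gh attestation verify dist/<file>.tar.gz --owner conda`, which validates the Sigstore signature and confirms the provenance names a workflow from that organization.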