github-action: enable provenance (#2014)

.github/actions/build-distribution/action.yml

@@ -0,0 +1,21 @@
+---
+
+name: common build distribution tasks
+description: Run the build distribution
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.10"
+
+    - name: Build lambda layer zip
+      run: ./dev-utils/make-distribution.sh
+      shell: bash
+
+    - uses: actions/upload-artifact@v4
+      with:
+        name: build-distribution
+        path: ./build/
+        if-no-files-found: error

.github/actions/packages/action.yml

@@ -0,0 +1,31 @@
+---
+
+name: common package tasks
+description: Run the packages
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.10"
+    - name: Override the version if there is no tag release.
+      run: |
+        if [[ "${GITHUB_REF}" != refs/tags/* ]]; then
+          echo "ELASTIC_CI_POST_VERSION=${{ github.run_id }}" >> "${GITHUB_ENV}"
+        fi
+      shell: bash
+    - name: Build packages
+      run: ./dev-utils/make-packages.sh
+      shell: bash
+    - name: Upload Packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: packages
+        path: |
+          dist/*.whl
+          dist/*tar.gz
+    - name: generate build provenance
+      uses: github-early-access/generate-build-provenance@main
+      with:
+        subject-path: "${{ github.workspace }}/dist/*"

.github/dependabot.yml

@@ -29,3 +29,30 @@ updates:
       github-actions:
         patterns:
           - "*"
+
+  # GitHub composite actions
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/packages"
+    reviewers:
+      - "elastic/observablt-ci"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "22:00"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/build-distribution"
+    reviewers:
+      - "elastic/observablt-ci"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "22:00"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/packages.yml

@@ -18,27 +18,10 @@ permissions:
 
 jobs:
   build:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.10"
-      - name: Override the version if there is no tag release.
-        run: |
-          if [[ "${GITHUB_REF}" != refs/tags/* ]]; then
-            echo "ELASTIC_CI_POST_VERSION=${{ github.run_id }}" >> "${GITHUB_ENV}"
-          fi
-      - name: Install wheel
-        run: pip install --user wheel
-      - name: Building universal wheel
-        run: python setup.py bdist_wheel
-      - name: Building source distribution
-        run: python setup.py sdist
-      - name: Upload Packages
-        uses: actions/upload-artifact@v4
-        with:
-          name: packages
-          path: |
-            dist/*.whl
-            dist/*tar.gz
+      - uses: ./.github/actions/packages

.github/workflows/release.yml

@@ -18,7 +18,13 @@ jobs:
       enabled: ${{ startsWith(github.ref, 'refs/tags') }}
 
   packages:
-    uses: ./.github/workflows/packages.yml
+    permissions:
+      id-token: write
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/packages
 
   publish-pypi:
     needs:
@@ -46,7 +52,17 @@ jobs:
           repository-url: https://test.pypi.org/legacy/
 
   build-distribution:
-    uses: ./.github/workflows/build-distribution.yml
+    permissions:
+      id-token: write
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/build-distribution
+      - name: generate build provenance
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/build/dist/elastic-apm-python-lambda-layer.zip"
 
   publish-lambda-layers:
     needs:
@@ -63,7 +79,7 @@ jobs:
           secrets: |
             secret/observability-team/ci/service-account/apm-agent-python access_key_id | AWS_ACCESS_KEY_ID ;
             secret/observability-team/ci/service-account/apm-agent-python secret_access_key | AWS_SECRET_ACCESS_KEY
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: build-distribution
           path: ./build
@@ -86,6 +102,9 @@ jobs:
     needs:
       - build-distribution
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
     env:
       DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-python
     steps:
@@ -97,7 +116,7 @@ jobs:
           url: ${{ secrets.VAULT_ADDR }}
           roleId: ${{ secrets.VAULT_ROLE_ID }}
           secretId: ${{ secrets.VAULT_SECRET_ID }}
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: build-distribution
           path: ./build
@@ -107,25 +126,30 @@ jobs:
           if [ "${{ startsWith(github.ref, 'refs/tags') }}" == "false" ] ; then
             # for testing purposes
             echo "tag=test" >> "${GITHUB_OUTPUT}"
+            echo "latest=test-latest" >> "${GITHUB_OUTPUT}"
           else
             # version without v prefix (e.g. 1.2.3)
             echo "tag=${GITHUB_REF_NAME/v/}" >> "${GITHUB_OUTPUT}"
+            echo "latest=latest" >> "${GITHUB_OUTPUT}"
           fi
-      - name: Docker build
-        run: >-
-          docker build
-          -t ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}
-          --build-arg AGENT_DIR=./build/dist/package/python
-          .
-      - name: Docker retag
-        run: >-
-          docker tag
-          ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}
-          ${{ env.DOCKER_IMAGE_NAME }}:latest
-      - name: Docker push
-        if: startsWith(github.ref, 'refs/tags')
-        run: |-
-          docker push --all-tags ${{ env.DOCKER_IMAGE_NAME }}
+      - name: Build and push image
+        id: push
+        uses: docker/build-push-action@v5.3.0
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}
+            ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.latest }}
+          build-args: |
+            AGENT_DIR=./build/dist/package/python
+
+      - name: Attest image
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}"
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: false
 
   github-draft:
     permissions:

.github/workflows/test.yml

@@ -35,7 +35,11 @@ permissions:
 
 jobs:
   build-distribution:
-    uses: ./.github/workflows/build-distribution.yml
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/build-distribution
+
 
   create-matrix:
     runs-on: ubuntu-latest

dev-utils/make-packages.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Make a Python APM agent distribution
+#
+
+echo "::group::Install wheel"
+pip install --user wheel
+echo "::endgroup::"
+
+echo "::group::Building universal wheel"
+python setup.py bdist_wheel
+echo "::endgroup::"
+
+echo "::group::Building source distribution"
+python setup.py sdist
+echo "::endgroup::"