Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attest package provenance #12333

Merged
merged 5 commits into from
May 17, 2024
Merged

Attest package provenance #12333

merged 5 commits into from
May 17, 2024
+10 −2

Conversation

nicoddemus
Copy link
Member

This uses the new build provenance support added in build-and-inspect-python-package 2.5.0.

More information: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

Tested also in pytest-dev/pytest-mock#431.

Note: even though it is technically necessary only for the deploy workflow, as the test workflow does not publish its packages, decided to always attest the provenance in both cases to avoid any surprises related to this (say a misconfiguration) when deploying.

nicoddemus and others added 2 commits May 16, 2024 08:08
@nicoddemus
Attest package provenance
2812a61 
This uses the new build provenance support added in [build-and-inspect-python-package 2.5.0](https://github.com/hynek/build-and-inspect-python-package/blob/main/CHANGELOG.md#250---2024-05-13).

More information: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

Tested also in pytest-dev/pytest-mock#431.

Note: even though it is technically necessary only for the `deploy` workflow, as the `test` workflow does not publish its packages, decided to always attest the provenance in both cases to avoid any surprises related to this (say a misconfiguration) when deploying.
@pre-commit-ci
[pre-commit.ci] auto fixes from pre-commit.com hooks
3fd5b86 
for more information, see https://pre-commit.ci
@nicoddemus
Copy link
Member Author

Provenance information created: https://github.com/pytest-dev/pytest/actions/runs/9111218324/attempts/1#summary-25047879854

@bluetech
Copy link
Member

LGTM. I tested that I can verify the files, and also that if I corrupt one of the files it doesn't verify.

Maybe add a release note telling people that we're now doing that? (Perhaps call it "experimental")

Note: even though it is technically necessary only for the deploy workflow, as the test workflow does not publish its packages, decided to always attest the provenance in both cases to avoid any surprises related to this (say a misconfiguration) when deploying.

I think maybe we shouldn't create "useless" attestations like these:

  • It feels to me like something that should only be done for files that are truly intended to be distributed, this way we have the property "distributed <=> signed" rather than just "distributed => signed" which seems vaguely useful.
  • Each attestation like this will basically be stored in several immutable stores forever and it seems maybe not so nice to do it for every random workflow run...
  • The commit in the attestation seems to lead nowhere, I guess it's because it's a PR?

@nicoddemus
Copy link
Member Author

nicoddemus commented May 16, 2024
edited

The commit in the attestation seems to lead nowhere, I guess it's because it's a PR?

Hmm that's strange, perhaps that's the merge commit? 🤔

EDIT:

image

Yep, that's 3fd5b86 from this branch merged with fdf3aa3 (main when that executed).

For our actual releases this should not be a problem, as they are triggered directly from the branch, not from a PR.

@nicoddemus
Copy link
Member Author

Maybe add a release note telling people that we're now doing that? (Perhaps call it "experimental")

Done, wording suggestions are welcome.

It feels to me like something that should only be done for files that are truly intended to be distributed, this way we have the property "distributed <=> signed" rather than just "distributed => signed" which seems vaguely useful.

Each attestation like this will basically be stored in several immutable stores forever and it seems maybe not so nice to do it for every random workflow run...

Good points, undid it for test.yml.

bluetech
bluetech approved these changes May 17, 2024
View reviewed changes
changelog/12333.trivial.rst Outdated Show resolved Hide resolved
@nicoddemus @bluetech
Update changelog/12333.trivial.rst
f0a84d3 
Co-authored-by: Ran Benita <ran@unusedvar.com>
@nicoddemus nicoddemus merged commit 635fbe2 into main May 17, 2024
23 checks passed
@nicoddemus nicoddemus deleted the attest-build-provenance branch May 17, 2024 11:19
@nicoddemus nicoddemus added the backport 8.2.x Apply on merged PRs, backports the changes to the 8.2.x branch label May 17, 2024
@github-actions github-actions bot mentioned this pull request May 17, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RonnyPfannschmidt RonnyPfannschmidt RonnyPfannschmidt approved these changes

@bluetech bluetech bluetech approved these changes

Assignees
No one assigned
Labels
backport 8.2.x Apply on merged PRs, backports the changes to the 8.2.x branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@nicoddemus @bluetech @RonnyPfannschmidt