-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attest package provenance #12333
Attest package provenance #12333
Conversation
This uses the new build provenance support added in [build-and-inspect-python-package 2.5.0](https://github.com/hynek/build-and-inspect-python-package/blob/main/CHANGELOG.md#250---2024-05-13). More information: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ Tested also in pytest-dev/pytest-mock#431. Note: even though it is technically necessary only for the `deploy` workflow, as the `test` workflow does not publish its packages, decided to always attest the provenance in both cases to avoid any surprises related to this (say a misconfiguration) when deploying.
for more information, see https://pre-commit.ci
Provenance information created: https://github.com/pytest-dev/pytest/actions/runs/9111218324/attempts/1#summary-25047879854 |
LGTM. I tested that I can verify the files, and also that if I corrupt one of the files it doesn't verify. Maybe add a release note telling people that we're now doing that? (Perhaps call it "experimental")
I think maybe we shouldn't create "useless" attestations like these:
|
Hmm that's strange, perhaps that's the merge commit? 🤔 EDIT: Yep, that's 3fd5b86 from this branch merged with fdf3aa3 (main when that executed). For our actual releases this should not be a problem, as they are triggered directly from the branch, not from a PR. |
Done, wording suggestions are welcome.
Good points, undid it for |
Co-authored-by: Ran Benita <ran@unusedvar.com>
This uses the new build provenance support added in build-and-inspect-python-package 2.5.0.
More information: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
Tested also in pytest-dev/pytest-mock#431.
Note: even though it is technically necessary only for the
deploy
workflow, as thetest
workflow does not publish its packages, decided to always attest the provenance in both cases to avoid any surprises related to this (say a misconfiguration) when deploying.