ci: Add GitHub artifact attestations to package distribution #993

Merged

Conversation

matthewfeickert
Member

updates:
- [github.com/python-jsonschema/check-jsonschema: 0.28.3 → 0.28.4](python-jsonschema/check-jsonschema@0.28.3...0.28.4)
@HDembinski HDembinski merged commit a2fe2ef into scikit-hep:develop May 23, 2024
9 checks passed
@HDembinski
Member

Thanks, this will be tested on the next release.

@matthewfeickert matthewfeickert deleted the ci/add-artifact-attestations branch May 23, 2024 15:24
@matthewfeickert
Member Author

matthewfeickert commented May 23, 2024

Once this runs during a release the attestations will be uploaded to https://github.com/scikit-hep/iminuit/attestations and can be verified from a wheel or sdist using the gh attestation verify CLI API. Cf. scikit-hep/pyhf#2473 for examples of that.

@HDembinski
Member

@matthewfeickert The release failed in the upload stage, see https://github.com/scikit-hep/iminuit/actions/runs/9349824358/job/25732717796
Do you have an idea? I am asking because you changed some permissions in the release script. The change looked ok to me, but we did not test it.

@HDembinski
Member

Never mind, I have not yet added GitHub as trusted publisher for iminuit. I did this for resample but apparently not iminuit.

@matthewfeickert
Member Author

https://github.com/scikit-hep/iminuit/attestations are now up and working. 👍

$ python -m pip download --no-binary :all: --no-deps iminuit
Collecting iminuit
  Downloading iminuit-2.26.0.tar.gz (2.9 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.9/2.9 MB 16.2 MB/s eta 0:00:00
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Installing backend dependencies ... done
  Preparing metadata (pyproject.toml) ... done
Saved ./iminuit-2.26.0.tar.gz
Successfully downloaded iminuit
$ gh attestation verify iminuit-*.tar.gz --repo scikit-hep/iminuit
Loaded digest sha256:a51233fbf1c2e008aa584f9eea65b6c30ed56624e4dea5d4e53370ccd84c9b4e for file://iminuit-2.26.0.tar.gz
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:a51233fbf1c2e008aa584f9eea65b6c30ed56624e4dea5d4e53370ccd84c9b4e was attested by:
REPO                PREDICATE_TYPE                  WORKFLOW                                     
scikit-hep/iminuit  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/heads/main
$ python -m pip download --no-deps iminuit
Collecting iminuit
  Downloading iminuit-2.26.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (11 kB)
Downloading iminuit-2.26.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (428 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 428.6/428.6 kB 4.4 MB/s eta 0:00:00
Saved ./iminuit-2.26.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Successfully downloaded iminuit
$ gh attestation verify iminuit-*.whl --repo scikit-hep/iminuit
Loaded digest sha256:8b32825029cebbc0df3b85cbdb389d7edf4bf608bd09d1f19efa098fbbfefaf4 for file://iminuit-2.26.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:8b32825029cebbc0df3b85cbdb389d7edf4bf608bd09d1f19efa098fbbfefaf4 was attested by:
REPO                PREDICATE_TYPE                  WORKFLOW                                     
scikit-hep/iminuit  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/heads/main

Thanks for the release, @HDembinski!
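The download-then-verify steps shown in the transcript above, turned into a fail-closed install gate. This is an added example, not part of the PR or of the iminuit project's own release tooling; it assumes an authenticated `gh` and `python -m pip` on PATH, and the package name and `--repo` value are the ones from the transcript.

```shell
#!/bin/sh
# Added example (not iminuit's code): refuse to install a package unless
# every downloaded artifact carries a GitHub attestation from the expected
# publishing repository, exactly the check `gh attestation verify` performs
# interactively in the transcript. Assumes `gh` is authenticated.
set -eu

# Verify every wheel and sdist in a directory against the publishing repo.
# Returns 0 only if all files verify; one failure fails the whole set, and
# an empty directory is also a failure because nothing was checked.
verify_dir() {
    dir="$1"; repo="$2"; failed=0; count=0
    for f in "$dir"/*.whl "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue        # skip unmatched glob patterns
        count=$((count + 1))
        # --repo pins the attesting repository, as in the transcript above.
        if gh attestation verify "$f" --repo "$repo"; then
            echo "verified: $(basename "$f")"
        else
            echo "FAILED:   $(basename "$f")" >&2
            failed=1
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "no artifacts found in $dir" >&2
        return 1
    fi
    return "$failed"
}

# Download the wheel and the sdist for one package, gate on attestations,
# then install from the verified local files only (no re-resolution from
# the index between the check and the install).
attested_install() {
    pkg="$1"; repo="$2"
    workdir="$(mktemp -d)"
    python -m pip download --no-deps -d "$workdir" "$pkg"
    python -m pip download --no-deps --no-binary :all: -d "$workdir" "$pkg"
    if verify_dir "$workdir" "$repo"; then
        python -m pip install --no-index --no-deps "$workdir"/*.whl
    else
        echo "attestation check failed; refusing to install $pkg" >&2
        return 1
    fi
}

# Usage, mirroring the transcript: sh gate.sh iminuit scikit-hep/iminuit
if [ "$#" -ge 2 ]; then
    attested_install "$1" "$2"
fi
```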
