Use GitHub attestation to validate no changes

* If twine became comprimised and altered the distributions _after_ they had an attestation created for them then the attestation check would fail.
scikit-image · May 23, 2024 · 4dbbab8 · 4dbbab8
1 parent 36e5753
commit 4dbbab8
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/.github/workflows/wheel_tests_and_release.yml b/.github/workflows/wheel_tests_and_release.yml
@@ -45,14 +45,26 @@ jobs:
           python -m build --no-isolation --skip-dependency-check --sdist .
           ls -la ${{ github.workspace }}/dist
 
-      - name: Verify the distribution
-        run: pipx run twine check --strict dist/*
-
       - name: Generate artifact attestation for sdist and wheels
         uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
         with:
           subject-path: "dist/scikit_image-*"
 
+      - name: Verify the distribution
+        run: pipx run twine check --strict dist/*
+
+      # Ensure that a comprimised twine couldn't have altered the distributions
+      # Required to resolved sdist and whl separately
+      - name: Verify sdist artifact attestation
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh attestation verify dist/scikit_image-*.tar.gz --repo ${{ github.repository }}
+
+      - name: Verify wheel artifact attestation
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh attestation verify dist/scikit_image-*.whl --repo ${{ github.repository }}
+
       # We prefer to release wheels before source because otherwise there is a
       # small window during which users who pip install scikit-image will require compilation.
       - name: Publish package distributions to PyPI