CI: Add GitHub artifact attestations to package distribution #7427
@@ -22,6 +22,7 @@ jobs: | |
permissions: | ||
contents: write # for softprops/action-gh-release to create GitHub release | ||
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | ||
attestations: write # for GitHub attestations | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
|
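Review bot: `id-token: write` on the line just above the new permission is also required by `actions/attest-build-provenance` (it obtains its Sigstore signing identity through OIDC), so the existing `# IMPORTANT: this permission is mandatory for trusted publishing` comment now under-documents it; suggest extending it to something like `id-token: write # IMPORTANT: mandatory for trusted publishing and for artifact attestations` so that a later removal of trusted publishing does not silently break the attestation step. The new `attestations: write # for GitHub attestations` line is correctly job-scoped rather than workflow-wide.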
@@ -31,10 +32,6 @@ jobs: | |
with: | ||
python-version: "3.12" | ||
|
||
- name: Install Twine | ||
run: | | ||
pip install twine | ||
|
||
- uses: actions/download-artifact@v3 | ||
id: download | ||
with: | ||
|
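Review bot: Removing the `Install Twine` step leaves no `twine` on the runner's PATH, so this is only safe if every remaining `twine` invocation in the workflow goes through `pipx run`; the hunk shows the removal but not all consumers, so please confirm. The `Verify the distribution` step later in this diff does use `pipx run twine check --strict dist/*`, but that form resolves an unpinned latest twine at run time; consider pinning it, e.g. `pipx run --spec 'twine==<version>' twine check --strict dist/*`, so the verification tool is reproducible across releases.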
@@ -48,6 +45,26 @@ jobs: | |
python -m build --no-isolation --skip-dependency-check --sdist . | ||
ls -la ${{ github.workspace }}/dist | ||
|
||
- name: Generate artifact attestation for sdist and wheels | ||
uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2 | ||
Would it make sense to create the attestation as close to artifact generation as possible, e.g. in the job

@lagru Good question/point. I think that to some degree I would say yes, but if you want to only create attestations for releases and not just every run of the CI then you would either need to totally refactor the jobs:

    call-workflow-build-wheels:
      uses: ./.github/workflows/wheels_recipe.yml

workflow to know about release situations (probably not worth it) or just do the slightly less perfect situation of this PR (signing the wheels just after download...the sdist is signed immediately after build here at least).

Okay, I think we can probably come up with a solution that uses
||
with: | ||
subject-path: "dist/scikit_image-*" | ||
Comment on lines +48 to +51:

c.f. https://github.com/actions/attest-build-provenance for more information. Once this runs during a release the attestations will be uploaded to https://github.com/scikit-image/scikit-image/attestations and can be verified from a wheel or sdist artifact using the
||
|
||
- name: Verify the distribution | ||
run: pipx run twine check --strict dist/* | ||
|
||
# Ensure that a compromised twine couldn't have altered the distributions | ||
# Required to resolve sdist and wheels separately | ||
- name: Verify sdist artifact attestation | ||
env: | ||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
run: gh attestation verify dist/scikit_image-*.tar.gz --repo ${{ github.repository }} | ||
|
||
- name: Verify wheel artifact attestation | ||
env: | ||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
run: gh attestation verify dist/scikit_image-*.whl --repo ${{ github.repository }} | ||
|
||
# We prefer to release wheels before source because otherwise there is a | ||
# small window during which users who pip install scikit-image will require compilation. | ||
- name: Publish package distributions to PyPI | ||
|
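Review bot: `gh attestation verify` accepts a single subject path, so `run: gh attestation verify dist/scikit_image-*.whl --repo ${{ github.repository }}` in the `Verify wheel artifact attestation` step will fail as soon as the shell expands the glob to more than one wheel (the sdist step is fine because only one `.tar.gz` matches); loop over the files instead, e.g.
`run: for f in dist/scikit_image-*.whl; do gh attestation verify "$f" --repo ${{ github.repository }}; done`
The ordering otherwise does what the `# Ensure that a compromised twine couldn't have altered the distributions` comment intends: the attestation is generated before `twine check` touches `dist/`, and both verify steps run before the publish step, so any modification of the artifacts in between would fail verification. Pinning the action to a full commit SHA with a `# v1.1.2` version comment is the right pattern; keep it when the verify tooling is pinned as well.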
Oh, so they do require write access? 🙃

Yeah, they require the following permissions:
c.f. https://github.com/actions/attest-build-provenance?tab=readme-ov-file#usage