CI: Add GitHub artifact attestations to package distribution #7427
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -22,6 +22,7 @@ jobs: | |
| permissions: | ||
| contents: write # for softprops/action-gh-release to create GitHub release | ||
| id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | ||
| attestations: write # for GitHub attestations | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
|
|
@@ -31,10 +32,6 @@ jobs: | |
| with: | ||
| python-version: "3.12" | ||
|
|
||
| - uses: actions/download-artifact@v3 | ||
| id: download | ||
| with: | ||
|
|
@@ -48,6 +45,26 @@ jobs: | |
| python -m build --no-isolation --skip-dependency-check --sdist . | ||
| ls -la ${{ github.workspace }}/dist | ||
|
|
||
| - name: Generate artifact attestation for sdist and wheels | ||
| uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2 | ||
|
There was a problem hiding this comment. Would it make sense to create the attestation as close to artifact generation as possible, e.g. in the job There was a problem hiding this comment. @lagru Good question/point. I think that to some degree I would say yes, but if you want to only create attestations for releases and not just every run of the CI then you would either need to totally refactor the jobs:
call-workflow-build-wheels:
uses: ./.github/workflows/wheels_recipe.ymlworkflow to know about release situations (probably not worth it) or just do the slightly less perfect situation of this PR (signing the wheels just after download...the sdist is signed immediatley after build here at least). There was a problem hiding this comment. Okay, I thing we can probably come up with a solution that uses |
||
| with: | ||
| subject-path: "dist/scikit_image-*" | ||
|
Comment on lines
+48
to
+51
There was a problem hiding this comment. c.f. https://github.com/actions/attest-build-provenance for more information. Once this runs during a release the attestations will be uploaded to https://github.com/scikit-image/scikit-image/attestations and can be verified from a wheel or sdist artifact using the |
||
|
|
||
| - name: Verify the distribution | ||
| run: pipx run twine check --strict dist/* | ||
|
|
||
| # Ensure that a compromised twine couldn't have altered the distributions | ||
| # Required to resolve sdist and wheels separately | ||
| - name: Verify sdist artifact attestation | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh attestation verify dist/scikit_image-*.tar.gz --repo ${{ github.repository }} | ||
|
|
||
| - name: Verify wheel artifact attestation | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh attestation verify dist/scikit_image-*.whl --repo ${{ github.repository }} | ||
|
|
||
| # We prefer to release wheels before source because otherwise there is a | ||
| # small window during which users who pip install scikit-image will require compilation. | ||
| - name: Publish package distributions to PyPI | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, so they do require write access? 🙃
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, they require the following permissions:
c.f. https://github.com/actions/attest-build-provenance?tab=readme-ov-file#usage