cpp-linter / .github

Global configurations for cpp-linter organization on GitHub
MIT License

Update py-publish.yml to generate build provenance attestations #29

Closed shenxianpeng closed 3 weeks ago

shenxianpeng commented 3 weeks ago

ref to #28. Updating .github/workflows/py-publish.yml will allow all released Python packages in the cpp-linter org to support generating attestations. Then users can verify artifact attestations with the GitHub CLI if they need to.

shenxianpeng commented 3 weeks ago

It would probably be a good idea to save the generated digest as artifacts (for now).

I suppose there is no need to save the generated digest as artifacts because it has already been saved at https://github.com/cpp-linter/clang-tools-static-binaries/attestations

2bndy5 commented 3 weeks ago

But that is just for the static binaries. This workflow is for python publishing. Am I still misunderstanding attestations?

shenxianpeng commented 3 weeks ago

For a Python .whl package it should be the same as for the static binaries. For example https://github.com/commit-check/commit-check/attestations: users can download the .whl and verify attestations like

pip download commit-check
Collecting commit-check
  Using cached commit_check-0.8.0-py3-none-any.whl.metadata (8.8 kB)
Collecting pyyaml (from commit-check)
  Using cached PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (2.1 kB)
Using cached commit_check-0.8.0-py3-none-any.whl (11 kB)
Using cached PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (705 kB)
Saved ./commit_check-0.8.0-py3-none-any.whl
Saved ./PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Successfully downloaded commit-check pyyaml

gh attestation verify commit_check-0.8.0-py3-none-any.whl -R commit-check/commit-check
Loaded digest sha256:bdab08d78123da1c20b38e96d485c5660c4e85fd26f4b026d6002dac3493676e for file://commit_check-0.8.0-py3-none-any.whl
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:bdab08d78123da1c20b38e96d485c5660c4e85fd26f4b026d6002dac3493676e was attested by:
REPO                       PREDICATE_TYPE                  WORKFLOW                                              
commit-check/commit-check  https://slsa.dev/provenance/v1  .github/workflows/publish-package.yml@refs/tags/v0.8.0

2bndy5 commented 3 weeks ago

Oh, ok. I didn't know you plan to use gh-cli to verify. According to the gh attestation verify docs:

By default, the verify command will attempt to fetch attestations associated with the provided artifact from the GitHub API. If you would prefer to verify the artifact using attestations stored on disk (c.f. the download command), provide a path to the --bundle flag.

I was expecting we'd have to keep track of the attestations locally. I did not know what tool you planned to use (or the tool's behavior).

Given the use of gh-cli, I guess it isn't necessary to save the attestation as downloadable artifacts. Still, I'm unsure of where exactly the gh-cli tool is fetching the appropriate attestation. Obviously, I'll learn as I follow your progress 😉
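
An added example (not code from cpp-linter, commit-check or the gh CLI) of what the lookup in the `gh attestation verify` output above amounts to: the artifact's sha256 digest is the key, an attestation is an in-toto Statement wrapped in a DSSE envelope whose `subject` must carry that digest, and the SLSA v1 predicate names the building workflow. The script reproduces only that digest matching plus the predicate-type and builder checks, offline, against a constructed wheel and a constructed unsigned bundle; it does not do the Sigstore signature and certificate-chain verification that gh also performs, and it reads the workflow from the predicate (gh takes it from the signing certificate), so it illustrates the lookup and is not a substitute for the CLI. The bundle shape (`dsseEnvelope` with a base64 payload) and predicate layout follow GitHub's build-provenance attestations; the helper names are assumptions of this example.

```python
"""Offline illustration of the subject-matching step of `gh attestation verify`.

Added example, not code from cpp-linter, commit-check or the gh CLI.
Only the digest lookup and policy checks are shown; the Sigstore
signature/certificate verification that gh performs is deliberately omitted.
"""
import base64
import hashlib
import json
import tempfile
from pathlib import Path

SLSA_V1 = "https://slsa.dev/provenance/v1"
GH_WORKFLOW_BUILDTYPE = "https://actions.github.io/buildtypes/workflow/v1"


def sha256_of_file(path):
    """Digest gh prints as 'Loaded digest sha256:... for file://...'."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def statement_from_bundle(bundle):
    """Decode the in-toto Statement carried in the bundle's DSSE envelope."""
    env = bundle["dsseEnvelope"]
    if env["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType %r" % env["payloadType"])
    return json.loads(base64.b64decode(env["payload"]))


def check_attestation(artifact_path, bundle, repo, signer_workflow=None):
    """Return (ok, reason).

    ok only if a subject digest equals the file's sha256, the predicate is
    SLSA v1, and the provenance names `repo` (and `signer_workflow`, if given)
    as the builder. Without signature verification these fields are
    attacker-controlled; this mirrors the -R / --signer-workflow policy only.
    """
    digest = sha256_of_file(artifact_path)
    stmt = statement_from_bundle(bundle)
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False, "no subject with digest sha256:%s" % digest
    if stmt.get("predicateType") != SLSA_V1:
        return False, "unexpected predicateType %r" % stmt.get("predicateType")
    wf = stmt["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
    if wf["repository"] != "https://github.com/" + repo:
        return False, "built in %s, not %s" % (wf["repository"], repo)
    if signer_workflow and wf["path"] != signer_workflow:
        return False, "signed by %s, expected %s" % (wf["path"], signer_workflow)
    return True, "sha256:%s attested by %s %s@%s" % (digest, repo, wf["path"], wf["ref"])


def make_demo_bundle(artifact_path, repo, workflow_path, ref):
    """Constructed, unsigned bundle in the shape gh stores (demo input only)."""
    stmt = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": Path(artifact_path).name,
                     "digest": {"sha256": sha256_of_file(artifact_path)}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": GH_WORKFLOW_BUILDTYPE,
                "externalParameters": {"workflow": {
                    "ref": ref, "repository": "https://github.com/" + repo,
                    "path": workflow_path}}},
            "runDetails": {"builder": {
                "id": "https://github.com/%s/%s@%s" % (repo, workflow_path, ref)}}},
    }
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
            "dsseEnvelope": {"payload": payload,
                             "payloadType": "application/vnd.in-toto+json",
                             "signatures": []}}


def demo():
    """Constructed wheel bytes; returns (genuine ok, tampered ok, wrong-repo ok)."""
    repo, wf = "commit-check/commit-check", ".github/workflows/publish-package.yml"
    with tempfile.TemporaryDirectory() as d:
        wheel = Path(d, "commit_check-0.8.0-py3-none-any.whl")
        wheel.write_bytes(b"PK\x03\x04 constructed stand-in for wheel bytes")
        bundle = make_demo_bundle(wheel, repo, wf, "refs/tags/v0.8.0")
        ok, _ = check_attestation(wheel, bundle, repo, signer_workflow=wf)
        tampered = Path(d, "tampered.whl")
        tampered.write_bytes(b"PK\x03\x04 one byte changed")
        bad_digest, _ = check_attestation(tampered, bundle, repo)
        bad_repo, _ = check_attestation(wheel, bundle, "someone-else/commit-check")
        return ok, bad_digest, bad_repo


if __name__ == "__main__":
    print(demo())
```

The three outcomes in `demo()` are the cases a practitioner cares about: the untouched wheel passes, a modified wheel fails because its digest matches no subject (this is why the attestation need not be shipped next to the artifact: the digest is the lookup key), and a wheel whose provenance names a different repository fails the `-R` policy. In real use the digest lookup and the signature check both happen inside gh, either against the API or against a bundle saved with `gh attestation download` and passed via `--bundle`.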

shenxianpeng commented 3 weeks ago

I'm a newbie too, getting better together 😆

shenxianpeng commented 3 weeks ago

I assume all review comments are addressed and I feel ready to merge.

2bndy5 commented 3 weeks ago

yep. LGTM

shenxianpeng commented 2 weeks ago

The attestation was created at https://github.com/cpp-linter/cpp-linter-hooks/attestations when the publish job ran: https://github.com/cpp-linter/cpp-linter-hooks/actions/runs/9608722570