Closed shenxianpeng closed 3 weeks ago
It would probably be a good idea to save the generated digest as artifacts (for now).
I suppose there is no need to save the generated digest as artifacts because it has already been saved at https://github.com/cpp-linter/clang-tools-static-binaries/attestations
But that is just for the static binaries. This workflow is for python publishing. Am I still misunderstanding attestations?
For Python .whl packages it should be the same as for the static binaries. For example, at https://github.com/commit-check/commit-check/attestations users can download the .whl and verify attestations like:
pip download commit-check
Collecting commit-check
Using cached commit_check-0.8.0-py3-none-any.whl.metadata (8.8 kB)
Collecting pyyaml (from commit-check)
Using cached PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (2.1 kB)
Using cached commit_check-0.8.0-py3-none-any.whl (11 kB)
Using cached PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (705 kB)
Saved ./commit_check-0.8.0-py3-none-any.whl
Saved ./PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Successfully downloaded commit-check pyyaml
gh attestation verify commit_check-0.8.0-py3-none-any.whl -R commit-check/commit-check
Loaded digest sha256:bdab08d78123da1c20b38e96d485c5660c4e85fd26f4b026d6002dac3493676e for file://commit_check-0.8.0-py3-none-any.whl
Loaded 1 attestation from GitHub API
✓ Verification succeeded!
sha256:bdab08d78123da1c20b38e96d485c5660c4e85fd26f4b026d6002dac3493676e was attested by:
REPO PREDICATE_TYPE WORKFLOW
commit-check/commit-check https://slsa.dev/provenance/v1 .github/workflows/publish-package.yml@refs/tags/v0.8.0
Oh, ok. I didn't know you plan to use gh-cli to verify. According to the gh attestation verify docs:

By default, the verify command will attempt to fetch attestations associated with the provided artifact from the GitHub API. If you would prefer to verify the artifact using attestations stored on disk (c.f. the download command), provide a path to the --bundle flag.
I was expecting we'd have to keep track of the attestations locally. I did not know what tool you planned to use (or the tool's behavior).
Given the use of gh-cli, I guess it isn't necessary to save the attestation as downloadable artifacts. Still, I'm unsure of where exactly the gh-cli tool is fetching the appropriate attestation. Obviously, I'll learn as I follow your progress 😉
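The `gh attestation verify` run shown earlier in the thread and the `--bundle` offline path quoted from the docs both leave one check to the user: that the digest gh reports is the digest of the file you actually downloaded, and that the attestation was produced by the release workflow you expect rather than by any workflow in the repo. The script below is an added example for this thread, not code from cpp-linter or commit-check. It assumes that `gh attestation verify --format json` prints a JSON array whose elements carry a `verificationResult.statement` in-toto statement (assumed layout), and that GitHub's SLSA v1 predicate places the workflow under `predicate.buildDefinition.externalParameters.workflow` with `repository`, `path` and `ref` keys (also assumed). The sample result embedded in the block is constructed from the digest and workflow values visible in the thread.

```python
"""Cross-check a wheel's GitHub artifact attestation against the local file.

Added example for this discussion (not project code). Assumptions:
  * `gh attestation verify <file> -R <repo> --format json` returns a JSON
    array of objects with `verificationResult.statement` (assumed layout).
  * GitHub's SLSA v1 provenance stores the signing workflow under
    predicate.buildDefinition.externalParameters.workflow (assumed layout).
"""
import hashlib
import json
import subprocess
import sys

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample shaped like the assumed `--format json` output, using the
# digest and workflow that appear in the thread's gh output.
SAMPLE_RESULT = [{
    "verificationResult": {
        "statement": {
            "predicateType": SLSA_V1,
            "subject": [{
                "name": "commit_check-0.8.0-py3-none-any.whl",
                "digest": {"sha256": "bdab08d78123da1c20b38e96d485c5660c4e85fd26f4b026d6002dac3493676e"},
            }],
            "predicate": {"buildDefinition": {"externalParameters": {"workflow": {
                "repository": "https://github.com/commit-check/commit-check",
                "path": ".github/workflows/publish-package.yml",
                "ref": "refs/tags/v0.8.0",
            }}}},
        }
    }
}]


def sha256_of(path):
    """Hex sha256 of a file, computed locally (never trust the reported digest alone)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_provenance(results, local_digest, expected_repo, expected_workflow_path):
    """Return a list of problems; an empty list means every attestation matches.

    results: parsed JSON from `gh attestation verify --format json`.
    local_digest: hex sha256 computed over the downloaded wheel.
    expected_repo: "owner/name" the package must come from.
    expected_workflow_path: the only workflow file trusted to publish releases.
    """
    if not results:
        return ["no attestations returned"]
    problems = []
    for i, entry in enumerate(results):
        stmt = entry.get("verificationResult", {}).get("statement", {})
        # 1. The attested subject must be the file we hashed ourselves.
        digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
        if local_digest not in digests:
            problems.append(f"[{i}] subject digest {sorted(d for d in digests if d)} != local {local_digest}")
        # 2. Accept build provenance only, not some other predicate type.
        if stmt.get("predicateType") != SLSA_V1:
            problems.append(f"[{i}] unexpected predicateType {stmt.get('predicateType')!r}")
        # 3. Pin the repository, the workflow file and a tag ref; any workflow
        #    in the repo (e.g. one run from a PR branch) could otherwise attest.
        wf = (stmt.get("predicate", {}).get("buildDefinition", {})
              .get("externalParameters", {}).get("workflow", {}))
        if wf.get("repository") != f"https://github.com/{expected_repo}":
            problems.append(f"[{i}] repository {wf.get('repository')!r} is not {expected_repo}")
        if wf.get("path") != expected_workflow_path:
            problems.append(f"[{i}] workflow path {wf.get('path')!r} is not {expected_workflow_path}")
        if not str(wf.get("ref", "")).startswith("refs/tags/"):
            problems.append(f"[{i}] workflow ran from {wf.get('ref')!r}, not a release tag")
    return problems


def run_gh_verify(wheel, repo, bundle=None):
    """Invoke gh; with `bundle` set, verify from a downloaded bundle instead of the API."""
    cmd = ["gh", "attestation", "verify", str(wheel), "-R", repo, "--format", "json"]
    if bundle:
        cmd += ["--bundle", str(bundle)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # usage: python check_wheel.py <wheel> <owner/repo> <workflow path> [bundle.jsonl]
    wheel, repo, wf_path = sys.argv[1], sys.argv[2], sys.argv[3]
    bundle = sys.argv[4] if len(sys.argv) > 4 else None
    issues = check_provenance(run_gh_verify(wheel, repo, bundle), sha256_of(wheel), repo, wf_path)
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

Pass a bundle path as the fourth argument to exercise the `--bundle` route the docs quote above; the checks are the same either way, since `check_provenance` only looks at the parsed result and the digest you computed locally.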
I'm a newbie too, getting better together 😆
I assume all review comments are addressed and I feel ready to merge.
yep. LGTM
The attestation was created at https://github.com/cpp-linter/cpp-linter-hooks/attestations when the publish job ran: https://github.com/cpp-linter/cpp-linter-hooks/actions/runs/9608722570
Ref #28. Updating .github/workflows/py-publish.yml will allow all released Python packages in the cpp-linter org to support generating attestations. Then users can verify artifact attestations with GitHub CLI if they need to.