Attest built artifacts - Githubissues

frequenz-floss / frequenz-repo-config-python

Frequenz repository setup tools and common configuration for Python

https://frequenz-floss.github.io/frequenz-repo-config-python/

MIT License

3 stars 7 forks source link

Attest built artifacts #267

Open llucax opened 2 months ago

llucax commented 2 months ago

What's needed?

GitHub has a new option to add artifact attestation to establish provenance for builds and we should use it.

Proposed solution

Add an extra step to attest the generated files:

- name: Generate artifact attestation
  uses: actions/attest-build-provenance@v1
  with:
    subject-path: 'PATH/TO/ARTIFACT'

Use cases

Generated docs
Generated Python wheels and source distribution files

Alternatives and workarounds

No response

Additional context