pypi / warehouse

The Python Package Index
https://pypi.org
Apache License 2.0
3.59k stars 968 forks source link

PEP 740: Post-deployment tasks #17001

Open woodruffw opened 1 day ago

woodruffw commented 1 day ago

The main roadmap for PEP 740 is in https://github.com/pypi/warehouse/issues/15871; this tracks related items that aren't blockers, but need to be thought about more and/or addressed in the medium-to-long term.

webknjaz commented 13 hours ago
  • Support for other attestation types. Right now the "PyPI Publish" and SLSA types are supported, although the SLSA type is currently gated off since nothing is uploading it yet. The latter should be enabled.

Is it possible to do this in a job following pypi-upload?

woodruffw commented 13 hours ago
  • Support for other attestation types. Right now the "PyPI Publish" and SLSA types are supported, although the SLSA type is currently gated off since nothing is uploading it yet. The latter should be enabled.

Is it possible to do this in a job following pypi-upload?

Not at the moment -- in principle we could add a separate upload endpoint/codepath for uploading attestations to an already-uploaded release, but that doesn't exist yet. For the time being, the assumption is that one or more attestations get uploaded with the release itself, so a user who wants to upload a SLSA attestation should put it in their dist/ alongside their publish attestation.

In other words, a dist/ structure like:

dist/
  foo-1.2.3.tar.gz
  foo-1.2.3.tar.gz.publish.attestation
  foo-1.2.3.tar.gz.slsa.attestation

(The interstitial .publish. and .slsa aren't semantically meaningful -- twine just looks for dist.*.attestation).