Closed matthewfeickert closed 4 months ago
Currently blocked by https://github.com/actions/runner-images/issues/9784, without updating ubuntu-latest
to ubuntu-24.04
.
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 98.21%. Comparing base (
ecd0613
) to head (1b0191c
). Report is 29 commits behind head on main.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
GitHub CLI is updated to v2.49.2
in https://github.com/actions/runner-images/issues/9784 and so should work now.
So it seems that the most important takeaway is described in https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/#a-more-secure-future, and while it seems that this should mean that the number of attestations generated isn't relevant as everything will be machine generated, it seems that it might(?) be useful to keep https://github.com/scikit-hep/pyhf/attestations containing mostly only releases.
@woodruffw @di, not to bug you with things that go beyond https://github.com/sigstore/sigstore-python, but is this the correct take (that we should only be publishing attestations for releases)?
Also cc @sethmlarson given very helpful feedback on https://github.com/scientific-python/summit-2024/issues/9#issuecomment-2107536124.
Thanks for the ping @matthewfeickert!
IMO, the number of attestations generated is not currently relevant: these attestations don't appear on PyPI and are "generic" in nature (i.e. don't express a specific intent to build, release, etc.), so having multiple of them doesn't accomplish much at the moment.
However, to take a step back: we're building PEP 740 on the same foundations (Sigstore + sigstore-python
), and it will have support for multiple attestations, e.g. for distinguishing publish, release, and also third-party counter-attestations. That PEP uses the same underlying technologies as GitHub's Attestations feature but requires attestations to be uploaded to PyPI as well, which means we'll be building it into the standard PyPA tooling.
That's still a little out and not directly related to what you asked though 😅. But the TL;DR: IMO one GitHub attestation is fine, and in the future PEP 740 will also allow your tools to (automatically) load multiple attestations per-file onto PyPI.
we're building PEP 740 on the same foundations (Sigstore +
sigstore-python
), and it will have support for multiple attestations, e.g. for distinguishing publish, release, and also third-party counter-attestations. That PEP uses the same underlying technologies as GitHub's Attestations feature but requires attestations to be uploaded to PyPI as well, which means we'll be building it into the standard PyPA tooling.
Amazing! Thank you very much for all of this work and this is actually quite useful to know about. :+1: I also now have some reading to do. :) https://peps.python.org/pep-0740/
But the TL;DR: IMO one GitHub attestation is fine, and in the future PEP 740 will also allow your tools to (automatically) load multiple attestations per-file onto PyPI.
Okay thanks this is useful. My question was more in the context of the fact that https://github.com/scikit-hep/pyhf/attestations is a log of all attestations, and if I was to remove the if
guards that I place here it would generate attestations for each run of the CI, which just seems like it would be noisy. So while not a problem I'll leave the if
guards in and do similar things as I propagate this out across other Scikit-HEP libraries and to Scientific Python libraries. :+1:
@meeseeksdev backport to release/v0.7.x
Description
gh attestation verify
CLI API, added inv2.49.0
.Checklist Before Requesting Reviewer
Before Merging
For the PR Assignees: