scikit-hep / vector

Vector classes and utilities
https://vector.readthedocs.io
BSD 3-Clause "New" or "Revised" License

ci: Add GitHub artifact attestations to package distribution #470

Closed matthewfeickert closed 3 months ago

matthewfeickert commented 3 months ago

Description

Checklist

Before Merging

* Add generation of GitHub artifact attestations to built sdist and wheel
  before upload.
  c.f.:
   - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
   - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
* Add verification of artifact attestation before publishing vector to PyPI
  using the 'gh attestation verify' CLI API, added in v2.49.0.
   - c.f. https://github.com/cli/cli/releases/tag/v2.49.0
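As an added example (not the project's own cd.yml and not the pyhf workflow referenced elsewhere in this thread), a workflow that carries out both checklist items: attest the built sdist and wheel before they are uploaded anywhere, then verify those attestations with `gh attestation verify` before publishing to PyPI. Assumed: the build step writes one sdist and one wheel to `dist/`, the action versions shown, `gh` 2.49.0 or newer on the runner, and PyPI Trusted Publishing configured for the `pypi` environment.

```yaml
# Added example workflow (not scikit-hep/vector's cd.yml). Assumes the
# build writes dist/ (sdist + wheel), gh >= 2.49.0 is on the runner, and
# PyPI Trusted Publishing is set up for the "pypi" environment.
name: CD

on:
  release:
    types: [published]
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # OIDC identity used to sign the attestation
      attestations: write   # lets the action store it under the repo
    steps:
      - uses: actions/checkout@v4
      - name: Build sdist and wheel
        run: pipx run build
      - name: Attest build provenance (before any upload)
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write       # Trusted Publishing to PyPI
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Verify attestations before publishing
        env:
          GH_TOKEN: ${{ github.token }}   # read access to the attestations API
        run: |
          # Each file is checked against a provenance attestation from this repo;
          # a non-zero exit from gh fails the job, so nothing reaches PyPI.
          for artifact in dist/*; do
            gh attestation verify "$artifact" --repo "$GITHUB_REPOSITORY"
          done
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Because the verify step runs in a separate job on a freshly downloaded copy of `dist/`, it also catches anything that changed between the attestation and the publish step.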
codecov[bot] commented 3 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 86.77%. Comparing base (88c308d) to head (be5c27f). Report is 25 commits behind head on main.

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #470   +/-   ##
=======================================
  Coverage   86.77%   86.77%
=======================================
  Files          98       98
  Lines       11927    11927
=======================================
  Hits        10350    10350
  Misses       1577     1577
```


matthewfeickert commented 3 months ago

> AFAICT, the attestation isn't being uploaded anywhere yet?

@henryiii Correct, as these workflows only run on publication and workflow dispatch:

https://github.com/scikit-hep/vector/blob/88c308db9a58b2d88703d699c38f340274fddaad/.github/workflows/cd.yml#L3-L7

Once they do run, the attestations will be uploaded to https://github.com/scikit-hep/vector/attestations. c.f. https://github.com/scikit-hep/pyhf/pull/2473 for additional reference / discussion.