Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[pyos meta repo] Use GitHub Artifact Attestations #165

Open
blink1073 opened this issue Jun 27, 2024 · 5 comments
Open

[pyos meta repo] Use GitHub Artifact Attestations #165

blink1073 opened this issue Jun 27, 2024 · 5 comments

Comments

@blink1073
Copy link
Collaborator

GitHub now has full support for Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/

The feature supersedes our usage of SigStore (#156), since it uses SigStore under the hood and has built-in support in the GitHub API/cli, e.g. gh attestation verify PATH/TO/ARTIFACT -o myorganization.

I am happy to make this change if there is agreement.

cc @webknjaz

@webknjaz
Copy link

Either that, or the official action. Keep the old job for making releases, perhaps reduce its privileges and add a new job with new privileges.

I actually filed an issue to update this in PyPUG yesterday, too.

The upload attestations will be built into the publish action once that work is completed, by the way.

@blink1073
Copy link
Collaborator Author

By official action do you mean actions/attest-build-provenance or sigstore/gh-action-sigstore-python?

You're saying it might get folded into gh-action-pypi-publish?

@blink1073
Copy link
Collaborator Author

As of https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0, sigstore attestations enabled by default. pypa/gh-action-pypi-publish#288 is for adding them to GitHub Attestations as well.

@webknjaz
Copy link

webknjaz commented Nov 8, 2024

By official action do you mean actions/attest-build-provenance or sigstore/gh-action-sigstore-python?

Oh, I missed this question. I think I meant pypi-publish back then.

You're saying it might get folded into gh-action-pypi-publish?

Kind of. I want to try uploading the same attestations that are sent to PyPI, to GitHub as well. However, the difference with actions/attest-build-provenance is that technically GH advertises that theirs is for “build provenance” and ours is for “upload provenance”. This is because pypi-publish does not know where your dists are coming from — you might've built them elsewhere and configured GHA to download them into the job from S3 or some other place + publish from there. So within the action we know that we “sign what's published”, but we don't know if we “sign what's built within the same workflow”. As a user, you know what you configured, so you could say that this is build provenance as well.

What I dislike about actions/attest-build-provenance is that they demonstrate running it from test/build jobs and setting elevated privileges there. If you're to use it, I'd recommend still going through the GH workflow artifacts route and signing them in a separate job.

Here's an example of doing this + producing SLSA artifacts as well: https://github.com/ansible/awx-plugins/blob/678ea69/.github/workflows/ci-cd.yml#L925-L1115.

@webknjaz
Copy link

webknjaz commented Nov 8, 2024

[...] sigstore/gh-action-sigstore-python?

You're saying it might get folded into gh-action-pypi-publish?

Oh, and yes, pypi-publish attestations do use sigstore under the hood (as does GitHub's attestations action). So we could say that we absorbed this. Although, there might be slight differences. Still, you could probably extract those files since they end up under dist/ on disk, next to the dists, and upload them to GH Releases instead of the manual signing invocation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants