From 23249111f57a23de145bde494fbcfae53b6a8fa9 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Wed, 8 May 2024 17:06:05 +0300 Subject: [PATCH 1/5] Attest build provenance of artifacts --- README.md | 5 +++++ action.yml | 10 ++++++++++ 2 files changed, 15 insertions(+) diff --git a/README.md b/README.md index b20f1bb..680a486 100644 --- a/README.md +++ b/README.md @@ -95,6 +95,11 @@ While *build-and-inspect-python-package* will build a wheel for you by default, Use this if you want to build multiple packages in one workflow. (*optional*, default: `''`). +- `attest-build-provenance`: Whether to generate signed build provenance attestations for workflow artifacts using + [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance). + Requires `attestations: write` and `id-token: write` permissions. + The only meaningful value is `'true'` (note the quotes – GitHub Actions only allow string inputs) and everything else is treated as falsey. + (*optional*, default: `'false'`). ### Outputs diff --git a/action.yml b/action.yml index 9f297eb..7f18a75 100644 --- a/action.yml +++ b/action.yml @@ -19,6 +19,10 @@ inputs: description: Suffix to append to the artifact names. required: false default: "" + attest-build-provenance: + description: "Suffix to append to the artifact names. Requires 'attestations: write' and 'id-token: write' permissions." + required: false + default: 'false' outputs: dist: description: The location of the built packages. @@ -102,6 +106,12 @@ runs: shell: bash working-directory: ${{ inputs.path }} + - name: Attest build provenance + if: ${{ inputs.attest-build-provenance == 'true' }} + uses: actions/attest-build-provenance@v1 + with: + subject-path: "/tmp/baipp/dist/*" + - name: Set output id: dist-location-setter shell: bash From 925a5b0f963a1deb5282cdbe24fe6890eacd4271 Mon Sep 17 00:00:00 2001 
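Review bot: `uses: actions/attest-build-provenance@v1` in the new "Attest build provenance" step references a mutable major-version tag, which is a weak anchor for a step whose whole purpose is supply-chain provenance — whoever can move the `v1` tag controls the code that signs the attestation. Pin it to a full-length commit SHA with the version in a trailing comment, `uses: actions/attest-build-provenance@<full-commit-sha>  # v1.x` (SHA is a placeholder; take it from the upstream release), and let Dependabot or Renovate bump it; if the rest of action.yml already pins by SHA (not visible here) this also restores consistency. The same reference survives unchanged in the renamed step in PATCH 4's action.yml hunk at `@@ -106,8 +106,8 @@`. A composite action cannot grant `id-token: write`/`attestations: write` itself, so a caller without them fails inside this step rather than with a clear message; a comment above the step, `# Needs id-token: write and attestations: write in the calling workflow`, would help whoever reads action.yml directly. The `runs.steps` sequence containing this step starts and ends outside the hunk.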
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Sat, 11 May 2024 17:12:38 +0300 Subject: [PATCH 2/5] Add attest-build-provenance input to changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a15b36..232cd1c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ## [Unreleased](https://github.com/hynek/build-and-inspect-python-package/compare/v2.4.0...main) +### Added + +- New input: `attest-build-provenance` generates signed build provenance attestations for workflow artifacts. + [#122](https://github.com/hynek/build-and-inspect-python-package/pull/122) + + ## [2.4.0](https://github.com/hynek/build-and-inspect-python-package/compare/v2.3.0...v2.4.0) - 2024-04-11 ### Changed From 6a782e169f4bae1316d317fada835e1a62932aa7 Mon Sep 17 00:00:00 2001 From: Hynek Schlawack Date: Mon, 13 May 2024 08:26:52 +0200 Subject: [PATCH 3/5] Try out attestation in CI --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 72a8c6e..fccc51a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,10 @@ env: SETUPTOOLS_SCM_PRETEND_VERSION: "1.0" # avoid warnings about shallow checkout UV_SYSTEM_PYTHON: "true" # ensure action can deal with this set +permissions: + id-token: write + attestations: write + jobs: check-argon2-cffi-bindings: name: Build & verify the argon2-cffi-bindings package. @@ -53,6 +57,7 @@ jobs: with: path: structlog upload-name-suffix: "-structlog" + attest-build-provenance-github: "true" - run: echo Packages can be found at ${{ steps.baipp.outputs.dist }} From 2794b385aecf5b07ed10e56b1f97490cc6067f99 Mon Sep 17 00:00:00 2001 
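Review bot: The new workflow-level `permissions:` block in ci.yml grants `id-token: write` and `attestations: write` to every job in the workflow, including `check-argon2-cffi-bindings`, which as far as this patch shows never attests; placing the block under the job that passes `attest-build-provenance-github: "true"` keeps the OIDC token out of jobs that do not need it. Once a `permissions:` key is present every scope it omits becomes `none`, so if checkout or another step relies on `contents: read` it should be listed explicitly next to the two new scopes. The second hunk of this patch passes `attest-build-provenance-github`, but at this point in the series the input declared in action.yml is still `attest-build-provenance` (renamed only in PATCH 4), so this commit on its own would log an unexpected-input warning and never run the attestation step. PATCH 5 reverts this file, so these points matter only if the CI trial is reinstated.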
From: Hynek Schlawack Date: Mon, 13 May 2024 08:27:47 +0200 Subject: [PATCH 4/5] Clarify this is only GitHub attestation --- CHANGELOG.md | 2 +- README.md | 3 +-- action.yml | 8 ++++---- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 232cd1c..d56b42f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ### Added -- New input: `attest-build-provenance` generates signed build provenance attestations for workflow artifacts. +- New input: `attest-build-provenance-github` generates signed build provenance attestations for workflow artifacts. [#122](https://github.com/hynek/build-and-inspect-python-package/pull/122) diff --git a/README.md b/README.md index 680a486..ca53c08 100644 --- a/README.md +++ b/README.md @@ -95,8 +95,7 @@ While *build-and-inspect-python-package* will build a wheel for you by default, Use this if you want to build multiple packages in one workflow. (*optional*, default: `''`). -- `attest-build-provenance`: Whether to generate signed build provenance attestations for workflow artifacts using - [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance). +- `attest-build-provenance-github`: Whether to generate signed build provenance attestations for workflow artifacts using [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance). Requires `attestations: write` and `id-token: write` permissions. The only meaningful value is `'true'` (note the quotes – GitHub Actions only allow string inputs) and everything else is treated as falsey. (*optional*, default: `'false'`). diff --git a/action.yml b/action.yml index 7f18a75..d0b87fe 100644 --- a/action.yml +++ b/action.yml 
@@ -19,8 +19,8 @@ inputs: description: Suffix to append to the artifact names. required: false default: "" - attest-build-provenance: - description: "Suffix to append to the artifact names. Requires 'attestations: write' and 'id-token: write' permissions." + attest-build-provenance-github: + description: "Attest provenance using GitHub's own action. Requires 'attestations: write' and 'id-token: write' permissions." required: false default: 'false' outputs: @@ -106,8 +106,8 @@ runs: shell: bash working-directory: ${{ inputs.path }} - - name: Attest build provenance - if: ${{ inputs.attest-build-provenance == 'true' }} + - name: Attest GitHub build provenance + if: ${{ inputs.attest-build-provenance-github == 'true' }} uses: actions/attest-build-provenance@v1 with: subject-path: "/tmp/baipp/dist/*" From 4d197a2d6351b7e4ed8b54018f5a9ff34fbf968a Mon Sep 17 00:00:00 2001 From: Hynek Schlawack Date: Mon, 13 May 2024 17:01:10 +0200 Subject: [PATCH 5/5] Revert "Try out attestation in CI" This reverts commit 6a782e169f4bae1316d317fada835e1a62932aa7. --- .github/workflows/ci.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fccc51a..72a8c6e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,10 +12,6 @@ env: SETUPTOOLS_SCM_PRETEND_VERSION: "1.0" # avoid warnings about shallow checkout UV_SYSTEM_PYTHON: "true" # ensure action can deal with this set -permissions: - id-token: write - attestations: write - jobs: check-argon2-cffi-bindings: name: Build & verify the argon2-cffi-bindings package. @@ -57,7 +53,6 @@ jobs: with: path: structlog upload-name-suffix: "-structlog" - attest-build-provenance-github: "true" - run: echo Packages can be found at ${{ steps.baipp.outputs.dist }}
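Review bot: `default: 'false'` for the renamed `attest-build-provenance-github` input is single-quoted while the neighbouring `default: ""` and the new `description: "..."` use double quotes; the value is the same either way, so it is purely a style point, but mixed quoting in one `inputs:` stanza invites a later edit to "fix" one into a bare `false`, which GitHub would then treat as a string anyway but which reads as a boolean. Use `default: "false"` to match the surrounding file. The `inputs:` mapping continues outside the hunk.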