CI: Add GitHub artifact attestations to package distribution #28273

matthewfeickert · 2024-05-21T23:55:50Z

PR summary

Add generation of GitHub artifact attestations to built sdist and wheel before upload. c.f.:
- https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
- https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

This PR is related to scientific-python/summit-2024#9 so cc @QuLogic for review. c.f. scikit-hep/pyhf#2473 for reference.

PR checklist

[N/A] "closes #0000" is in the body of the PR description to link the related issue
[N/A] new and changed code is tested
[N/A] Plotting related features are demonstrated in an example
[N/A] New Features and API Changes are noted with a directive and release note
[N/A] Documentation complies with general and docstring guidelines

matthewfeickert · 2024-05-22T00:05:05Z

.pre-commit-config.yaml

@@ -79,7 +79,7 @@ repos:
      - id: yamllint
        args: ["--strict", "--config-file=.yamllint.yml"]
  - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.1
+    rev: 0.28.4


Without this pre-commit hook update, pre-commit will fail as attestation is a newer permissions key. To keep this atomic I'm only updating this hook instead of all of them.

updates: - [github.com/python-jsonschema/check-jsonschema: 0.28.1 → 0.28.4](python-jsonschema/check-jsonschema@0.28.1...0.28.4)

* Add generation of GitHub artifact attestations to built sdist and wheel before upload. c.f.: - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

QuLogic · 2024-05-27T21:01:25Z

This of course doesn't run unless we're tagging a release. Does it make sense to have a separate job that always runs to do the attestation? Or is that overkill?

matthewfeickert · 2024-05-27T23:37:34Z

Does it make sense to have a separate job that always runs to do the attestation? Or is that overkill?

@QuLogic My understanding from scikit-hep/pyhf#2473 is that while there's nothing wrong with creating attestations for every run of the CI, there could value in keeping the number of attestations to a human readable number that just correspond to releases. As there doesn't seem to be a way to delete attestation records from GitHub I would advocate having attestations be 1-to-1 with published artifacts.

tacaswell · 2024-05-28T20:01:08Z

I think starting with just releases is the right call.

matthewfeickert · 2024-05-28T20:28:33Z

Example of a release of Awkward Array with signed artifacts, and how from a maintainer perspective keeping a clean visual list of release-only attestations would be nice:

scikit-hep/awkward#3126 (comment)

… package distribution

…273-on-v3.9.x Backport PR #28273 on branch v3.9.x (CI: Add GitHub artifact attestations to package distribution)

github-actions bot added the CI: Run cibuildwheel Run wheel building tests on a PR label May 21, 2024

matthewfeickert changed the title ~~ci: Add GitHub artifact attestations to package distribution~~ CI: Add GitHub artifact attestations to package distribution May 21, 2024

matthewfeickert force-pushed the ci/add-artifact-attestations branch from 427fe83 to e28c1f4 Compare May 22, 2024 00:03

matthewfeickert commented May 22, 2024

View reviewed changes

tacaswell added this to the v3.9.1 milestone May 22, 2024

tacaswell approved these changes May 22, 2024

View reviewed changes

matthewfeickert added 2 commits May 27, 2024 14:53

MNT: Update pre-commit hooks

5d1d64d

updates: - [github.com/python-jsonschema/check-jsonschema: 0.28.1 → 0.28.4](python-jsonschema/check-jsonschema@0.28.1...0.28.4)

matthewfeickert force-pushed the ci/add-artifact-attestations branch from e28c1f4 to a5e6e93 Compare May 27, 2024 19:54

QuLogic approved these changes May 29, 2024

View reviewed changes

QuLogic merged commit 394761a into matplotlib:main May 29, 2024
46 checks passed

meeseeksmachine pushed a commit to meeseeksmachine/matplotlib that referenced this pull request May 29, 2024

Backport PR matplotlib#28273: CI: Add GitHub artifact attestations to…

7462f5e

… package distribution

meeseeksmachine mentioned this pull request May 29, 2024

Backport PR #28273 on branch v3.9.x (CI: Add GitHub artifact attestations to package distribution) #28318

Merged

matthewfeickert deleted the ci/add-artifact-attestations branch May 29, 2024 19:06

ksunden added a commit that referenced this pull request May 29, 2024

Merge pull request #28318 from meeseeksmachine/auto-backport-of-pr-28…

5e0b83f

…273-on-v3.9.x Backport PR #28273 on branch v3.9.x (CI: Add GitHub artifact attestations to package distribution)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

CI: Add GitHub artifact attestations to package distribution #28273

CI: Add GitHub artifact attestations to package distribution #28273

Uh oh!

matthewfeickert commented May 21, 2024

Uh oh!

matthewfeickert May 22, 2024

Uh oh!

QuLogic commented May 27, 2024

Uh oh!

matthewfeickert commented May 27, 2024 •

edited

Loading

Uh oh!

tacaswell commented May 28, 2024

Uh oh!

matthewfeickert commented May 28, 2024

Uh oh!

Uh oh!

Uh oh!

Uh oh!

CI: Add GitHub artifact attestations to package distribution #28273

CI: Add GitHub artifact attestations to package distribution #28273

Uh oh!

Conversation

matthewfeickert commented May 21, 2024

PR summary

PR checklist

Uh oh!

matthewfeickert May 22, 2024

Choose a reason for hiding this comment

Uh oh!

QuLogic commented May 27, 2024

Uh oh!

matthewfeickert commented May 27, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tacaswell commented May 28, 2024

Uh oh!

matthewfeickert commented May 28, 2024

Uh oh!

Uh oh!

Uh oh!

matthewfeickert commented May 27, 2024 •

edited

Loading