Skip to content

Commit

Permalink
ci: Add GitHub artifact attestations to package distribution (#3126)
Browse files Browse the repository at this point in the history
* chore: update pre-commit hooks

updates:
- github.com/python-jsonschema/check-jsonschema: v0.28.2 → v0.28.4

* ci: Add GitHub artifact attestations to package distribution

* Add generation of GitHub artifact attestations to built sdist and wheel
  before upload.
  c.f.:
   - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
   - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
* Add verification of artifact attestation before publishing awkward to PyPI
  using the 'gh attestation verify' CLI API, added in v2.49.0.
   - c.f. https://github.com/cli/cli/releases/tag/v2.49.0
  • Loading branch information
matthewfeickert authored May 22, 2024
1 parent a096f3d commit ff31fd7
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 1 deletion.
7 changes: 7 additions & 0 deletions .github/workflows/deploy-cpp.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ jobs:
if: inputs.publish-pypi
permissions:
id-token: write
attestations: write
contents: read
environment:
name: "pypi"
url: "https://pypi.org/project/awkward-cpp/"
Expand All @@ -32,4 +34,9 @@ jobs:
- name: List distributions to be deployed
run: ls -l dist/

- name: Generate artifact attestation for sdist and wheel
uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
with:
subject-path: "dist/awkward-cpp-*"

- uses: pypa/gh-action-pypi-publish@v1.8.14
22 changes: 22 additions & 0 deletions .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,10 @@ jobs:
name: "Build wheel & sdist"
runs-on: ubuntu-latest
needs: [determine-source-date-epoch]
permissions:
id-token: write
attestations: write
contents: read
env:
SOURCE_DATE_EPOCH: ${{ needs.determine-source-date-epoch.outputs.source-date-epoch }}
steps:
Expand All @@ -83,6 +87,11 @@ jobs:
- name: Check metadata
run: pipx run twine check dist/*

- name: Generate artifact attestation for sdist and wheel
uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
with:
subject-path: "dist/awkward-*"

- uses: actions/upload-artifact@v4
with:
name: distributions
Expand Down Expand Up @@ -113,6 +122,19 @@ jobs:
name: distributions
path: dist

- name: List distributions to be deployed
run: ls -l dist/

- name: Verify sdist artifact attestation
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh attestation verify dist/awkward-*.tar.gz --repo ${{ github.repository }}

- name: Verify wheel artifact attestation
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh attestation verify dist/awkward-*.whl --repo ${{ github.repository }}

- uses: pypa/gh-action-pypi-publish@v1.8.14

publish-headers:
Expand Down
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ repos:
files: ^tests/

- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.28.2
rev: 0.28.4
hooks:
- id: check-github-workflows
args: ["--verbose"]
Expand Down

0 comments on commit ff31fd7

Please sign in to comment.