From c89aaceb06df65d2aba8f95cf28a744fbe955a1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Ram=C3=ADrez-Mondrag=C3=B3n?= Date: Fri, 3 May 2024 20:27:40 -0600 Subject: [PATCH 1/4] ci: Use GitHub attestations --- .github/workflows/build.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 749fc1c2..2a2c4f61 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -44,6 +44,24 @@ jobs: path: dist - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 + attestations: + name: Attest Build Provenance + runs-on: ubuntu-latest + needs: [build] + permissions: + contents: read + id-token: write + attestations: write + + steps: + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e + with: + name: Packages + path: dist + - uses: actions/attest-build-provenance@eab7f69317b589ac05272d67712fdd10ab3d4d1d + with: + subject-path: "./dist/citric*" + # Move this up when PyPI supports signing sign: name: Sign the distribution package From 17a50c2af5ba5e5711100def92a992b80e9e7704 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Ram=C3=ADrez-Mondrag=C3=B3n?= Date: Fri, 3 May 2024 21:21:31 -0600 Subject: [PATCH 2/4] Replace old step --- .github/workflows/build.yml | 32 +++++++------------------------- 1 file changed, 7 insertions(+), 25 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2a2c4f61..5d2a0732 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
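Review bot: The new `attestations` job has no `if:` condition, so it runs on every trigger of this workflow and mints a provenance attestation (using the `id-token: write` and `attestations: write` grants) for builds that are never released, whereas the `publish` job visible in the third patch gates on `startsWith(github.ref, 'refs/tags/')`. Add the same guard to this job, e.g. `if: startsWith(github.ref, 'refs/tags/')`, so attestations are only produced for release builds; the workflow's trigger block is outside this hunk, so which events reach the job cannot be confirmed here. Patch 2 of this series removes the job again and folds the step into `sign`, so the point only matters if this job is reintroduced.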
@@ -44,24 +44,6 @@ jobs: path: dist - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 - attestations: - name: Attest Build Provenance - runs-on: ubuntu-latest - needs: [build] - permissions: - contents: read - id-token: write - attestations: write - - steps: - - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e - with: - name: Packages - path: dist - - uses: actions/attest-build-provenance@eab7f69317b589ac05272d67712fdd10ab3d4d1d - with: - subject-path: "./dist/citric*" - # Move this up when PyPI supports signing sign: name: Sign the distribution package @@ -69,22 +51,22 @@ jobs: runs-on: ubuntu-latest needs: [build] permissions: - contents: write # IMPORTANT: mandatory for making GitHub Releases - id-token: write # IMPORTANT: mandatory for sigstore + contents: write # IMPORTANT: mandatory for making GitHub Releases + id-token: write # IMPORTANT: mandatory for attestations + attestations: write # IMPORTANT: mandatory for attestations steps: - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e with: name: Packages path: dist - - uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2 + - uses: actions/attest-build-provenance@eab7f69317b589ac05272d67712fdd10ab3d4d1d + id: attest with: - inputs: >- - ./dist/*.tar.gz - ./dist/*.whl + subject-path: "./dist/citric*" - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd with: - file: dist/** + file: ${{ steps.attest.outputs.bundle-path }} tag: ${{ github.event.inputs.tag || github.ref }} overwrite: false file_glob: true From be9b19dad640ae9d7ce07dca57ee9d326ae4351b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Ram=C3=ADrez-Mondrag=C3=B3n?= Date: Fri, 3 May 2024 21:43:58 -0600 Subject: [PATCH 3/4] Upload artifacts to release --- .github/workflows/build.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) 
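Review bot: The job rewritten in the second hunk is still keyed `sign`, titled `name: Sign the distribution package` and introduced by the context comment `# Move this up when PyPI supports signing`, but after this change it no longer signs anything — it generates a build-provenance attestation with `actions/attest-build-provenance` and attaches the bundle to the release — so the key, title and comment now mislead the next reader. Update at least the title and comment, e.g. `name: Attest build provenance` and `# Attests ./dist/citric* and attaches the Sigstore bundle to the GitHub Release`, and rename the job key if nothing outside this hunk references it via `needs:`. `${{ steps.attest.outputs.bundle-path }}` is a single file, so `file_glob: true` on the upload step is no longer meaningful (the last patch in the series replaces it with `asset_name`). The job's `if:` line, if it has one, lies between the two hunks and is not visible.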
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5d2a0732..a3dd776f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,6 +26,26 @@ jobs: ref: ${{ github.event.inputs.tag || github.ref }} - uses: hynek/build-and-inspect-python-package@eb6b0c7cc5e1f38eec42c970925e1b3420faa015 + upload-to-release: + name: Upload to GitHub Release + if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' + runs-on: ubuntu-latest + needs: [build] + permissions: + contents: write # IMPORTANT: mandatory for making GitHub Releases + + steps: + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e + with: + name: Packages + path: dist + - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd + with: + file: dist/** + tag: ${{ github.event.inputs.tag || github.ref }} + overwrite: false + file_glob: true + publish: name: Publish to PyPI if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.publish == 'true' From 516f0966c00dc74c9f9e12ab0a74c50f0c4c16c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Ram=C3=ADrez-Mondrag=C3=B3n?= Date: Thu, 9 May 2024 21:19:35 -0600 Subject: [PATCH 4/4] Change the asset name --- .github/workflows/build.yml | 2 +- .pre-commit-config.yaml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a3dd776f..f03ff0aa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -89,4 +89,4 @@ jobs: file: ${{ steps.attest.outputs.bundle-path }} tag: ${{ github.event.inputs.tag || github.ref }} overwrite: false - file_glob: true + asset_name: attestations.intoto.jsonl diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f740cd81..603cdbdb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
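Review bot: The new `upload-to-release` job runs on any manual run (`github.event_name == 'workflow_dispatch'`), while the `publish` job directly below it requires `github.event.inputs.publish == 'true'`; a dispatch intended as a dry run therefore still attaches `dist/**` to a GitHub Release using `contents: write`. With an empty `tag` input the target falls back to `github.ref`, which for a branch dispatch is a `refs/heads/` value rather than a tag; how `upload-release-action` treats that is not visible here. Align the condition with `publish`, e.g. `if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.publish == 'true'`, or gate on a non-empty `github.event.inputs.tag`.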
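Review bot: Fixing the asset name to `attestations.intoto.jsonl` gives consumers a stable file to verify against, but nothing in the workflow says what the file is or how to check it. Add a comment above the `svenstaro/upload-release-action` step, e.g. `# Sigstore bundle from attest-build-provenance covering ./dist/citric*; verify with: gh attestation verify --bundle attestations.intoto.jsonl <dist-file> --repo <OWNER/REPO>`, and mirror it in the project's release documentation. Since `overwrite: false` is kept, a re-run for the same tag will now collide on this fixed name rather than add a second file; that is reasonable for an integrity artifact but worth stating in the same comment.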
@@ -41,6 +41,9 @@ repos: rev: v2.2.6 hooks: - id: codespell + # TODO: Use inline ignores, e.g. # codespell:ignore intoto + # https://github.com/codespell-project/codespell/issues/3387 + args: [-L, intoto] additional_dependencies: - tomli