Add support for attestations

Co-authored-by: Thomas Forbes <[email protected]>
astral-sh · Jan 7, 2025 · d87936f · d87936f
1 parent 3c4fe23
commit d87936f
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -169,6 +169,10 @@ jobs:
       - pythonbuild
       - image
     runs-on: depot-ubuntu-22.04
+    # Permissions used for actions/attest-build-provenance
+    permissions:
+      id-token: write
+      attestations: write
     strategy:
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
       fail-fast: false
@@ -230,6 +234,12 @@ jobs:
 
           build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst
 
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v2
+        if: ${{ github.ref == 'refs/heads/main' }}
+        with:
+          subject-path: dist/*
+
       - name: Upload Distribution
         if: ${{ ! matrix.dry-run }}
         uses: actions/upload-artifact@v4

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -91,6 +91,10 @@ jobs:
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
       fail-fast: false
     runs-on: depot-macos-latest
+    # Permissions used for actions/attest-build-provenance
+    permissions:
+      id-token: write
+      attestations: write
     name: ${{ matrix.target_triple }} / ${{ matrix.python }} / ${{ matrix.build_options }}
     steps:
       - uses: actions/checkout@v4
@@ -122,6 +126,12 @@ jobs:
 
           ./build-macos.py --target-triple ${{ matrix.target_triple }} --python cpython-${{ matrix.python }} --options ${{ matrix.build_options }}
 
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v2
+        if: ${{ github.ref == 'refs/heads/main' }}
+        with:
+          subject-path: dist/*
+
       - name: Upload Distributions
         if: ${{ ! matrix.dry-run }}
         uses: actions/upload-artifact@v4

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -89,6 +89,10 @@ jobs:
       - generate-matrix
       - pythonbuild
     runs-on: windows-latest-large
+    # Permissions used for actions/attest-build-provenance
+    permissions:
+      id-token: write
+      attestations: write
     strategy:
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
       fail-fast: false
@@ -132,6 +136,12 @@ jobs:
           $Dists = Resolve-Path -Path "dist/*.tar.zst" -Relative
           .\pythonbuild.exe validate-distribution --run $Dists
 
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v2
+        if: ${{ github.ref == 'refs/heads/main' }}
+        with:
+          subject-path: dist/*
+
       - name: Upload Distributions
         uses: actions/upload-artifact@v4
         with: