From 29b5f2fc84545c51b2c7b5fa63159f38702e0407 Mon Sep 17 00:00:00 2001 From: samypr100 <3933065+samypr100@users.noreply.github.com> Date: Mon, 6 Jan 2025 19:50:59 -0500 Subject: [PATCH] Add support for attestations Co-authored-by: Thomas Forbes --- .github/workflows/linux.yml | 14 ++++++++++++-- .github/workflows/macos.yml | 12 +++++++++++- .github/workflows/windows.yml | 14 ++++++++++++-- 3 files changed, 35 insertions(+), 5 deletions(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 901233ad..79991645 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -130,7 +130,7 @@ jobs: pythonbuild_changed: ${{ steps.changed.outputs.pythonbuild_any_changed }} steps: - uses: actions/checkout@v4 - + - name: Set up Python uses: astral-sh/setup-uv@v4 @@ -140,7 +140,7 @@ jobs: # Convert GitHub labels array to comma-separated string LABELS=$(echo '${{ toJson(github.event.pull_request.labels.*.name) }}' | jq -r 'join(",")') echo "labels=$LABELS" >> $GITHUB_OUTPUT - + - name: Generate build matrix id: set-matrix run: | @@ -168,6 +168,10 @@ jobs: - generate-matrix - pythonbuild - image + # Permissions used for actions/attest-build-provenance + permissions: + id-token: write + attestations: write runs-on: ${{ matrix.runner }} strategy: matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }} @@ -230,6 +234,12 @@ jobs: build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst + - name: Generate attestations + uses: actions/attest-build-provenance@v2 + if: ${{ github.ref == 'refs/heads/main' }} + with: + subject-path: dist/* + - name: Upload Distribution if: ${{ ! matrix.dry-run }} uses: actions/upload-artifact@v4 diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 7aafefa9..50345e0e 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml 
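Review bot: The job-level `permissions:` block added in the linux.yml hunk at -168 lists only `id-token: write` and `attestations: write`, and a job-level block sets every unlisted scope to none, so `contents: read` is no longer granted to this job even though it starts with `actions/checkout@v4`. On a public repository the checkout will most likely still succeed, but the attest-build-provenance documentation lists `contents: read` alongside the other two; adding `contents: read` makes the checkout's read access explicit and keeps the job working if repository visibility or checkout options change. The same block is added in the macos.yml hunk at -87 and the windows.yml hunk at -88 and needs the same line. The grant is also unconditional while the attestation step only runs on `main`, which is acceptable but worth stating in the existing comment, e.g. `# Permissions used for actions/attest-build-provenance (step only runs on main)`.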
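Review bot: The `Generate attestations` step in the linux.yml hunk at -230 is gated only on `github.ref == 'refs/heads/main'`, while the upload step right after it is skipped for `matrix.dry-run` entries, so if dry-run entries are part of the matrix on `main` the step would sign provenance for `dist/*` files that are never published; `if: ${{ github.ref == 'refs/heads/main' && ! matrix.dry-run }}` keeps the two steps aligned. `subject-path: dist/*` is also wider than the `dist/*.tar.zst` pattern the preceding validation step uses, so narrowing it to the same glob keeps any stray files in `dist/` out of the provenance subjects. `actions/attest-build-provenance@v2` follows the file's existing major-tag convention, but for the step that produces signed provenance, pinning to a full commit SHA is the usual hardening. The same step is added in the macos.yml hunk at -122 and the windows.yml hunk at -132; the windows upload step shows no dry-run condition, so the first point may not apply there.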
@@ -87,10 +87,14 @@ jobs: needs: - generate-matrix - pythonbuild + # Permissions used for actions/attest-build-provenance + permissions: + id-token: write + attestations: write + runs-on: ${{ matrix.runner }} strategy: matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }} fail-fast: false - runs-on: ${{ matrix.runner }} name: ${{ matrix.target_triple }} / ${{ matrix.python }} / ${{ matrix.build_options }} steps: - uses: actions/checkout@v4 @@ -122,6 +126,12 @@ jobs: ./build-macos.py --target-triple ${{ matrix.target_triple }} --python cpython-${{ matrix.python }} --options ${{ matrix.build_options }} + - name: Generate attestations + uses: actions/attest-build-provenance@v2 + if: ${{ github.ref == 'refs/heads/main' }} + with: + subject-path: dist/* + - name: Upload Distributions if: ${{ ! matrix.dry-run }} uses: actions/upload-artifact@v4 diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index c625b410..179cfb99 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -51,7 +51,7 @@ jobs: pythonbuild_changed: ${{ steps.changed.outputs.pythonbuild_any_changed }} steps: - uses: actions/checkout@v4 - + - name: Set up Python uses: astral-sh/setup-uv@v4 @@ -61,7 +61,7 @@ jobs: # Convert GitHub labels array to comma-separated string LABELS=$(echo '${{ toJson(github.event.pull_request.labels.*.name) }}' | jq -r 'join(",")') echo "labels=$LABELS" >> $GITHUB_OUTPUT - + - name: Generate build matrix id: set-matrix run: | @@ -88,6 +88,10 @@ jobs: needs: - generate-matrix - pythonbuild + # Permissions used for actions/attest-build-provenance + permissions: + id-token: write + attestations: write runs-on: ${{ matrix.runner }} strategy: matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }} 
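Review bot: The added blank line between `attestations: write` and `runs-on:` in the macos.yml hunk at -87 has no counterpart in the linux.yml and windows.yml permissions blocks, where `runs-on:` follows `attestations: write` directly; dropping it keeps the three job headers identical. Moving `runs-on` above `strategy` is a harmless reorder.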
@@ -132,6 +136,12 @@ jobs: $Dists = Resolve-Path -Path "dist/*.tar.zst" -Relative .\pythonbuild.exe validate-distribution --run $Dists + - name: Generate attestations + uses: actions/attest-build-provenance@v2 + if: ${{ github.ref == 'refs/heads/main' }} + with: + subject-path: dist/* + - name: Upload Distributions uses: actions/upload-artifact@v4 with: