Expose PEP 740 attestations functionality #236
Conversation
|
I've confirmed that the basic version of this works as expected ( |
|
@woodruffw I just bumped Twine FYI. And pre-commit is fine now. Rebasing should get the blockers out of the way. |
Good timing, so did @facutuesca 😅 |
Signed-off-by: William Woodruff <william@trailofbits.com>
|
I'm squashing and rebasing this branch now |
facutuesca
force-pushed
the
ww/attestations
branch
from
46986ef
to
b526ff8
Compare
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
|
@woodruffw @webknjaz The remaining lint failure is due to an error message string ( |
That's what I was thinking originally, although I think the "clean" thing to do here would be to turn the Python files here into a project structure that gets installed as part of the Docker image's build. But that's a little heavyweight, so @webknjaz may have another idea 🙂 |
|
I'm leaning towards just being available on |
|
@woodruffw hey, it looks like GitHub rolled out their own attestations in beta: https://github.com/actions/attest-build-provenance / https://github.com/pypa/gh-action-pypi-publish/attestations / https://github.com/orgs/community/discussions/122028. I wonder if we could somehow integrate with that... And it seems like there's even a new privilege |
|
(Sorry, was on PTO -- catching up on mentions now)
Yep, I've been thinking about how to make integrate the two -- the last comment on the PEP discussion thread suggests an approach that would allow GitHub-generated attestations to be compatible with this PEP. TL;DR: I think our options here are:
|
|
Just to update here: I've begun updating PEP 740 to be compatible with what GitHub's artifact attestations feature is doing, and it looks like it'll be pretty smooth. That then leaves the question of how to approach attestation generation here 🙂:
steps:
- name: attest
# does not exist yet!
uses: pypa/gh-action-pypi-attest
with:
# this would be the default; just for illustration
packages-dir: dist/
- name: publish
uses: pypa/gh-action-pypi-publish@release/v1The benefit to approach (2) is that it's more devolved and can be built up on top of Edit: for context, the reason we can't use |
|
Awesome stuff! I would much prefer option 1, we should prioritize UX. |
|
I agree with @ofek that ergonomics is the most important part here, requiring users add another action step means we will see delayed rollout of the feature compared to adding it on to the existing workflow. |
|
SG, I'll keep going with the current approach then 🙂 |
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
|
This is good for an initial review! To summarize:
|
|
@woodruffw Just double checking long-term strategy, is the |
Yes, exactly -- my thinking is that it's already non-default due to the tail of people using older versions of this action, so having it be (temporarily) opt-in makes experimenting easier while giving us the ability to flip the switch once everything is stable. |
|
Sorry I didn't react earlier. I also think that UX is important. Not sure how well it plays with uploading attestations to GitHub, though. Can we attempt relying on the Another thought: why do we need to make |
Feel free! It should be as easy as replacing the stable v1 ref with my fork + branch and enabling the (You may want to start with just TestPyPI, to avoid spamming the admins with alerts on production.) |
|
None of my projects officially use the test environment.😂 |
Signed-off-by: William Woodruff <william@trailofbits.com>
|
Gentle ping for review 🙂 -- we're getting close to enabling attestation persistence on PyPI, so being able to roll this out (with the current toggle) will help us smoke test the functionality there. |
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
...to make the linters happy. Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
| # Setting `attestations: true` with an index other than PyPI or TestPyPI | ||
| # indicates user confusion, since attestations are not supported on other | ||
| # indices presently. | ||
| if [[ ! "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]] ; then | ||
| echo "${ATTESTATIONS_WRONG_INDEX_WARNING}" | ||
| INPUT_ATTESTATIONS="false" | ||
| fi |
There was a problem hiding this comment.
Is this necessary given pypa/twine#1099?
There was a problem hiding this comment.
It's not necessary, since twine will catch this case and produce an appropriate error. OTOH catching it here might make the error slightly more intelligible, since the twine error doesn't get propagated into a ::warning annotation like this one does.
This is similar to how the action pre-validates the dist directory, even though twine also validates it. But if you think it makes it makes things more confusing than necessary, I can drop this check 🙂
There was a problem hiding this comment.
I think it's probably fine for this to catch it before twine and give a more tailored error message, I'm mostly just thinking about the long-term pain of maintaining/updating this list of supported indexes in multiple places, but this is fine for now.
|
v1.10.0 is now live. Appologies that it took so long to merge this. |
|
No problem whatsoever! Thank you for your diligent reviews and for seeing this through! |
|
UPD: Upon seeing Dependabot sending bumps of this version to repositories, I improved the release notes to include a call to try out attestations with that code example so it's discoverable more easily. |
pypa/gh-action-pypi-publish#236 Co-authored-by: Hynek Schlawack <hs@ox.cx>
|
@woodruffw looks like the sanity check is broken — it exploded in attrs.. |
|
UPD: v1.10.1 fixed that bug via 0ab0b79 and Hugo reported that it works. |
attestations.py
Outdated
| for dist_path in dist_paths: | ||
| if not dist_path.is_file(): | ||
| die(f'Path looks like a distribution but is not a file: {dist_path}') | ||
| if (invalid_dists := [_path for _path in dist_paths if _path.is_file()]): |
There was a problem hiding this comment.
This is where the bug snuck in that needed fixing by 0ab0b79.
There was a problem hiding this comment.
🤦 thanks for fixing that.
…again (#1345) Opt into uploading PEP 740 digital publish attestations to PyPI pypa/gh-action-pypi-publish#236 Co-authored-by: Hynek Schlawack <hs@ox.cx>
) * Build(deps): Bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.0 Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](pypa/gh-action-pypi-publish@v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: pypa/gh-action-pypi-publish dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Opt into uploading PEP 740 digital publish attestations to PyPI pypa/gh-action-pypi-publish#236 * Bump `pypa/gh-action-pypi-publish` 1.10.1 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>
WIP, still experimenting here. Not ready for review 🙂This adds PEP 740 attestation generation to the workflow: when the Trusted Publishing flow is used, this will generate a publish attestation for each distribution being uploaded. These generated attestations are then fed into
twine, which newly supports them via--attestations.Breakdown:
twine --attestationsSee: pypi/warehouse#15871