
Add support PEP-740 attestations for GitLab CI/CD #17125

Merged: 4 commits merged into pypi:main from ft/gitlab-pep740-attestations on Nov 20, 2024

Conversation

@facutuesca (Contributor) commented Nov 19, 2024

Adds support for uploading PEP-740 attestations generated from a GitLab CI/CD workflow.
The actual verification is done inside pypi-attestations, similar to GitHub.

Tested locally with an attestation signed from GitLab CI/CD:
[screenshot of the local upload test]

Rekor entry: https://search.sigstore.dev/?logIndex=149980684

Part of #17001

cc @woodruffw @di

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca facutuesca requested a review from a team as a code owner November 19, 2024 22:50
@facutuesca (Contributor, Author) commented Nov 19, 2024

TODO: Once merged, I'll open a PR adding documentation on how to generate the attestations from a GitLab workflow
docs PR here: #17133

@woodruffw (Member) left a review comment

LGTM, great work @facutuesca!

@woodruffw (Member) commented

Flagging one thing (could be done now or in a follow-up): the publisher macro also needs to be updated:

{% macro publisher(publ) -%}
{% if publ.kind == "GitHub" %}
<p>
Publisher: <a href="https://github.com/{{ publ.repository }}/blob/HEAD/.github/workflows/{{ publ.workflow }}">
<i class="fa-brands fa-github" aria-hidden="true"></i>
<code>{{ publ.workflow }}</code> on {{ publ.repository }}
</a>
</p>
{% endif %}
{%- endmacro %}
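
As an added example (not code from this PR or from warehouse), here is a stdlib-only Python mirror of the macro above with a GitLab branch added, keeping the link host fixed per provider and escaping every record-controlled value; the GitLab URL layout, the `fa-gitlab` icon class and the sample records are assumptions:

```python
import html
from typing import Optional

# Base URLs are fixed per provider so a publisher record can only select the
# path, never the host the link points at. The GitLab path layout is an
# assumption for this example, not taken from the warehouse codebase.
_WORKFLOW_URL = {
    "GitHub": "https://github.com/{repository}/blob/HEAD/.github/workflows/{workflow}",
    "GitLab": "https://gitlab.com/{repository}/-/blob/HEAD/{workflow}",
}
_ICON = {"GitHub": "fa-github", "GitLab": "fa-gitlab"}  # fa-gitlab is assumed


def render_publisher(publ: dict) -> Optional[str]:
    """Mirror of the `publisher` macro, extended with a GitLab branch.

    Returns the HTML <p> block, or None when `kind` is not a supported
    provider (the macro's `{% if %}` renders nothing in that case).
    """
    kind = publ.get("kind")
    if kind not in _WORKFLOW_URL:
        return None
    # Escape record-controlled values before they land in markup, for the
    # href and the visible text alike (Jinja autoescape does this in templates).
    repository = html.escape(publ["repository"], quote=True)
    workflow = html.escape(publ["workflow"], quote=True)
    href = _WORKFLOW_URL[kind].format(repository=repository, workflow=workflow)
    return (
        "<p>\n"
        f'Publisher: <a href="{href}">\n'
        f'<i class="fa-brands {_ICON[kind]}" aria-hidden="true"></i>\n'
        f"<code>{workflow}</code> on {repository}\n"
        "</a>\n"
        "</p>"
    )


# Constructed sample records, not real publisher data.
GITHUB_PUBL = {"kind": "GitHub", "repository": "pypi/warehouse", "workflow": "release.yml"}
GITLAB_PUBL = {"kind": "GitLab", "repository": "example/project", "workflow": ".gitlab-ci.yml"}
# A record value containing markup characters: it must be escaped, not rendered raw.
MARKUP_PUBL = {"kind": "GitLab", "repository": 'x"><script>', "workflow": "ci.yml"}

if __name__ == "__main__":
    for record in (GITHUB_PUBL, GITLAB_PUBL, MARKUP_PUBL):
        print(render_publisher(record))
```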

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca facutuesca force-pushed the ft/gitlab-pep740-attestations branch from 42462d5 to 72a62a8 on November 19, 2024 23:11
@facutuesca (Contributor, Author) commented

> Flagging one thing (could be done now or in a follow-up): the publisher macro also needs to be updated:

Good catch, fixed!

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca (Contributor, Author) commented

Opened PR for the docs here: #17133

@di di enabled auto-merge (squash) November 20, 2024 17:52
@di di merged commit 69f3af7 into pypi:main Nov 20, 2024
20 checks passed
@di di deleted the ft/gitlab-pep740-attestations branch November 20, 2024 18:13