feat: add attestations (#445)

Signed-off-by: Henry Schreiner <[email protected]>
scientific-python · Jun 28, 2024 · 23926fe · 23926fe
1 parent 72cd9b3
commit 23926fe
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 1 deletion.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -26,6 +26,8 @@ jobs:
       url: https://pypi.org/p/sp-repo-review
     permissions:
       id-token: write
+      attestations: write
+      contents: read
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
     steps:
@@ -34,4 +36,9 @@ jobs:
           name: Packages
           path: dist
 
+      - name: Generate artifact attestation for sdist and wheel
+        uses: actions/[email protected]
+        with:
+          subject-path: "dist/*"
+
       - uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/docs/pages/guides/gha_pure.md b/docs/pages/guides/gha_pure.md
@@ -143,6 +143,8 @@ publish:
   environment: pypi
   permissions:
     id-token: write
+    attestations: write
+    contents: read
   runs-on: ubuntu-latest
   if: github.event_name == 'release' && github.event.action == 'published'
   steps:
@@ -151,6 +153,11 @@ publish:
         name: Packages
         path: dist
 
+    - name: Generate artifact attestation for sdist and wheel
+      uses: actions/[email protected]
+      with:
+        subject-path: "dist/*"
+
     - uses: pypa/gh-action-pypi-publish@release/v1
 ```
 
@@ -162,6 +169,9 @@ allow pushes from GitHub. If it's the first time you've published a package, go
 to the [PyPI trusted publisher docs] for instructions on preparing PyPI to
 accept your initial package publish.
 
+We are also generating artifact attestations, which can allow users to verify
+that the artifacts were built on your actions.
+
 {% endtab %} {% tab token Token %}
 
 {% raw %}
@@ -230,6 +240,8 @@ jobs:
     environment: pypi
     permissions:
       id-token: write
+      attestations: write
+      contents: read
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
 
@@ -239,6 +251,11 @@ jobs:
           name: Packages
           path: dist
 
+      - name: Generate artifact attestation for sdist and wheel
+        uses: actions/[email protected]
+        with:
+          subject-path: "dist/*"
+
       - uses: pypa/gh-action-pypi-publish@release/v1
 ```
 

diff --git a/docs/pages/guides/gha_wheels.md b/docs/pages/guides/gha_wheels.md
@@ -91,7 +91,7 @@ make_sdist:
 ```
 
 You can instead install build via pip and use `python -m build --sdist`. You can
-also pin the version with `pipx run --spec build==... build`.
+also pin the version with `pipx run build==<version>`.
 
 ## The core job (3 main OS's)
 
@@ -150,6 +150,9 @@ you want a different supported image, set `CIBW_MANYLINUX_X86_64_IMAGE`,
 `CIBW_MANYLINUX_I686_IMAGE`, etc. If you always need a specific image, you can
 set that in the `pyproject.toml` file instead.
 
+You can speed up the build by specifying the `build[uv]` build-frontend option
+and pre-installing `uv` on the runners.
+
 ## Publishing
 
 {% tabs %} {% tab oidc Trusted Publishing %}
@@ -162,6 +165,9 @@ upload_all:
   environment: pypi
   permissions:
     id-token: write
+    attestations: write
+    contents: read
+
   runs-on: ubuntu-latest
   if: github.event_name == 'release' && github.event.action == 'published'
   steps:
@@ -171,6 +177,11 @@ upload_all:
         path: dist
         merge-multiple: true
 
+    - name: Generate artifact attestations
+      uses: actions/[email protected]
+      with:
+        subject-path: "dist/*"
+
     - uses: pypa/gh-action-pypi-publish@release/v1
 ```
 
@@ -182,6 +193,9 @@ allow pushes from GitHub. If it's the first time you've published a package, go
 to the [PyPI trusted publisher docs] for instructions on preparing PyPI to
 accept your initial package publish.
 
+We are also generating artifact attestations, which can allow users to verify
+that the artifacts were built on your actions.
+
 {% endtab %} {% tab token Token %}
 
 {% raw %}

diff --git a/...roject_name}}/.github/workflows/{% if cookiecutter.__type!='compiled' %}cd.yml{% endif %} b/...roject_name}}/.github/workflows/{% if cookiecutter.__type!='compiled' %}cd.yml{% endif %}
@@ -37,6 +37,8 @@ jobs:
     environment: pypi
     permissions:
       id-token: write
+      attestations: write
+      contents: read
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
 
@@ -46,6 +48,11 @@ jobs:
           name: Packages
           path: dist
 
+      - name: Generate artifact attestation for sdist and wheel
+        uses: actions/[email protected]
+        with:
+          subject-path: "dist/*"
+
       - uses: pypa/gh-action-pypi-publish@release/v1
         with:
           # Remember to tell (test-)pypi about this repo before publishing

diff --git a/...roject_name}}/.github/workflows/{% if cookiecutter.__type=='compiled' %}cd.yml{% endif %} b/...roject_name}}/.github/workflows/{% if cookiecutter.__type=='compiled' %}cd.yml{% endif %}
@@ -61,6 +61,8 @@ jobs:
     environment: pypi
     permissions:
       id-token: write
+      attestations: write
+      contents: read
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
 
@@ -71,6 +73,11 @@ jobs:
           path: dist
           merge-multiple: true
 
+      - name: Generate artifact attestations
+        uses: actions/[email protected]
+        with:
+          subject-path: "dist/*"
+
       - uses: pypa/gh-action-pypi-publish@release/v1
         with:
           # Remember to tell (test-)pypi about this repo before publishing