Add attestations for release artifacts and Docker images #23111
ntBre merged 3 commits into astral-sh:main
Conversation
If this gets through, I'd be happy to make an analogous change to ty's release workflows, or create verification documentation similar to https://docs.astral.sh/uv/guides/integration/docker/#verifying-image-provenance |
Thanks @shaanmajid, I'll be able to give this a review in the coming days. |
No rush! FWIW, I heavily referenced uv's existing attestation setup when making this change (although uv's Docker build workflow is necessarily considerably more complicated -- this change is quite simple in comparison :D ). Also, quick heads up that I intentionally omitted the WASM build artifacts from the attestation filter in |
woodruffw
left a comment
Thanks @shaanmajid! This LGTM overall, I left a note about how we'll want to skip attestations on non-release runs of the Docker build workflow.
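As an illustration of the review note above (attest the image only on release runs, with just the permissions the attestation step needs), here is an added example workflow; it is not the PR's diff, and the trigger, image name and action versions are assumptions chosen for the example.

```yaml
name: Publish Docker image (illustrative example, not ruff's workflow)

on:
  push:
    tags: ["*"]      # assumed release trigger: a tag push
  pull_request:      # non-release runs build the image but never attest it

permissions:
  contents: read

jobs:
  docker-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write      # required to obtain the Sigstore signing identity
      attestations: write  # required to store the attestation on GitHub
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}  # assumed image name
      # Attest only on tagged release runs. PR and branch builds never push an
      # image, so there is no published digest to attest, and attesting a
      # non-release build would mint provenance for an artifact nobody ships.
      - uses: actions/attest-build-provenance@v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.build.outputs.digest }}  # bind provenance to the exact image digest
          push-to-registry: true
```

Binding the attestation to the pushed digest rather than a tag is what lets a consumer's `gh attestation verify oci://...` check fail if the tag is later moved to a different image.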
woodruffw
left a comment
Whoops, meant to mark as needing changes.
Thank you! And thanks William for the review! |
Thanks to both of y'all for getting this through! Now that this is merged, would a similar PR adding attestations to ty's release workflows be welcome? Happy to put that together if so :) |
Yes, thanks! Feel free to ping me on it and I'll own review. |
Awesome, will do! |
* main: (43 commits)
  - [`ruff`] Suppress diagnostic for strings with backslashes in interpolations before Python 3.12 (`RUF027`) (#21069)
  - [flake8-bugbear] Fix B023 false positive for immediately-invoked lambdas (#23294)
  - [ty] Add `Final` mdtests for loops and redeclaration (#23331)
  - [`flake8-pyi`] Also check string annotations (`PYI041`) (#19023)
  - Remove AlexWaygood as a flake8-pyi codeowner (#23347)
  - [ty] Add comments to clarify the purpose of `NominalInstanceType::class_name` and `NominalInstanceType::class_module_name` (#23339)
  - Add attestations for release artifacts and Docker images (#23111)
  - [ty] Fix `assert_type` diagnostic messages (#23342)
  - [ty] Force-update all insta snapshots (#23343)
  - Add Q004 to the list of conflicting rules (#23340)
  - [ty] Fix `invalid-match-pattern` false positives (#23338)
  - [ty] new diagnostic called-match-pattern-must-be-a-type (#22939)
  - [ty] Update flaky projects (#23337)
  - [ty] Increase timeout for ecosystem report to 40 min (#23336)
  - Bump ecosystem-analyzer pin (#23335)
  - [ty] Replace `strsim` with CPython-based Levenshtein implementation (#23291)
  - [ty] Add mdtest for staticmethod assigned in class body (#23330)
  - [ty] fix inferring type variable from string literal argument (#23326)
  - [ty] bytes literal is a sequence of integers (#23329)
  - Update rand and getrandom (#23333)
  - ...
Summary
Adds GitHub artifact attestations (SLSA provenance) for release artifacts and Docker images.
Users will be able to verify artifacts with:
Test Plan
Tested end-to-end releases and attestation verification on my fork. (Note: some finagling was necessary to successfully publish without a dedicated depot runner, see a5d9838.)
Verify release artifacts:

```shell
gh release download 0.15.0 --repo shaanmajid/ruff --pattern "ruff-x86_64-unknown-linux-gnu.tar.gz" --dir /tmp
gh attestation verify /tmp/ruff-x86_64-unknown-linux-gnu.tar.gz --repo shaanmajid/ruff
```

Verify Docker images:
Notes
`actions/attest-build-provenance` was preexisting in `dist-workspace.toml` but was unused, so the upgrade across major versions is safe.