Skip to content

Generate build provenance attestation during deployment #7419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sc0ttkclark merged 2 commits into from
May 1, 2025
Merged

Generate build provenance attestation during deployment #7419

sc0ttkclark merged 2 commits into from
May 1, 2025

Conversation

@johnbillion
Copy link
Contributor

@johnbillion johnbillion commented Apr 23, 2025

Description

This uses the WordPress Plugin Attestation action to generate a build provenance attestation for the zip file of Pods. This ties the zip file on wordpress.org back to the GitHub Actions workflow that performed the deployment.

Testing instructions

This isn't testable in isolation because the workflow only runs when you publish a release, but it's used by several other plugins.

Changelog text for these changes

Enhancement: A build provenance attestation is now generated for each deployment to the wordpress.org plugin directory. (@johnbillion)

@sc0ttkclark sc0ttkclark added this to the Pods 3.2.9 milestone May 1, 2025
@sc0ttkclark sc0ttkclark merged commit 8d21545 into pods-framework:main May 1, 2025
@sc0ttkclark
Copy link
Member

sc0ttkclark commented May 1, 2025

Thanks @johnbillion!

@sc0ttkclark
Copy link
Member

sc0ttkclark commented May 1, 2025

@johnbillion experienced an issue here with this step https://github.com/pods-framework/pods/actions/runs/14779424219/job/41494876895#step:6:80

@sc0ttkclark
Copy link
Member

sc0ttkclark commented May 1, 2025 

Run unzip -q -d zip-deployed "${PLUGIN}.zip"
  unzip -q -d zip-deployed "${PLUGIN}.zip"
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    PLUGIN_VERSION: 
    PLUGIN_HOST: downloads.wordpress.org
    PLUGIN: pods
  
Run unzip -q -d zip-generated "${ZIP_PATH}"
  unzip -q -d zip-generated "${ZIP_PATH}"
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    PLUGIN_VERSION: 
    PLUGIN_HOST: downloads.wordpress.org
    ZIP_PATH: 
unzip:  cannot find or open , .zip or .ZIP.

@johnbillion
Copy link
Contributor Author

johnbillion commented May 1, 2025

I'll take a look

@johnbillion
Copy link
Contributor Author

johnbillion commented May 1, 2025

@sc0ttkclark You're using 10up/action-wordpress-plugin-deploy@master but the master branch of that repo hasn't been updated in six years! So its inputs don't match the latest release. If you want the latest it needs to be the develop branch, but I would pin it to a version such as @2.3.0 for safety.

@johnbillion johnbillion deleted the build-provenance branch May 2, 2025 11:59
@sc0ttkclark
Copy link
Member

sc0ttkclark commented May 2, 2025

@johnbillion Doh! Thanks :) Updated for the next release.

@sc0ttkclark
Copy link
Member

sc0ttkclark commented May 2, 2025

@johnbillion just ran another build but it failed, the original PR here did not have the permissions set in the action too:

permissions:
  id-token: write
  attestations: write

Added for next time.

@johnbillion
Copy link
Contributor Author

johnbillion commented May 2, 2025

Whoops I didn't follow my own instructions!

@szepeviktor
Copy link
Contributor

szepeviktor commented May 2, 2025

Where are attestations? https://github.com/pods-framework/pods/attestations

@sclark3-godaddy
Copy link

sclark3-godaddy commented May 2, 2025

@szepeviktor it hasn't run yet, on the next release it should make it all the way through.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sc0ttkclark sc0ttkclark sc0ttkclark approved these changes

@JoryHogeveen JoryHogeveen Awaiting requested review from JoryHogeveen JoryHogeveen is a code owner

Assignees

@johnbillion johnbillion

Labels

Type: Tools

Projects

None yet

Milestone

Pods 3.3

Development

Successfully merging this pull request may close these issues.

4 participants

@johnbillion @sc0ttkclark @szepeviktor @sclark3-godaddy