
add GitHub artifact attestations for releases (#21953)
Add GitHub release attestations using the https://github.com/actions/attest-build-provenance/ action.
tdyas authored Feb 17, 2025
1 parent 5af291d commit 4e3f86f
Showing 3 changed files with 166 additions and 18 deletions.
122 changes: 106 additions & 16 deletions .github/workflows/release.yaml
Expand Up @@ -15,6 +15,10 @@ jobs:
name: Build wheels (Linux-ARM64)
needs:
- release_info
permissions:
attestations: write
contents: read
id-token: write
runs-on:
- self-hosted
- runs-on
Expand Down Expand Up @@ -73,17 +77,34 @@ jobs:
name: logs-wheels-and-pex-Linux-ARM64
overwrite: 'true'
path: .pants.d/workdir/*.log
- if: needs.release_info.outputs.is-release == 'true'
name: Attest the pantsbuild.pants wheel
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl
- if: needs.release_info.outputs.is-release == 'true'
name: Rename the Pants Pex to its final name for upload
run: 'PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
'
- continue-on-error: true
if: needs.release_info.outputs.is-release == 'true'
name: Attest the Pants Pex artifact
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/src.python.pants/*.pex
- if: needs.release_info.outputs.is-release == 'true'
name: Upload Wheel and Pex
run: "PANTS_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"\
import pants.version;print(pants.version.VERSION)\")\nPY_VER=$(PEX_INTERPRETER=1\
\ dist/src.python.pants/pants-pex.pex -c \"import sys;print(f'cp{sys.version_info[0]}{sys.version_info[1]}')\"\
)\nPLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"import\
\ os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')\"\
)\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\nmv dist/src.python.pants/pants-pex.pex\
\ dist/src.python.pants/$PEX_FILENAME\n\ncurl -L --fail \\\n -X POST \\\
\n -H \"Authorization: Bearer ${{ github.token }}\" \\\n -H \"Content-Type:\
\ application/octet-stream\" \\\n ${{ needs.release_info.outputs.release-asset-upload-url\
)\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\ncurl -L --fail \\\n\
\ -X POST \\\n -H \"Authorization: Bearer ${{ github.token }}\" \\\n\
\ -H \"Content-Type: application/octet-stream\" \\\n ${{ needs.release_info.outputs.release-asset-upload-url\
\ }}?name=$PEX_FILENAME \\\n --data-binary \"@dist/src.python.pants/$PEX_FILENAME\"\
\n\nWHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants-*.whl\"\
)\ncurl -L --fail \\\n -X POST \\\n -H \"Authorization: Bearer ${{ github.token\
Expand All @@ -102,6 +123,10 @@ jobs:
name: Build wheels (Linux-x86_64)
needs:
- release_info
permissions:
attestations: write
contents: read
id-token: write
runs-on:
- ubuntu-22.04
steps:
Expand Down Expand Up @@ -160,23 +185,46 @@ jobs:
name: logs-wheels-and-pex-Linux-x86_64
overwrite: 'true'
path: .pants.d/workdir/*.log
- if: needs.release_info.outputs.is-release == 'true'
name: Attest the pantsbuild.pants wheel
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl
- if: needs.release_info.outputs.is-release == 'true'
name: Rename the Pants Pex to its final name for upload
run: 'PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
'
- continue-on-error: true
if: needs.release_info.outputs.is-release == 'true'
name: Attest the Pants Pex artifact
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/src.python.pants/*.pex
- if: needs.release_info.outputs.is-release == 'true'
name: Upload Wheel and Pex
run: "PANTS_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"\
import pants.version;print(pants.version.VERSION)\")\nPY_VER=$(PEX_INTERPRETER=1\
\ dist/src.python.pants/pants-pex.pex -c \"import sys;print(f'cp{sys.version_info[0]}{sys.version_info[1]}')\"\
)\nPLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"import\
\ os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')\"\
)\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\nmv dist/src.python.pants/pants-pex.pex\
\ dist/src.python.pants/$PEX_FILENAME\n\ncurl -L --fail \\\n -X POST \\\
\n -H \"Authorization: Bearer ${{ github.token }}\" \\\n -H \"Content-Type:\
\ application/octet-stream\" \\\n ${{ needs.release_info.outputs.release-asset-upload-url\
)\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\ncurl -L --fail \\\n\
\ -X POST \\\n -H \"Authorization: Bearer ${{ github.token }}\" \\\n\
\ -H \"Content-Type: application/octet-stream\" \\\n ${{ needs.release_info.outputs.release-asset-upload-url\
\ }}?name=$PEX_FILENAME \\\n --data-binary \"@dist/src.python.pants/$PEX_FILENAME\"\
\n\nWHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants-*.whl\"\
)\ncurl -L --fail \\\n -X POST \\\n -H \"Authorization: Bearer ${{ github.token\
\ }}\" \\\n -H \"Content-Type: application/octet-stream\" \\\n \"${{\
\ needs.release_info.outputs.release-asset-upload-url }}?name=$(basename $WHL)\"\
\ \\\n --data-binary \"@$WHL\";\n"
- continue-on-error: true
if: needs.release_info.outputs.is-release == 'true'
name: Attest the pantsbuild.pants.testutil wheel
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants.testutil*.whl
- if: needs.release_info.outputs.is-release == 'true'
name: Upload testutil Wheel
run: "WHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants.testutil*.whl\"\
Expand All @@ -194,6 +242,10 @@ jobs:
name: Build wheels (macOS13-x86_64)
needs:
- release_info
permissions:
attestations: write
contents: read
id-token: write
runs-on:
- macos-13
steps:
Expand Down Expand Up @@ -270,17 +322,34 @@ jobs:
name: logs-wheels-and-pex-macOS13-x86_64
overwrite: 'true'
path: .pants.d/workdir/*.log
- if: needs.release_info.outputs.is-release == 'true'
name: Attest the pantsbuild.pants wheel
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl
- if: needs.release_info.outputs.is-release == 'true'
name: Rename the Pants Pex to its final name for upload
run: 'PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
'
- continue-on-error: true
if: needs.release_info.outputs.is-release == 'true'
name: Attest the Pants Pex artifact
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/src.python.pants/*.pex
- if: needs.release_info.outputs.is-release == 'true'
name: Upload Wheel and Pex
run: "PANTS_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"\
import pants.version;print(pants.version.VERSION)\")\nPY_VER=$(PEX_INTERPRETER=1\
\ dist/src.python.pants/pants-pex.pex -c \"import sys;print(f'cp{sys.version_info[0]}{sys.version_info[1]}')\"\
)\nPLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"import\
\ os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')\"\
)\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\nmv dist/src.python.pants/pants-pex.pex\
\ dist/src.python.pants/$PEX_FILENAME\n\ncurl -L --fail \\\n -X POST \\\
\n -H \"Authorization: Bearer ${{ github.token }}\" \\\n -H \"Content-Type:\
\ application/octet-stream\" \\\n ${{ needs.release_info.outputs.release-asset-upload-url\
)\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\ncurl -L --fail \\\n\
\ -X POST \\\n -H \"Authorization: Bearer ${{ github.token }}\" \\\n\
\ -H \"Content-Type: application/octet-stream\" \\\n ${{ needs.release_info.outputs.release-asset-upload-url\
\ }}?name=$PEX_FILENAME \\\n --data-binary \"@dist/src.python.pants/$PEX_FILENAME\"\
\n\nWHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants-*.whl\"\
)\ncurl -L --fail \\\n -X POST \\\n -H \"Authorization: Bearer ${{ github.token\
Expand All @@ -297,6 +366,10 @@ jobs:
name: Build wheels (macOS14-ARM64)
needs:
- release_info
permissions:
attestations: write
contents: read
id-token: write
runs-on:
- macos-14
steps:
Expand Down Expand Up @@ -369,17 +442,34 @@ jobs:
name: logs-wheels-and-pex-macOS14-ARM64
overwrite: 'true'
path: .pants.d/workdir/*.log
- if: needs.release_info.outputs.is-release == 'true'
name: Attest the pantsbuild.pants wheel
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl
- if: needs.release_info.outputs.is-release == 'true'
name: Rename the Pants Pex to its final name for upload
run: 'PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
'
- continue-on-error: true
if: needs.release_info.outputs.is-release == 'true'
name: Attest the Pants Pex artifact
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/src.python.pants/*.pex
- if: needs.release_info.outputs.is-release == 'true'
name: Upload Wheel and Pex
run: "PANTS_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"\
import pants.version;print(pants.version.VERSION)\")\nPY_VER=$(PEX_INTERPRETER=1\
\ dist/src.python.pants/pants-pex.pex -c \"import sys;print(f'cp{sys.version_info[0]}{sys.version_info[1]}')\"\
)\nPLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"import\
\ os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')\"\
)\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\nmv dist/src.python.pants/pants-pex.pex\
\ dist/src.python.pants/$PEX_FILENAME\n\ncurl -L --fail \\\n -X POST \\\
\n -H \"Authorization: Bearer ${{ github.token }}\" \\\n -H \"Content-Type:\
\ application/octet-stream\" \\\n ${{ needs.release_info.outputs.release-asset-upload-url\
)\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\ncurl -L --fail \\\n\
\ -X POST \\\n -H \"Authorization: Bearer ${{ github.token }}\" \\\n\
\ -H \"Content-Type: application/octet-stream\" \\\n ${{ needs.release_info.outputs.release-asset-upload-url\
\ }}?name=$PEX_FILENAME \\\n --data-binary \"@dist/src.python.pants/$PEX_FILENAME\"\
\n\nWHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants-*.whl\"\
)\ncurl -L --fail \\\n -X POST \\\n -H \"Authorization: Bearer ${{ github.token\
16 changes: 16 additions & 0 deletions .github/workflows/test.yaml
Expand Up @@ -336,6 +336,10 @@ jobs:
name: Build wheels (Linux-ARM64)
needs:
- classify_changes
permissions:
attestations: write
contents: read
id-token: write
runs-on:
- self-hosted
- runs-on
Expand Down Expand Up @@ -406,6 +410,10 @@ jobs:
name: Build wheels (Linux-x86_64)
needs:
- classify_changes
permissions:
attestations: write
contents: read
id-token: write
runs-on:
- ubuntu-22.04
steps:
Expand Down Expand Up @@ -474,6 +482,10 @@ jobs:
name: Build wheels (macOS13-x86_64)
needs:
- classify_changes
permissions:
attestations: write
contents: read
id-token: write
runs-on:
- macos-13
steps:
Expand Down Expand Up @@ -560,6 +572,10 @@ jobs:
name: Build wheels (macOS14-ARM64)
needs:
- classify_changes
permissions:
attestations: write
contents: read
id-token: write
runs-on:
- macos-14
steps:
46 changes: 44 additions & 2 deletions src/python/pants_release/generate_github_workflows.py
Expand Up @@ -21,6 +21,7 @@
def action(name: str) -> str:
version_map = {
"action-send-mail": "dawidd6/[email protected]",
"attest-build-provenance": "actions/attest-build-provenance@v2",
"cache": "actions/cache@v4",
"checkout": "actions/checkout@v4",
"download-artifact": "actions/download-artifact@v4",
Expand Down Expand Up @@ -880,6 +881,11 @@ def build_wheels_job(
"if": if_condition,
"name": f"Build wheels ({str(platform.value)})",
"runs-on": helper.runs_on(),
"permissions": {
"id-token": "write",
"contents": "read",
"attestations": "write",
},
**({"container": container} if container else {}),
**({"needs": needs} if needs else {}),
"timeout-minutes": 90,
Expand Down Expand Up @@ -913,6 +919,34 @@ def build_wheels_job(
helper.upload_log_artifacts(name="wheels-and-pex"),
*(
[
{
"name": "Attest the pantsbuild.pants wheel",
"if": "needs.release_info.outputs.is-release == 'true'",
"uses": action("attest-build-provenance"),
"with": {
"subject-path": "dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl",
},
},
{
"name": "Rename the Pants Pex to its final name for upload",
"if": "needs.release_info.outputs.is-release == 'true'",
"run": dedent(
"""\
PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
"""
),
},
{
"name": "Attest the Pants Pex artifact",
"if": "needs.release_info.outputs.is-release == 'true'",
"uses": action("attest-build-provenance"),
"with": {
"subject-path": "dist/src.python.pants/*.pex",
},
# Temporary: Allow errors in this step while we test the release workflow.
"continue-on-error": True,
},
{
"name": "Upload Wheel and Pex",
"if": "needs.release_info.outputs.is-release == 'true'",
Expand All @@ -927,8 +961,6 @@ def build_wheels_job(
PLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c "import os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')")
PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
curl -L --fail \\
-X POST \\
-H "Authorization: Bearer ${{ github.token }}" \\
Expand All @@ -948,6 +980,16 @@ def build_wheels_job(
},
*(
[
{
"name": "Attest the pantsbuild.pants.testutil wheel",
"if": "needs.release_info.outputs.is-release == 'true'",
"uses": action("attest-build-provenance"),
"with": {
"subject-path": "dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants.testutil*.whl",
},
# Temporary: Allow errors in this step while we test the release workflow.
"continue-on-error": True,
},
{
"name": "Upload testutil Wheel",
"if": "needs.release_info.outputs.is-release == 'true'",
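Review bot: The `"contents": "read"` entry in the `permissions` dict added to `build_wheels_job` is narrower than the unchanged "Upload Wheel and Pex" step in the same job needs: that step POSTs to `release-asset-upload-url` with `${{ github.token }}`, and uploading a release asset requires `contents: write` on the GITHUB_TOKEN, so if the job previously relied on the workflow's default scope the upload will now be rejected — either change the line to `"contents": "write"` or move the attestation steps into a separate job so the build job can keep read-only contents. The new "Rename the Pants Pex to its final name for upload" step builds `PEX_FILENAME` from `$PANTS_VER`, `$PY_VER` and `$PLAT`, yet those are still computed only inside the later upload step's script; unless an earlier step outside this hunk exports them via `$GITHUB_ENV`, they are empty when the rename runs, the file becomes `pants.--.pex`, the `dist/src.python.pants/*.pex` attestation glob signs that mis-named file, and the upload step then looks for the correctly named one — move the three computations into the rename step, or have the rename step write `PEX_FILENAME` to `$GITHUB_ENV` and drop the recomputation from the upload step. The permissions block is emitted for every `build_wheels_job` output, including the `test.yaml` jobs (whose generated sections appear above) that never run an attestation step, so `id-token: write` is granted where nothing uses it; gating the block on the same release condition as the steps would keep OIDC token minting confined to release runs. The "Temporary" `continue-on-error` comment appears on the pex and testutil attestations but not on the wheel attestation; a one-line comment such as `# The pantsbuild.pants wheel attestation is required; the others are best-effort while the workflow is validated.` would make the intended policy explicit. `build_wheels_job` begins and ends outside this hunk, and the generated `release.yaml` sections mirror these points.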
