add GitHub artifact attestations for releases (#21953)

tdyas · web-flow · commit 4e3f86f887d2 · 2025-02-17T15:58:23.000-05:00
Add GitHub release attestations using the https://github.com/actions/attest-build-provenance/ action.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,6 +15,10 @@ jobs:
     name: Build wheels (Linux-ARM64)
     needs:
     - release_info
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
     runs-on:
     - self-hosted
     - runs-on
@@ -73,17 +77,34 @@ jobs:
         name: logs-wheels-and-pex-Linux-ARM64
         overwrite: 'true'
         path: .pants.d/workdir/*.log
+    - if: needs.release_info.outputs.is-release == 'true'
+      name: Attest the pantsbuild.pants wheel
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl
+    - if: needs.release_info.outputs.is-release == 'true'
+      name: Rename the Pants Pex to its final name for upload
+      run: 'PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
+
+        mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
+
+        '
+    - continue-on-error: true
+      if: needs.release_info.outputs.is-release == 'true'
+      name: Attest the Pants Pex artifact
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: dist/src.python.pants/*.pex
     - if: needs.release_info.outputs.is-release == 'true'
       name: Upload Wheel and Pex
       run: "PANTS_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"\
         import pants.version;print(pants.version.VERSION)\")\nPY_VER=$(PEX_INTERPRETER=1\
         \ dist/src.python.pants/pants-pex.pex -c \"import sys;print(f'cp{sys.version_info[0]}{sys.version_info[1]}')\"\
         )\nPLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"import\
         \ os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')\"\
-        )\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\nmv dist/src.python.pants/pants-pex.pex\
-        \ dist/src.python.pants/$PEX_FILENAME\n\ncurl -L --fail \\\n    -X POST \\\
-        \n    -H \"Authorization: Bearer ${{ github.token }}\" \\\n    -H \"Content-Type:\
-        \ application/octet-stream\" \\\n    ${{ needs.release_info.outputs.release-asset-upload-url\
+        )\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\ncurl -L --fail \\\n\
+        \    -X POST \\\n    -H \"Authorization: Bearer ${{ github.token }}\" \\\n\
+        \    -H \"Content-Type: application/octet-stream\" \\\n    ${{ needs.release_info.outputs.release-asset-upload-url\
         \ }}?name=$PEX_FILENAME \\\n    --data-binary \"@dist/src.python.pants/$PEX_FILENAME\"\
         \n\nWHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants-*.whl\"\
         )\ncurl -L --fail \\\n    -X POST \\\n    -H \"Authorization: Bearer ${{ github.token\
@@ -102,6 +123,10 @@ jobs:
     name: Build wheels (Linux-x86_64)
     needs:
     - release_info
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
     runs-on:
     - ubuntu-22.04
     steps:
@@ -160,23 +185,46 @@ jobs:
         name: logs-wheels-and-pex-Linux-x86_64
         overwrite: 'true'
         path: .pants.d/workdir/*.log
+    - if: needs.release_info.outputs.is-release == 'true'
+      name: Attest the pantsbuild.pants wheel
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl
+    - if: needs.release_info.outputs.is-release == 'true'
+      name: Rename the Pants Pex to its final name for upload
+      run: 'PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
+
+        mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
+
+        '
+    - continue-on-error: true
+      if: needs.release_info.outputs.is-release == 'true'
+      name: Attest the Pants Pex artifact
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: dist/src.python.pants/*.pex
     - if: needs.release_info.outputs.is-release == 'true'
       name: Upload Wheel and Pex
       run: "PANTS_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"\
         import pants.version;print(pants.version.VERSION)\")\nPY_VER=$(PEX_INTERPRETER=1\
         \ dist/src.python.pants/pants-pex.pex -c \"import sys;print(f'cp{sys.version_info[0]}{sys.version_info[1]}')\"\
         )\nPLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"import\
         \ os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')\"\
-        )\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\nmv dist/src.python.pants/pants-pex.pex\
-        \ dist/src.python.pants/$PEX_FILENAME\n\ncurl -L --fail \\\n    -X POST \\\
-        \n    -H \"Authorization: Bearer ${{ github.token }}\" \\\n    -H \"Content-Type:\
-        \ application/octet-stream\" \\\n    ${{ needs.release_info.outputs.release-asset-upload-url\
+        )\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\ncurl -L --fail \\\n\
+        \    -X POST \\\n    -H \"Authorization: Bearer ${{ github.token }}\" \\\n\
+        \    -H \"Content-Type: application/octet-stream\" \\\n    ${{ needs.release_info.outputs.release-asset-upload-url\
         \ }}?name=$PEX_FILENAME \\\n    --data-binary \"@dist/src.python.pants/$PEX_FILENAME\"\
         \n\nWHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants-*.whl\"\
         )\ncurl -L --fail \\\n    -X POST \\\n    -H \"Authorization: Bearer ${{ github.token\
         \ }}\" \\\n    -H \"Content-Type: application/octet-stream\" \\\n    \"${{\
         \ needs.release_info.outputs.release-asset-upload-url }}?name=$(basename $WHL)\"\
         \ \\\n    --data-binary \"@$WHL\";\n"
+    - continue-on-error: true
+      if: needs.release_info.outputs.is-release == 'true'
+      name: Attest the pantsbuild.pants.testutil wheel
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants.testutil*.whl
     - if: needs.release_info.outputs.is-release == 'true'
       name: Upload testutil Wheel
       run: "WHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants.testutil*.whl\"\
@@ -194,6 +242,10 @@ jobs:
     name: Build wheels (macOS13-x86_64)
     needs:
     - release_info
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
     runs-on:
     - macos-13
     steps:
@@ -270,17 +322,34 @@ jobs:
         name: logs-wheels-and-pex-macOS13-x86_64
         overwrite: 'true'
         path: .pants.d/workdir/*.log
+    - if: needs.release_info.outputs.is-release == 'true'
+      name: Attest the pantsbuild.pants wheel
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl
+    - if: needs.release_info.outputs.is-release == 'true'
+      name: Rename the Pants Pex to its final name for upload
+      run: 'PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
+
+        mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
+
+        '
+    - continue-on-error: true
+      if: needs.release_info.outputs.is-release == 'true'
+      name: Attest the Pants Pex artifact
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: dist/src.python.pants/*.pex
     - if: needs.release_info.outputs.is-release == 'true'
       name: Upload Wheel and Pex
       run: "PANTS_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"\
         import pants.version;print(pants.version.VERSION)\")\nPY_VER=$(PEX_INTERPRETER=1\
         \ dist/src.python.pants/pants-pex.pex -c \"import sys;print(f'cp{sys.version_info[0]}{sys.version_info[1]}')\"\
         )\nPLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"import\
         \ os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')\"\
-        )\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\nmv dist/src.python.pants/pants-pex.pex\
-        \ dist/src.python.pants/$PEX_FILENAME\n\ncurl -L --fail \\\n    -X POST \\\
-        \n    -H \"Authorization: Bearer ${{ github.token }}\" \\\n    -H \"Content-Type:\
-        \ application/octet-stream\" \\\n    ${{ needs.release_info.outputs.release-asset-upload-url\
+        )\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\ncurl -L --fail \\\n\
+        \    -X POST \\\n    -H \"Authorization: Bearer ${{ github.token }}\" \\\n\
+        \    -H \"Content-Type: application/octet-stream\" \\\n    ${{ needs.release_info.outputs.release-asset-upload-url\
         \ }}?name=$PEX_FILENAME \\\n    --data-binary \"@dist/src.python.pants/$PEX_FILENAME\"\
         \n\nWHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants-*.whl\"\
         )\ncurl -L --fail \\\n    -X POST \\\n    -H \"Authorization: Bearer ${{ github.token\
@@ -297,6 +366,10 @@ jobs:
     name: Build wheels (macOS14-ARM64)
     needs:
     - release_info
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
     runs-on:
     - macos-14
     steps:
@@ -369,17 +442,34 @@ jobs:
         name: logs-wheels-and-pex-macOS14-ARM64
         overwrite: 'true'
         path: .pants.d/workdir/*.log
+    - if: needs.release_info.outputs.is-release == 'true'
+      name: Attest the pantsbuild.pants wheel
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl
+    - if: needs.release_info.outputs.is-release == 'true'
+      name: Rename the Pants Pex to its final name for upload
+      run: 'PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
+
+        mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
+
+        '
+    - continue-on-error: true
+      if: needs.release_info.outputs.is-release == 'true'
+      name: Attest the Pants Pex artifact
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: dist/src.python.pants/*.pex
     - if: needs.release_info.outputs.is-release == 'true'
       name: Upload Wheel and Pex
       run: "PANTS_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"\
         import pants.version;print(pants.version.VERSION)\")\nPY_VER=$(PEX_INTERPRETER=1\
         \ dist/src.python.pants/pants-pex.pex -c \"import sys;print(f'cp{sys.version_info[0]}{sys.version_info[1]}')\"\
         )\nPLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c \"import\
         \ os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')\"\
-        )\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\nmv dist/src.python.pants/pants-pex.pex\
-        \ dist/src.python.pants/$PEX_FILENAME\n\ncurl -L --fail \\\n    -X POST \\\
-        \n    -H \"Authorization: Bearer ${{ github.token }}\" \\\n    -H \"Content-Type:\
-        \ application/octet-stream\" \\\n    ${{ needs.release_info.outputs.release-asset-upload-url\
+        )\nPEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex\n\ncurl -L --fail \\\n\
+        \    -X POST \\\n    -H \"Authorization: Bearer ${{ github.token }}\" \\\n\
+        \    -H \"Content-Type: application/octet-stream\" \\\n    ${{ needs.release_info.outputs.release-asset-upload-url\
         \ }}?name=$PEX_FILENAME \\\n    --data-binary \"@dist/src.python.pants/$PEX_FILENAME\"\
         \n\nWHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name \"pantsbuild.pants-*.whl\"\
         )\ncurl -L --fail \\\n    -X POST \\\n    -H \"Authorization: Bearer ${{ github.token\
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -336,6 +336,10 @@ jobs:
     name: Build wheels (Linux-ARM64)
     needs:
     - classify_changes
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
     runs-on:
     - self-hosted
     - runs-on
@@ -406,6 +410,10 @@ jobs:
     name: Build wheels (Linux-x86_64)
     needs:
     - classify_changes
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
     runs-on:
     - ubuntu-22.04
     steps:
@@ -474,6 +482,10 @@ jobs:
     name: Build wheels (macOS13-x86_64)
     needs:
     - classify_changes
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
     runs-on:
     - macos-13
     steps:
@@ -560,6 +572,10 @@ jobs:
     name: Build wheels (macOS14-ARM64)
     needs:
     - classify_changes
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
     runs-on:
     - macos-14
     steps:
diff --git a/src/python/pants_release/generate_github_workflows.py b/src/python/pants_release/generate_github_workflows.py
@@ -21,6 +21,7 @@
 def action(name: str) -> str:
     version_map = {
         "action-send-mail": "dawidd6/action-send-mail@v3.8.0",
+        "attest-build-provenance": "actions/attest-build-provenance@v2",
         "cache": "actions/cache@v4",
         "checkout": "actions/checkout@v4",
         "download-artifact": "actions/download-artifact@v4",
@@ -880,6 +881,11 @@ def build_wheels_job(
             "if": if_condition,
             "name": f"Build wheels ({str(platform.value)})",
             "runs-on": helper.runs_on(),
+            "permissions": {
+                "id-token": "write",
+                "contents": "read",
+                "attestations": "write",
+            },
             **({"container": container} if container else {}),
             **({"needs": needs} if needs else {}),
             "timeout-minutes": 90,
@@ -913,6 +919,34 @@ def build_wheels_job(
                 helper.upload_log_artifacts(name="wheels-and-pex"),
                 *(
                     [
+                        {
+                            "name": "Attest the pantsbuild.pants wheel",
+                            "if": "needs.release_info.outputs.is-release == 'true'",
+                            "uses": action("attest-build-provenance"),
+                            "with": {
+                                "subject-path": "dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants-*.whl",
+                            },
+                        },
+                        {
+                            "name": "Rename the Pants Pex to its final name for upload",
+                            "if": "needs.release_info.outputs.is-release == 'true'",
+                            "run": dedent(
+                                """\
+                                PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
+                                mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
+                                """
+                            ),
+                        },
+                        {
+                            "name": "Attest the Pants Pex artifact",
+                            "if": "needs.release_info.outputs.is-release == 'true'",
+                            "uses": action("attest-build-provenance"),
+                            "with": {
+                                "subject-path": "dist/src.python.pants/*.pex",
+                            },
+                            # Temporary: Allow errors in this step while we test the release workflow.
+                            "continue-on-error": True,
+                        },
                         {
                             "name": "Upload Wheel and Pex",
                             "if": "needs.release_info.outputs.is-release == 'true'",
@@ -927,8 +961,6 @@ def build_wheels_job(
                                 PLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c "import os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')")
                                 PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
 
-                                mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
-
                                 curl -L --fail \\
                                     -X POST \\
                                     -H "Authorization: Bearer ${{ github.token }}" \\
@@ -948,6 +980,16 @@ def build_wheels_job(
                         },
                         *(
                             [
+                                {
+                                    "name": "Attest the pantsbuild.pants.testutil wheel",
+                                    "if": "needs.release_info.outputs.is-release == 'true'",
+                                    "uses": action("attest-build-provenance"),
+                                    "with": {
+                                        "subject-path": "dist/deploy/wheels/pantsbuild.pants/**/pantsbuild.pants.testutil*.whl",
+                                    },
+                                    # Temporary: Allow errors in this step while we test the release workflow.
+                                    "continue-on-error": True,
+                                },
                                 {
                                     "name": "Upload testutil Wheel",
                                     "if": "needs.release_info.outputs.is-release == 'true'",
