ci(backport): Add GitHub artifact attestations to package distribution (#2496)

meeseeksmachine · matthewfeickert · web-flow · commit efa0cbb7c74d · 2024-05-30T01:54:24.000-05:00
* Backport: - PR #2473 - PR #2478 --------- Co-authored-by: Matthew Feickert <matthew.feickert@cern.ch>
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -29,6 +29,11 @@ jobs:
   build:
     name: Build Python distribution
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
+
     steps:
     - uses: actions/checkout@v4
       with:
@@ -96,6 +101,16 @@ jobs:
     - name: List contents of wheel
       run: python -m zipfile --list dist/pyhf-*.whl
 
+    - name: Generate artifact attestation for sdist and wheel
+      # If publishing to TestPyPI or PyPI
+      if: >-
+        (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
+        || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
+        || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf')
+      uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      with:
+        subject-path: "dist/pyhf-*"
+
     - name: Upload distribution artifact
       uses: actions/upload-artifact@v4
       with:
@@ -125,6 +140,26 @@ jobs:
     - name: List all files
       run: ls -lh dist
 
+    - name: Verify sdist artifact attestation
+      # If publishing to TestPyPI or PyPI
+      if: >-
+        (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
+        || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
+        || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf')
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: gh attestation verify dist/pyhf-*.tar.gz --repo ${{ github.repository }}
+
+    - name: Verify wheel artifact attestation
+      # If publishing to TestPyPI or PyPI
+      if: >-
+        (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
+        || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
+        || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf')
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: gh attestation verify dist/pyhf-*.whl --repo ${{ github.repository }}
+
     - name: Publish distribution 📦 to Test PyPI
       # Publish to TestPyPI on tag events of if manually triggered
       # Compare to 'true' string as booleans get turned into strings in the console
