Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Build attestations improvements #501

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Build attestations improvements #501

wants to merge 2 commits into from

Conversation

samypr100
Copy link
Contributor

@samypr100 samypr100 commented Jan 19, 2025
edited
Loading

Per #343 (comment)

  • Adds attestations to build-0 of the linux matrix (due to recent refactor)
  • Adds attestations to release artifacts which include install only derived builds.

zanieb
zanieb reviewed Jan 19, 2025
View reviewed changes
.github/workflows/linux.yml
@@ -245,6 +245,12 @@ jobs:
build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst
- name: Generate attestations
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whoops! Thank you!

zanieb
zanieb reviewed Jan 19, 2025
View reviewed changes
.github/workflows/release.yml Outdated
uses: actions/attest-build-provenance@v2
if: ${{ github.event.inputs.dry-run == 'false' }}
with:
subject-path: dist/*
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm worried about the 1024 subject limit https://github.com/actions/attest-build-provenance?tab=readme-ov-file#subject-limits

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(1131 artifacts in the last release)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. We could arguably divide the attestation groups by python versions.

Copy link
Contributor Author

@samypr100 samypr100 Jan 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adjusted the glob to skip .sha256 files as I don't think they benefit from attestation. Given this purely from a count perspective we can stay within the quota ~564

Note, the glob is targeted at minimatch js library which is what actions/glob supports which this action uses underneath.

@samypr100 samypr100 marked this pull request as ready for review January 20, 2025 00:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zanieb zanieb zanieb left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@samypr100 @zanieb