[TODO] Explore uploading attestations to GitHub as well #288

webknjaz opened this issue Nov 5, 2024 · 8 comments
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@webknjaz (Member)

webknjaz commented Nov 5, 2024

This is how the official action does this: https://github.com/actions/toolkit/blob/77f247b/packages/attest/src/store.ts#L5-L44.

This is the API endpoint doc: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#create-an-attestation.

@woodruffw (Member)

Yep, this should be straightforward to do -- the attestation will either need to be uploaded to GH before it's munged into the PEP 740 shape, or re-munged back into a Sigstore bundle for subsequent uploading.

One note: putting things in GH's attestations store also requires attestations: write, which is why I didn't look too closely at it initially for this action -- I didn't want to widen things beyond id-token: write, since that would be painful for users to upgrade to. However, it may be worth it (or something we can feature-test).

@webknjaz (Member, Author)

webknjaz commented Nov 5, 2024

I haven't found a way to feature-test. So it'd probably be an upload attempt with error suppression...

@woodruffw (Member)

I haven't found a way to feature-test. So it'd probably be an upload attempt with error suppression...

Makes sense to me 🙂

@webknjaz (Member, Author)

webknjaz commented Nov 8, 2024

@woodruffw it might be a good idea to also explore exposing the signatures to the end-users (maybe, via action outputs?). As in, beyond telling them to scan the dist/ folder for those files. This would let them upload a copy to GH Releases if they want to.

@woodruffw (Member)

Yeah, that's a good idea -- I haven't been 100% sure how to do it since it's a one-many relationship in theory (one dist, potentially multiple attestations), so action outputs become a little hacky. I'll think about that some more.

@webknjaz (Member, Author)

Probably wrap it as a JSON string.

@woodruffw (Member)

Good idea! Outputs are limited to 1MB, but they should be well below that.

@webknjaz (Member, Author)

Yeah, I've been wrestling with passing complex data into and out of actions (like alls-green) for a long time. And I settled on JSON, especially since they have built-in functions available (toJSON()/fromJSON()). The only other option is probably putting things into files.
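As an added illustration of the JSON-wrapped output idea discussed above (example code, not part of the action or this thread): the script below groups the attestation files found next to each distribution in dist/, serializes the one-dist-to-many-attestations mapping as compact JSON, enforces the 1 MB output limit mentioned, and appends it to GITHUB_OUTPUT using GitHub's documented heredoc form for multi-line values. The `<dist-filename>.<kind>.attestation` naming convention, the output name `attestations`, and the delimiter string are assumptions.

```python
import json
import os
import sys

# Assumed convention (not the action's): attestations sit beside the dist as
# "<dist-filename>.<kind>.attestation", so one dist may have several kinds.
ATTESTATION_SUFFIX = ".attestation"
OUTPUT_LIMIT_BYTES = 1_000_000  # action outputs are capped at 1 MB
DELIMITER = "GH_ATTESTATIONS_EOF"  # heredoc delimiter for multi-line outputs

def group_attestations(filenames):
    """Map each dist filename to the sorted list of its attestation filenames;
    attestations with no matching dist are returned separately as orphans."""
    names = set(filenames)
    grouped = {n: [] for n in sorted(names) if not n.endswith(ATTESTATION_SUFFIX)}
    orphans = []
    for name in sorted(names):
        if not name.endswith(ATTESTATION_SUFFIX):
            continue
        dist, _, kind = name[: -len(ATTESTATION_SUFFIX)].rpartition(".")
        if dist in grouped and kind:
            grouped[dist].append(name)
        else:
            orphans.append(name)
    return grouped, orphans

def render_output(grouped):
    """Serialize as compact JSON for fromJSON(), refusing oversized payloads."""
    payload = json.dumps(grouped, separators=(",", ":"), sort_keys=True)
    if len(payload.encode()) > OUTPUT_LIMIT_BYTES:
        raise ValueError("attestations output exceeds the 1 MB output limit")
    return payload

def output_record(name, value):
    """Build the multi-line GITHUB_OUTPUT record: name<<delim / value / delim."""
    if DELIMITER in value:
        raise ValueError("value collides with the heredoc delimiter")
    return f"{name}<<{DELIMITER}\n{value}\n{DELIMITER}\n"

def main(dist_dir="dist", output_name="attestations"):
    grouped, orphans = group_attestations(os.listdir(dist_dir))
    for name in orphans:
        print(f"warning: {name} has no matching dist file", file=sys.stderr)
    record = output_record(output_name, render_output(grouped))
    out_path = os.environ.get("GITHUB_OUTPUT")  # set by the runner in a workflow
    if out_path:
        with open(out_path, "a", encoding="utf-8") as fh:
            fh.write(record)
    else:  # local run: show what would be appended
        sys.stdout.write(record)
```

A later workflow step can then consume the mapping with `fromJSON(steps.<id>.outputs.attestations)` and, for instance, attach the listed files to a GitHub Release.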
