Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Roadmap] Implement PEP 740 #15871

Closed
24 of 25 tasks
woodruffw opened this issue Apr 26, 2024 · 38 comments · Fixed by #17070
Closed
24 of 25 tasks

[Roadmap] Implement PEP 740 #15871

woodruffw opened this issue Apr 26, 2024 · 38 comments · Fixed by #17070

Comments

@woodruffw
Copy link
Member

woodruffw commented Apr 26, 2024

PEP 740 is in a final but not yet approved state. This issue is intended to lay out the dependencies/subcomponents of its implementing, including things that can be done in a preliminary manner.

Index side

Uploader/publish side

Docs & UI

CC @di @webknjaz @facutuesca for visibility

@webknjaz
Copy link
Member

I've gone ahead and filed a tracking issue in pip-tools as well: jazzband/pip-tools#2080.

@webknjaz
Copy link
Member

  • Concretely, this means gh-action-pypi-publish should use sigstore-python to sign the attestation payload defined in PEP 740

With the exciting changes suggested in pypa/gh-action-pypi-publish#230, it looks like we'll be able to leverage bits of composite actions and call the action even (if it makes sense to do so, as an alternative to using a Python lib within the container like the rest of stuff).

@webknjaz
Copy link
Member

  • Concretely, this means gh-action-pypi-publish should use sigstore-python to sign the attestation payload defined in PEP 740

Should this be done by the uploader, though? My initial feeling was that this should be done right after the job building the artifacts. Though, perhaps not by pypa/build (because of the privilege elevation concerns I often complain about). Are we going to treat the artifacts that the uploader gets as coming from trusted sources? Should we be emphasizing the security considerations and teaching the users more about the least privilege principle?

@woodruffw
Copy link
Member Author

Should this be done by the uploader, though?

Hmm -- I suppose it doesn't have to be, although for targeting publish provenance (and getting provenance generation exposed to the largest number of users) I think it's the most straightforward path.

Long term, PEP 740 is designed to enable multiple attestations: the building step(s) can generate one, as can the publishing step. But I believe getting that into a workable state will require a decent bit more coordination, so I want to target an MVP of "the artifact is signed by the same identity that pushed it to the index" 😅

@webknjaz
Copy link
Member

@woodruffw fair! I just wanted to make sure we're on the same page.

@sethmlarson
Copy link
Contributor

@webknjaz Glad you're thinking about build provenance already, I'm interested in tackling build provenance for Python too 🚀

These initial attestations are similar to NPM's publish provenance so is best done by the uploader. If the attestation can show "this artifact was uploaded by this workflow which matches a Trusted Publisher configuration for the project" we can already build some interesting things like verified GitHub URLs, exposing which artifacts have Trusted Publishers configured to users, monitoring for changes in provenance, etc

@webknjaz
Copy link
Member

@sethmlarson fair enough! I remember similar ideas being brought up during the initial private beta of trusted publishing. It's nice to have some more or less specified goals recorded and synchronized, though, which is why I posted my thoughts :)

Looking back, I'm glad that I encouraged implementing it in my action from the very beginning, months before it's gone GA so everybody could start using it right away with almost no changes. So I'm hoping that the Sigstore integration happens in a similar fashion, enabling any early adopters to start uploading signatures with zero changes to their workflows (if they already use trusted publishing, they have the OIDC access set up).

@di
Copy link
Member

di commented Apr 29, 2024

Should this be done by the uploader, though? My initial feeling was that this should be done right after the job building the artifacts.

I think your initial feeling is valid: since it's not guaranteed that the workflow using the publish action is also the workflow that built the artifacts, this isn't necessarily "build provenance".

That said, having an attestation ('publish provenance') from the uploader in the absence of any other attestation being provided to it would still be very valuable here I think, especially for projects that aren't using Trusted Publishing yet.

@facutuesca
Copy link
Contributor

@woodruffw What behavior do we want when uploading attestations to a file already in PyPI? Currently, the behavior for duplicate files is either stop the upload process and return OK (if the new file is the same as the existing one), or fail (if the files don't match).
How do we want to deal with those cases when the request also includes attestations?

@woodruffw
Copy link
Member Author

What behavior do we want when uploading attestations to a file already in PyPI? Currently, the behavior for duplicate files is either stop the upload process and return OK (if the new file is the same as the existing one), or fail (if the files don't match).

For the MVP, I think we want to skip if the distribution file already exists, for consistency with the existing upload API behavior.

Longer term, this probably falls under the "Upload 2.0 API" PEP -- we'll want a way to augment existing uploaded distributions with new attestations. But that's out of scope for now, IMO 🙂

@webknjaz
Copy link
Member

FYI: there's some new developments within GitHub, it seems — pypa/gh-action-pypi-publish#236 (comment).

@webknjaz
Copy link
Member

* [ ]  Update PyPUG and adjacent documentation to remove references to `gh-action-sigstore-python`

I think this one is somewhat separate — it signs built artifacts (in that snippet) while the pypi-publish integration signs whatever's uploaded (no matter if it was built within the workflow or downloaded).

@woodruffw
Copy link
Member Author

Something that @haydentherapper raised: Trusted Publishing supports private repos.

This isn't a "disclosure" issue at the moment since we don't expose the Trusted Publisher metadata anywhere, but with PEP 740 we will.

Some points:

  1. No matter what, we will continue supporting Trusted Publishing from private repos.
  2. Conceptually, there's nothing stopping someone from generating a private attestation, although its semantics are unclear (since a publish or build attestation from a private repo can't be really analyzed by third parties, besides a basic "GitHub promises this is right" check.)
  3. There's a (fair) PII concern about leaking a private repository name.

Some engineering details:

  • Both GitLab and GitHub provide a visibility type claim, which either PyPI or the publishing workflow could filter on in terms of including attestations. It should probably be PyPI though, since PyPI is already handling the JWT claims.

@woodruffw
Copy link
Member Author

Per NPM's docs, it looks like they require a public repo for provenance:

Ensure your package.json is configured with a public repository that matches (case-sensitive) where you are publishing with provenance from.

This doesn't quite mesh with PyPI's model since each distribution file has its own metadata, but in theory we could check them all for consistency. But that is potentially more brittle than just rejecting attestations if the accompanying OIDC JWT doesn't have the right visibility.

@woodruffw
Copy link
Member Author

From discussion in the Sigstore Slack: one route forward here is to reject attestations from private repositories, unless the project explicitly is explicitly configured (either on PyPI or the project metadata) to allow them. This eliminates the risk of a user inadvertently leaking a private repository name (or similar) through their Trusted Publisher configuration and subsequent publish attestations.

If configured on PyPI, this could be something like a new checkbox under /manage/<project>/settings, e.g. "allow attestations from private Trusted Publishers."

If configured via project metadata, things get a little hairier (since the metadata is duplicated once per distribution, and there's no free-form metadata at the moment). So doing it via PyPI is probably easier.

@woodruffw
Copy link
Member Author

@facutuesca and I had a conversation about the persistence side of this the other day; summarizing:

  • For the time being, we should treat publish provenance as a baseline: in other words: PyPI can accept SLSA Provenance as well if provided, but every attestation set should come with a Publish Provenance attestation at the minimum (since they're all coming from Trusted Publishing)
  • With Publish Provenance as a baseline, we can add a File <-> OIDCPublisher relationship that tracks the Trusted Publisher that was verified to have published the given File
  • That relationship then allows us to bootstrap verified URLs, etc.

Some related thoughts:

  • Having a File <-> OIDCPublisher relationship means that OIDCPublishers are never deleted once one or more files are published against them, even if no Project has that OIDCPublisher registered as an active publisher anymore. This may or may not be an issue; just highlighting as a "lifetime" change.
  • We need to determine the appropriate "policy" for rendering things like provenance markers on the project-level page (i.e. /p/<project>): in addition to verified URLs, we might want a little checkmark similar to NPM's that says the project is provenanced. For that, it probably make senses to require all files in latest release to have publish attestations, even if the data layer underneath doesn't prohibit "heterogenous" uploads.

@facutuesca
Copy link
Contributor

facutuesca commented Jun 20, 2024

Having a File <-> OIDCPublisher relationship means that OIDCPublishers are never deleted once one or more files are published against them, even if no Project has that OIDCPublisher registered as an active publisher anymore

This might add some complexity, since right now there is no way of modelling an "inactive" publisher: if a publisher exists in the DB, then it's active. Do we want to add a new column to the table, an is_active field that becomes False if the user deletes the corresponding Trusted Publisher? (more specifically, it becomes False iff the user deletes it and there exists at least one file that was uploaded with a publish attestation signed by that publisher)

@woodruffw
Copy link
Member Author

This might be problematic, since right now there is no way of modelling an "inactive" publisher: if a publisher exists in the DB, then it's active.

Hmm, I hadn't thought of this. A new is_active column makes sense to me, or alternatively we could define an is_active helper that checks whether len(projects) != 0. I think the latter would work approximately as well, without requiring a DB migration, although I might have missed something 🙂

@sethmlarson
Copy link
Contributor

With Publish Provenance as a baseline, we can add a File <-> OIDCPublisher relationship that tracks the Trusted Publisher that was verified to have published the given File

I was imagining a separate model for a "verified attestation" that's separate from the publisher, due to the publisher potentially changing over time.

@webknjaz
Copy link
Member

webknjaz commented Sep 4, 2024

Oh, does that mean that workflow/project management tools can start implementing distribution verification against it?

@woodruffw
Copy link
Member Author

Oh, does that mean that workflow/project management tools can start implementing distribution verification against it?

Unfortunately not quite -- we had to revert that last PR due to performance regressions on the simple index + some incorrect assumptions about being able to stream from PyPI's object storage 😅. We're reworking the implementation to use just the DB instead; I'll update this issue with the stack of PRs for that.

hogo6002 referenced this issue in google/osv.dev Sep 5, 2024
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/setup-python](https://redirect.github.com/actions/setup-python)
| action | minor | `v5.1.1` -> `v5.2.0` |
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | minor | `v3.1.3` -> `v3.2.1` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | minor | `v2.25.12` -> `v2.26.6` |
|
[ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action)
| action | minor | `v2.3.3` -> `v2.4.0` |
|
[pypa/gh-action-pypi-publish](https://redirect.github.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.9.0` -> `v1.10.1` |

---

### Release Notes

<details>
<summary>actions/setup-python (actions/setup-python)</summary>

###
[`v5.2.0`](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0)

[Compare
Source](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v3.2.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v3.2.1)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v3.2.0...v3.2.1)

#### What's Changed

This fixes the `include-hidden-files` input introduced in
https://github.com/actions/upload-artifact/releases/tag/v3.2.0

- Ensure hidden files input is used by
[@&#8203;joshmgross](https://redirect.github.com/joshmgross) in
[https://github.com/actions/upload-artifact/pull/609](https://redirect.github.com/actions/upload-artifact/pull/609)

**Full Changelog**:
actions/upload-artifact@v3.2.0...v3.2.1

###
[`v3.2.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v3.2.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v3.1.3...v3.2.0)

#### Notice: Breaking Changes ⚠️

We will no longer include hidden files and folders by default in the
`upload-artifact` action of this version. This reduces the risk that
credentials are accidentally uploaded into artifacts. Customers who need
to continue to upload these files can use a new option,
`include-hidden-files`, to continue to do so.

See ["Notice of upcoming deprecations and breaking changes in GitHub
Actions
runners"](https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/)
changelog and [this
issue](https://redirect.github.com/actions/upload-artifact/issues/602)
for more details.

#### What's Changed

- V3 backport: Exclude hidden files by default by
[@&#8203;SrRyan](https://redirect.github.com/SrRyan) in
[https://github.com/actions/upload-artifact/pull/604](https://redirect.github.com/actions/upload-artifact/pull/604)

**Full Changelog**:
actions/upload-artifact@v3.1.3...v3.2.0

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.26.6`](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6)

###
[`v2.26.5`](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5)

###
[`v2.26.4`](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4)

###
[`v2.26.3`](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3)

###
[`v2.26.2`](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2)

###
[`v2.26.1`](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1)

###
[`v2.26.0`](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0)

###
[`v2.25.15`](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15)

###
[`v2.25.14`](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14)

###
[`v2.25.13`](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare
Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a
complete list of changes, please refer to the [v5.0.0 release
notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0).
Of special note to Scorecard Action is the Maintainer Annotation
feature, which can be used to suppress some Code Scanning false
positives. Alerts will not be generated for any Scorecard Check with an
annotation.

- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0
by [@&#8203;spencerschrock](https://redirect.github.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410)
- 🐛 lower license sarif alert threshold to 9 by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by
[@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

**Full Changelog**:
ossf/scorecard-action@v2.3.3...v2.4.0

</details>

<details>
<summary>pypa/gh-action-pypi-publish
(pypa/gh-action-pypi-publish)</summary>

###
[`v1.10.1`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.1)

[Compare
Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.10.0...v1.10.1)

#### 🚑🔏 Oopsie... We missed a tiny bug in the attestations feature the
other day

The problem was that the distribution file validity check was failing on
any valid distribution being present and ready to be signed. What a
silly mistake! It's now been fixed via
pypa/gh-action-pypi-publish@0ab0b79, though.
So everything's good!

\--
[@&#8203;webknjaz](https://redirect.github.com/webknjaz)[💰](https://redirect.github.com/sponsors/webknjaz)

> \[!IMPORTANT]
> ✨ Despite this minor hiccup, we invite you to still opt into trying
this feature out early. [It can be
enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations)
like this:
>
> ```yml
>   with:
>     attestations: true
> ```
>
> Leave feedback in [the v1.10.0 release
discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255)
or [the
PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236).

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.10.0...v1.10.1

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://redirect.github.com/sponsors/webknjaz)

**🙏 Special Thanks** to
[@&#8203;hugovk](https://redirect.github.com/hugovk)[💰](https://redirect.github.com/sponsors/hugovk)
for [promptly validating the bug
fix](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/256#issuecomment-2325925847),
mere minutes after I pushed it — I even haven't finished writing this
text by then!

###
[`v1.10.0`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.0)

[Compare
Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.9.0...v1.10.0)

#### 🔏 Anything fancy, eh?

This time,
[@&#8203;woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw)
implemented support for [PEP 740] attestations functionality in
[#&#8203;236](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/236)
and
[#&#8203;245](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/245).
This is a big deal, as it is a huge step forward to replacing what the
deprecated GPG signatures used to provide in a more meaningful way.

> \[!IMPORTANT]
> ✨ Please, do opt into trying this feature out early. [It can be
enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations)
as follows:
>
> ```yml
>   with:
>     attestations: true
> ```
>
> Leave any feedback on this in [this release
discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255)
or [the
PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236).

🙏 And please, thank William for working on this amazing improvement for
the ecosystem! The overall effort is tracked
@&#[https://github.com/pypi/warehouse/issues/15871](https://redirect.github.com/pypi/warehouse/issues/15871)/15871,
by the way.

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.9.0...v1.10.0

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://redirect.github.com/sponsors/webknjaz)

[PEP 740]: https://peps.python.org/pep-0740/

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
cuixq referenced this issue in google/osv.dev Sep 11, 2024
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/setup-python](https://redirect.github.com/actions/setup-python)
| action | minor | `v5.1.1` -> `v5.2.0` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | minor | `v2.25.12` -> `v2.26.6` |
|
[ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action)
| action | minor | `v2.3.3` -> `v2.4.0` |
|
[pypa/gh-action-pypi-publish](https://redirect.github.com/pypa/gh-action-pypi-publish)
| action | minor | `v1.9.0` -> `v1.10.1` |

---

### Release Notes

<details>
<summary>actions/setup-python (actions/setup-python)</summary>

###
[`v5.2.0`](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0)

[Compare
Source](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.26.6`](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6)

###
[`v2.26.5`](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5)

###
[`v2.26.4`](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4)

###
[`v2.26.3`](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3)

###
[`v2.26.2`](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2)

###
[`v2.26.1`](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1)

###
[`v2.26.0`](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0)

###
[`v2.25.15`](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15)

###
[`v2.25.14`](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14)

###
[`v2.25.13`](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare
Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a
complete list of changes, please refer to the [v5.0.0 release
notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0).
Of special note to Scorecard Action is the Maintainer Annotation
feature, which can be used to suppress some Code Scanning false
positives. Alerts will not be generated for any Scorecard Check with an
annotation.

- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0
by [@&#8203;spencerschrock](https://redirect.github.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410)
- 🐛 lower license sarif alert threshold to 9 by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by
[@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

**Full Changelog**:
ossf/scorecard-action@v2.3.3...v2.4.0

</details>

<details>
<summary>pypa/gh-action-pypi-publish
(pypa/gh-action-pypi-publish)</summary>

###
[`v1.10.1`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.1)

[Compare
Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.10.0...v1.10.1)

#### 🚑🔏 Oopsie... We missed a tiny bug in the attestations feature the
other day

The problem was that the distribution file validity check was failing on
any valid distribution being present and ready to be signed. What a
silly mistake! It's now been fixed via
pypa/gh-action-pypi-publish@0ab0b79, though.
So everything's good!

\--
[@&#8203;webknjaz](https://redirect.github.com/webknjaz)[💰](https://redirect.github.com/sponsors/webknjaz)

> \[!IMPORTANT]
> ✨ Despite this minor hiccup, we invite you to still opt into trying
this feature out early. [It can be
enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations)
like this:
>
> ```yml
>   with:
>     attestations: true
> ```
>
> Leave feedback in [the v1.10.0 release
discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255)
or [the
PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236).

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.10.0...v1.10.1

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://redirect.github.com/sponsors/webknjaz)

**🙏 Special Thanks** to
[@&#8203;hugovk](https://redirect.github.com/hugovk)[💰](https://redirect.github.com/sponsors/hugovk)
for [promptly validating the bug
fix](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/256#issuecomment-2325925847),
mere minutes after I pushed it — I even haven't finished writing this
text by then!

###
[`v1.10.0`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.0)

[Compare
Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.9.0...v1.10.0)

#### 🔏 Anything fancy, eh?

This time,
[@&#8203;woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw)
implemented support for [PEP 740] attestations functionality in
[#&#8203;236](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/236)
and
[#&#8203;245](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/245).
This is a big deal, as it is a huge step forward to replacing what the
deprecated GPG signatures used to provide in a more meaningful way.

> \[!IMPORTANT]
> ✨ Please, do opt into trying this feature out early. [It can be
enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations)
as follows:
>
> ```yml
>   with:
>     attestations: true
> ```
>
> Leave any feedback on this in [this release
discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255)
or [the
PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236).

🙏 And please, thank William for working on this amazing improvement for
the ecosystem! The overall effort is tracked
@&#[https://github.com/pypi/warehouse/issues/15871](https://redirect.github.com/pypi/warehouse/issues/15871)/15871,
by the way.

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.9.0...v1.10.0

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://redirect.github.com/sponsors/webknjaz)

[PEP 740]: https://peps.python.org/pep-0740/

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
@woodruffw
Copy link
Member Author

woodruffw commented Sep 27, 2024

Tracking: the last two PRs for index support are now up:

The latter is still drafted since it'll need to be rebased once the former is merged.

Once those are in, there are some follow-ons that we should pursue:

  • Relax the predicate check: right now we reject anything besides PyPI "publish" attestations, but we should also accept SLSA attestations.

@woodruffw
Copy link
Member Author

pypa/gh-action-pypi-publish#277 is the last moving piece on the publishing side: that'll make generating attestations the default.

@webknjaz
Copy link
Member

We can cross that off the list now!

pypa/gh-action-pypi-publish#281

@webknjaz
Copy link
Member

webknjaz commented Nov 5, 2024

@woodruffw I filed a tracking issue for uploading attestations to GitHub: pypa/gh-action-pypi-publish#288.

@jpl-jengelke

This comment has been minimized.

@webknjaz

This comment has been minimized.

@jpl-jengelke

This comment has been minimized.

@woodruffw
Copy link
Member Author

The roadmap in this issue is fully complete, except for the UI elements (which are not part of PEP 740). As a result, I've opened the PEP acceptance PR: python/peps#4114

@di di mentioned this issue Nov 12, 2024
1 task
@di di closed this as completed in #17070 Nov 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants