-
Notifications
You must be signed in to change notification settings - Fork 968
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Roadmap] Implement PEP 740 #15871
Comments
I've gone ahead and filed a tracking issue in pip-tools as well: jazzband/pip-tools#2080. |
With the exciting changes suggested in pypa/gh-action-pypi-publish#230, it looks like we'll be able to leverage bits of composite actions and call the action even (if it makes sense to do so, as an alternative to using a Python lib within the container like the rest of stuff). |
Should this be done by the uploader, though? My initial feeling was that this should be done right after the job building the artifacts. Though, perhaps not by pypa/build (because of the privilege elevation concerns I often complain about). Are we going to treat the artifacts that the uploader gets as coming from trusted sources? Should we be emphasizing the security considerations and teaching the users more about the least privilege principle? |
Hmm -- I suppose it doesn't have to be, although for targeting publish provenance (and getting provenance generation exposed to the largest number of users) I think it's the most straightforward path. Long term, PEP 740 is designed to enable multiple attestations: the building step(s) can generate one, as can the publishing step. But I believe getting that into a workable state will require a decent bit more coordination, so I want to target an MVP of "the artifact is signed by the same identity that pushed it to the index" 😅 |
@woodruffw fair! I just wanted to make sure we're on the same page. |
@webknjaz Glad you're thinking about build provenance already, I'm interested in tackling build provenance for Python too 🚀 These initial attestations are similar to NPM's publish provenance so is best done by the uploader. If the attestation can show "this artifact was uploaded by this workflow which matches a Trusted Publisher configuration for the project" we can already build some interesting things like verified GitHub URLs, exposing which artifacts have Trusted Publishers configured to users, monitoring for changes in provenance, etc |
@sethmlarson fair enough! I remember similar ideas being brought up during the initial private beta of trusted publishing. It's nice to have some more or less specified goals recorded and synchronized, though, which is why I posted my thoughts :) Looking back, I'm glad that I encouraged implementing it in my action from the very beginning, months before it's gone GA so everybody could start using it right away with almost no changes. So I'm hoping that the Sigstore integration happens in a similar fashion, enabling any early adopters to start uploading signatures with zero changes to their workflows (if they already use trusted publishing, they have the OIDC access set up). |
I think your initial feeling is valid: since it's not guaranteed that the workflow using the publish action is also the workflow that built the artifacts, this isn't necessarily "build provenance". That said, having an attestation ('publish provenance') from the uploader in the absence of any other attestation being provided to it would still be very valuable here I think, especially for projects that aren't using Trusted Publishing yet. |
@woodruffw What behavior do we want when uploading attestations to a file already in PyPI? Currently, the behavior for duplicate files is either stop the upload process and return OK (if the new file is the same as the existing one), or fail (if the files don't match). |
For the MVP, I think we want to skip if the distribution file already exists, for consistency with the existing upload API behavior. Longer term, this probably falls under the "Upload 2.0 API" PEP -- we'll want a way to augment existing uploaded distributions with new attestations. But that's out of scope for now, IMO 🙂 |
FYI: there's some new developments within GitHub, it seems — pypa/gh-action-pypi-publish#236 (comment). |
I think this one is somewhat separate — it signs built artifacts (in that snippet) while the |
Something that @haydentherapper raised: Trusted Publishing supports private repos. This isn't a "disclosure" issue at the moment since we don't expose the Trusted Publisher metadata anywhere, but with PEP 740 we will. Some points:
Some engineering details:
|
Per NPM's docs, it looks like they require a public repo for provenance:
This doesn't quite mesh with PyPI's model since each distribution file has its own metadata, but in theory we could check them all for consistency. But that is potentially more brittle than just rejecting attestations if the accompanying OIDC JWT doesn't have the right visibility. |
From discussion in the Sigstore Slack: one route forward here is to reject attestations from private repositories, unless the project explicitly is explicitly configured (either on PyPI or the project metadata) to allow them. This eliminates the risk of a user inadvertently leaking a private repository name (or similar) through their Trusted Publisher configuration and subsequent publish attestations. If configured on PyPI, this could be something like a new checkbox under If configured via project metadata, things get a little hairier (since the metadata is duplicated once per distribution, and there's no free-form metadata at the moment). So doing it via PyPI is probably easier. |
@facutuesca and I had a conversation about the persistence side of this the other day; summarizing:
Some related thoughts:
|
This might add some complexity, since right now there is no way of modelling an "inactive" publisher: if a publisher exists in the DB, then it's active. Do we want to add a new column to the table, an |
Hmm, I hadn't thought of this. A new |
I was imagining a separate model for a "verified attestation" that's separate from the publisher, due to the publisher potentially changing over time. |
Oh, does that mean that workflow/project management tools can start implementing distribution verification against it? |
Unfortunately not quite -- we had to revert that last PR due to performance regressions on the simple index + some incorrect assumptions about being able to stream from PyPI's object storage 😅. We're reworking the implementation to use just the DB instead; I'll update this issue with the stack of PRs for that. |
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-python](https://redirect.github.com/actions/setup-python) | action | minor | `v5.1.1` -> `v5.2.0` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v3.1.3` -> `v3.2.1` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v2.25.12` -> `v2.26.6` | | [ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` | | [pypa/gh-action-pypi-publish](https://redirect.github.com/pypa/gh-action-pypi-publish) | action | minor | `v1.9.0` -> `v1.10.1` | --- ### Release Notes <details> <summary>actions/setup-python (actions/setup-python)</summary> ### [`v5.2.0`](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0) [Compare Source](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.2.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v3.2.1) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v3.2.0...v3.2.1) #### What's Changed This fixes the `include-hidden-files` input introduced in https://github.com/actions/upload-artifact/releases/tag/v3.2.0 - Ensure hidden files input is used by [@​joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/609](https://redirect.github.com/actions/upload-artifact/pull/609) **Full Changelog**: actions/upload-artifact@v3.2.0...v3.2.1 ### [`v3.2.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v3.2.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v3.1.3...v3.2.0) #### Notice: Breaking Changes⚠️ We will no longer include hidden files and folders by default in the `upload-artifact` action of this version. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option, `include-hidden-files`, to continue to do so. See ["Notice of upcoming deprecations and breaking changes in GitHub Actions runners"](https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/) changelog and [this issue](https://redirect.github.com/actions/upload-artifact/issues/602) for more details. #### What's Changed - V3 backport: Exclude hidden files by default by [@​SrRyan](https://redirect.github.com/SrRyan) in [https://github.com/actions/upload-artifact/pull/604](https://redirect.github.com/actions/upload-artifact/pull/604) **Full Changelog**: actions/upload-artifact@v3.1.3...v3.2.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.26.6`](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6) ### [`v2.26.5`](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5) ### [`v2.26.4`](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4) ### [`v2.26.3`](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3) ### [`v2.26.2`](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2) ### [`v2.26.1`](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1) ### [`v2.26.0`](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0) ### [`v2.25.15`](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15) ### [`v2.25.14`](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14) ### [`v2.25.13`](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) #### What's Changed This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0). Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation. - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@​spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410) - 🐛 lower license sarif alert threshold to 9 by [@​spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411) ##### Documentation - docs: dogfooding badge by [@​jkowalleck](https://redirect.github.com/jkowalleck) in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) #### New Contributors - [@​jkowalleck](https://redirect.github.com/jkowalleck) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) **Full Changelog**: ossf/scorecard-action@v2.3.3...v2.4.0 </details> <details> <summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary> ### [`v1.10.1`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.1) [Compare Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.10.0...v1.10.1) #### 🚑🔏 Oopsie... We missed a tiny bug in the attestations feature the other day The problem was that the distribution file validity check was failing on any valid distribution being present and ready to be signed. What a silly mistake! It's now been fixed via pypa/gh-action-pypi-publish@0ab0b79, though. So everything's good! \-- [@​webknjaz](https://redirect.github.com/webknjaz)[💰](https://redirect.github.com/sponsors/webknjaz) > \[!IMPORTANT] > ✨ Despite this minor hiccup, we invite you to still opt into trying this feature out early. [It can be enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations) like this: > > ```yml > with: > attestations: true > ``` > > Leave feedback in [the v1.10.0 release discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255) or [the PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236). **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.10.0...v1.10.1 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://redirect.github.com/sponsors/webknjaz) **🙏 Special Thanks** to [@​hugovk](https://redirect.github.com/hugovk)[💰](https://redirect.github.com/sponsors/hugovk) for [promptly validating the bug fix](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/256#issuecomment-2325925847), mere minutes after I pushed it — I even haven't finished writing this text by then! ### [`v1.10.0`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.0) [Compare Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.9.0...v1.10.0) #### 🔏 Anything fancy, eh? This time, [@​woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw) implemented support for [PEP 740] attestations functionality in [#​236](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/236) and [#​245](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/245). This is a big deal, as it is a huge step forward to replacing what the deprecated GPG signatures used to provide in a more meaningful way. > \[!IMPORTANT] > ✨ Please, do opt into trying this feature out early. [It can be enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations) as follows: > > ```yml > with: > attestations: true > ``` > > Leave any feedback on this in [this release discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255) or [the PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236). 🙏 And please, thank William for working on this amazing improvement for the ecosystem! The overall effort is tracked @&#[https://github.com/pypi/warehouse/issues/15871](https://redirect.github.com/pypi/warehouse/issues/15871)/15871, by the way. **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.9.0...v1.10.0 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://redirect.github.com/sponsors/webknjaz) [PEP 740]: https://peps.python.org/pep-0740/ </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv.dev). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-python](https://redirect.github.com/actions/setup-python) | action | minor | `v5.1.1` -> `v5.2.0` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v2.25.12` -> `v2.26.6` | | [ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` | | [pypa/gh-action-pypi-publish](https://redirect.github.com/pypa/gh-action-pypi-publish) | action | minor | `v1.9.0` -> `v1.10.1` | --- ### Release Notes <details> <summary>actions/setup-python (actions/setup-python)</summary> ### [`v5.2.0`](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0) [Compare Source](https://redirect.github.com/actions/setup-python/compare/v5.1.1...v5.2.0) </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.26.6`](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.5...v2.26.6) ### [`v2.26.5`](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.4...v2.26.5) ### [`v2.26.4`](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.3...v2.26.4) ### [`v2.26.3`](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.2...v2.26.3) ### [`v2.26.2`](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.1...v2.26.2) ### [`v2.26.1`](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.26.0...v2.26.1) ### [`v2.26.0`](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.25.15...v2.26.0) ### [`v2.25.15`](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.25.14...v2.25.15) ### [`v2.25.14`](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.25.13...v2.25.14) ### [`v2.25.13`](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.25.12...v2.25.13) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) #### What's Changed This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0). Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation. - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@​spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410) - 🐛 lower license sarif alert threshold to 9 by [@​spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411) ##### Documentation - docs: dogfooding badge by [@​jkowalleck](https://redirect.github.com/jkowalleck) in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) #### New Contributors - [@​jkowalleck](https://redirect.github.com/jkowalleck) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) **Full Changelog**: ossf/scorecard-action@v2.3.3...v2.4.0 </details> <details> <summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary> ### [`v1.10.1`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.1) [Compare Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.10.0...v1.10.1) #### 🚑🔏 Oopsie... We missed a tiny bug in the attestations feature the other day The problem was that the distribution file validity check was failing on any valid distribution being present and ready to be signed. What a silly mistake! It's now been fixed via pypa/gh-action-pypi-publish@0ab0b79, though. So everything's good! \-- [@​webknjaz](https://redirect.github.com/webknjaz)[💰](https://redirect.github.com/sponsors/webknjaz) > \[!IMPORTANT] > ✨ Despite this minor hiccup, we invite you to still opt into trying this feature out early. [It can be enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations) like this: > > ```yml > with: > attestations: true > ``` > > Leave feedback in [the v1.10.0 release discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255) or [the PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236). **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.10.0...v1.10.1 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://redirect.github.com/sponsors/webknjaz) **🙏 Special Thanks** to [@​hugovk](https://redirect.github.com/hugovk)[💰](https://redirect.github.com/sponsors/hugovk) for [promptly validating the bug fix](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/256#issuecomment-2325925847), mere minutes after I pushed it — I even haven't finished writing this text by then! ### [`v1.10.0`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.0) [Compare Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.9.0...v1.10.0) #### 🔏 Anything fancy, eh? This time, [@​woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw) implemented support for [PEP 740] attestations functionality in [#​236](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/236) and [#​245](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/245). This is a big deal, as it is a huge step forward to replacing what the deprecated GPG signatures used to provide in a more meaningful way. > \[!IMPORTANT] > ✨ Please, do opt into trying this feature out early. [It can be enabled](https://redirect.github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations) as follows: > > ```yml > with: > attestations: true > ``` > > Leave any feedback on this in [this release discussion](https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/255) or [the PR](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/236). 🙏 And please, thank William for working on this amazing improvement for the ecosystem! The overall effort is tracked @&#[https://github.com/pypi/warehouse/issues/15871](https://redirect.github.com/pypi/warehouse/issues/15871)/15871, by the way. **🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.9.0...v1.10.0 **🧔♂️ Release Manager:** [@​webknjaz 🇺🇦](https://redirect.github.com/sponsors/webknjaz) [PEP 740]: https://peps.python.org/pep-0740/ </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv.dev). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Tracking: the last two PRs for index support are now up:
Once those are in, there are some follow-ons that we should pursue:
|
pypa/gh-action-pypi-publish#277 is the last moving piece on the publishing side: that'll make generating attestations the default. |
We can cross that off the list now! |
@woodruffw I filed a tracking issue for uploading attestations to GitHub: pypa/gh-action-pypi-publish#288. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
The roadmap in this issue is fully complete, except for the UI elements (which are not part of PEP 740). As a result, I've opened the PEP acceptance PR: python/peps#4114 |
PEP 740 is in a final but not yet approved state. This issue is intended to lay out the dependencies/subcomponents of its implementing, including things that can be done in a preliminary manner.
Index side
attestations
form field in the current legacy upload endpointattestations
and verify each against the uploading trusted publisher; fail the file upload if any attestations are invalidUploader/publish side
gh-action-pypi-publish
gh-action-pypi-publish
should usesigstore-python
to sign the attestation payload defined in PEP 740twine
: Proposal: preliminary support for PEP 740 pypa/twine#1094twine
supports uploading,gh-action-pypi-publish
should use that support to actually upload the attestation objects it generates aboveDocs & UI
PEP 740: initial attestation docs #16063CC @di @webknjaz @facutuesca for visibility
The text was updated successfully, but these errors were encountered: