[TODO] Explore uploading attestations to GitHub as well #288
Comments
webknjaz
added
enhancement
|
Yep, this should be straightforward to do -- the attestation will either need to be uploaded to GH before it's munged into the PEP 740 shape, or re-munged back into a Sigstore bundle for subsequent uploading. One note: putting things in GH's attestations store also requires |
|
I haven't found a way to feature-test. So it'd probably be an upload attempt with error suppression... |
Makes sense to me 🙂 |
|
@woodruffw it might be a good idea to also explore exposing the signatures to the end-users (maybe, via action outputs?). As in, beyond telling them to scan the |
|
Yeah, that's a good idea -- I haven't been 100% sure how to do it since it's a one-many relationship in theory (one dist, potentially multiple attestations), so action outputs become a little hacky. I'll think about that some more. |
|
Probably wrap it as a JSON string. |
|
Good idea! Outputs are limited to 1MB, but they should be well below that. |
|
Yeah, I tend to be wrestling with passing complex data into and out of the actions (like alls-green) for a long time. And I settled on JSON, especially since they have builtin functions available ( |
|
Another aspect of this: the other way around would be useful, i.e. taking SLSA/etc. attestations produced by GitHub's official actions and munging them into the PyPI attestation format. This should be pretty straightforward to do, especially now that (That's a bit of a tangent from the original topic here though, so I can file a separate issue for this if desired.) |
|
@woodruffw I'm concerned about steering people towards allowing OIDC in test jobs. This wouldn't be a problem with SLSA, I suppose, since it requires using their reusable workflow with is a bunch of separate jobs already. But not sure about other things. |
I might be missing a connection here, but what does this have to do with OIDC in test jobs? This would solely be a way to have GitHub's machinery produce the attestations, rather than the
I don't think this is a bad thing, per se: it results in "useless" signatures in the sense that they never appear on PyPI, but it doesn't compromise the security of the scheme (since a publish attestation conveys intent, and the intent was to publish, even if the upload fails or rejects the upload).
I think it depends on the kind of attestation 🙂 -- for things like build/publish provenance, IMO it makes sense for them to happen before the release: part of the design here includes signed timestamps, and it would be a red flag to have a release made at time On the other hand, third-party attestations (which aren't implemented yet), would probably happen post-release, almost by definition. For these the opposite would hold: having a release at TL;DR: I think build/publish attestations have valuable timeliness properties that only hold/are only meaningfully auditable if they occur before the release appears on PyPI. OTOH, other attestations have valuable timeliness properties in the opposite direction. (Another reason to have build/publish attestations before the release is "locality": the goal of an attestation is to capture both a signature and a detailed identity, which means performing the attestation as close to the operation it's attesting for as possible.) |
This is how the official action does this: https://github.com/actions/toolkit/blob/77f247b/packages/attest/src/store.ts#L5-L44.
This is the API endpoint doc: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#create-an-attestation.
The text was updated successfully, but these errors were encountered: