Expose PEP 740 attestations functionality #236

Merged Sep 1, 2024 (37 commits)

Changes from 1 commit

Commits
b526ff8
requirements: Add initial support for uploading PEP 740 attestations
woodruffw May 2, 2024
f267787
Misc lint fixes
facutuesca May 16, 2024
1571a0d
bump pypi_attestation_models, update usage
woodruffw Jun 11, 2024
27500cf
attestations: single quotes
woodruffw Jun 11, 2024
e9c72dd
attestations: simplify err
woodruffw Jun 11, 2024
3166978
Merge remote-tracking branch 'upstream/unstable/v1' into ww/attestations
woodruffw Jun 11, 2024
e7bd6ea
README: add a link
woodruffw Jun 11, 2024
5aa7e41
runtime: constrain pypi-attestation-models with a range
woodruffw Jun 18, 2024
4bc4ced
Merge branch 'unstable/v1' into ww/attestations
woodruffw Jun 18, 2024
0e2b9c9
runtime: bump range for pypi-attestation-models
woodruffw Jun 20, 2024
242d7e9
requirements: refreeze
woodruffw Jun 21, 2024
aa69903
Update requirements/runtime.in
woodruffw Jun 24, 2024
6b4d371
attestations: pre-validate dists as files
woodruffw Jun 24, 2024
16aa3a2
README: relocate PEP 740 info
woodruffw Jun 24, 2024
6dbccb5
README: PEP 740 -> "digital attestations"
woodruffw Jun 24, 2024
16b5dc1
README: explain that digital attestations require TP
woodruffw Jun 24, 2024
251402e
attestations: fix pylint
woodruffw Jun 24, 2024
1e91a3b
twine-upload: debug -> notice, rm PEP ref
woodruffw Jun 24, 2024
835d65d
attestations: debug dists before signing
woodruffw Jun 24, 2024
95be6b9
twine-upload: factor out TRUSTED_PUBLISHING
woodruffw Jun 24, 2024
176c905
pypi_attestation_models -> pypi_attestations
woodruffw Jun 28, 2024
9bac976
Merge remote-tracking branch 'upstream/unstable/v1' into ww/attestations
woodruffw Jul 9, 2024
6a808bf
runtime: bump constraints
woodruffw Jul 9, 2024
1bb6510
requirements: bump pypi-attestations
woodruffw Jul 10, 2024
8c640e3
bump to pypi-attestations==0.0.9
woodruffw Jul 17, 2024
e6556ab
attestations: use __main__ scope
woodruffw Jul 17, 2024
8094cdf
attestations: add main
woodruffw Jul 17, 2024
57dba07
attestations: please the linter
woodruffw Jul 17, 2024
af78f7a
README: emphasize beta
woodruffw Jul 22, 2024
bcc935f
twine-upload: emphasize attestations is a setting
woodruffw Jul 22, 2024
66f02b6
twine-upload: setting -> input
woodruffw Jul 22, 2024
28806ba
requirements: bump pypi-attestations, sigstore
woodruffw Jul 31, 2024
fed8784
requirements: bump sigstore, pypi-attestations
woodruffw Aug 20, 2024
61ffce1
Update attestations.py
woodruffw Aug 21, 2024
e1b63c3
Apply suggestions from code review
woodruffw Aug 21, 2024
15d9377
attestations: use Path.resolve(), break out dist collection
woodruffw Aug 21, 2024
473ca48
attestations: use exists() instead of is_file()
woodruffw Aug 21, 2024
9 changes: 6 additions & 3 deletions attestations.py
@@ -91,9 +91,12 @@ def main() -> None:

# Make sure everything that looks like a dist actually is one.
# We do this up-front to prevent partial signing.
for dist_path in dist_paths:
if not dist_path.is_file():
die(f'Path looks like a distribution but is not a file: {dist_path}')
if (invalid_dists := [_path for _path in dist_paths if _path.is_file()]):
Member:

This is where the bug snuck in that needed fixing by 0ab0b79.

Member Author:

🤦 thanks for fixing that.

invalid_dist_list = ', '.join(map(str, invalid_dists))
die(
'The following paths look like distributions but '
f'are not actually files: {invalid_dist_list}',
)

with SigningContext.production().signer(identity, cache=True) as s:
debug(f'attesting to dists: {dist_paths}')
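Review bot: the predicate in the added `invalid_dists` comprehension is inverted relative to the loop it replaces. The removed code called `die` when `not dist_path.is_file()`, but the new filter collects paths for which `_path.is_file()` is true, so every genuine distribution file is reported as "not actually files" and any path that is not a file slips through to the `SigningContext` block below. The condition should be `if not _path.is_file()`. Minor: the parentheses around the walrus assignment are unnecessary; `if invalid_dists := [...]:` is valid on its own.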