[doc] Add example for Python (#1209)

Co-authored-by: Yi Dong Hui <[email protected]>
slsa-framework · Nov 7, 2022 · 50330c2 · 50330c2
1 parent b55f3fa
commit 50330c2
Showing 1 changed file with 103 additions and 0 deletions.
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
@@ -894,6 +894,109 @@ jobs:
       upload-assets: true # Optional: Upload to a new release
 ```
 
+### Provenance for Python
+If you develop with Python you can
+easily generate SLSA3 provenance by updating your existing workflow with the
+steps indicated in the workflow below:
+
+1. Declare an outputs for the artifacts generated by the build and their hashes:
+```yaml
+jobs:
+  build:
+    name: "Build dists"    
+    runs-on: "ubuntu-latest"    
+    environment:      
+      name: "publish"
+      outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+```
+
+2. Add an id: build field to your python build step
+
+```yaml
+steps:
+  - name: "Checkout repository"        
+    uses: "actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b" # tag=v3
+
+  - name: "Setup Python"        
+    uses: "actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984" # tag=v4
+    with:  
+      python-version: "3.x"
+
+  - name: "Install dependencies"        
+    run: python -m pip install build
+
+  - name: Build using python
+    id: build
+    run: python -m build
+```
+
+3. Add a step to generate the provenance subjects as shown below. Update the sha256 sum arguments to include all binaries that you generate provenance for:
+
+```yaml
+- name: Generate subject
+  id: hash
+  run: |
+    cd dist && echo "::set-output name=hashes::$(sha256sum * | base64 -w0)"
+```
+
+4. Call the generic workflow to generate provenance by declaring the job below:
+```yaml
+provenance:
+  needs: [build]
+  permissions:
+    actions: read # To read the workflow path.
+    id-token: write # To sign the provenance.
+    contents: write # To add assets to a release.
+  uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+  with:
+    base64-subjects: "${{ needs.build.outputs.hashes }}"
+    upload-assets: true # Optional: Upload to a new release
+```
+All in all, it will look as the following:
+```yaml
+jobs:
+  build:
+    name: "Build dists"    
+    runs-on: "ubuntu-latest"    
+    environment:      
+      name: "publish"
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+  steps:
+    - name: "Checkout repository"        
+      uses: "actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b" # tag=v3
+
+    - name: "Setup Python"        
+      uses: "actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984" # tag=v4       
+      with:  
+        python-version: "3.x"
+
+    - name: "Install dependencies"        
+      run: python -m pip install build
+
+    - name: Build using Python
+      id: build
+      run: |
+        python -m build
+
+    - name: Generate subject
+    id: hash
+    run: |
+      cd dist && echo "::set-output name=hashes::$(sha256sum * | base64 -w0)"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true # Optional: Upload to a new release
+```
+
 ## Known Issues
 
 ### error updating to TUF remote mirror: tuf: invalid key