Add support for build attestations (#481)

Follow up on feedback from #371 and the previous work from @orf which I cherry-picked. This adds build attestations for the builds using [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance). Closes #343 ### Test Plan Did a trial CI run which results in attestations like below for `cpython-3.10-aarch64-unknown-linux-gnu-lto` * https://github.com/samypr100/python-build-standalone/attestations/4246020 * https://search.sigstore.dev/?logIndex=160192732 Co-authored-by: Thomas Forbes <[email protected]> Co-authored-by: Zanie Blue <[email protected]>
astral-sh · Jan 10, 2025 · e1deaa1 · e1deaa1
1 parent e985fa1
commit e1deaa1
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 5 deletions.
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -130,7 +130,7 @@ jobs:
       pythonbuild_changed: ${{ steps.changed.outputs.pythonbuild_any_changed }}
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Set up Python
         uses: astral-sh/setup-uv@v4
 
@@ -140,7 +140,7 @@ jobs:
           # Convert GitHub labels array to comma-separated string
           LABELS=$(echo '${{ toJson(github.event.pull_request.labels.*.name) }}' | jq -r 'join(",")')
           echo "labels=$LABELS" >> $GITHUB_OUTPUT
-          
+
       - name: Generate build matrix
         id: set-matrix
         run: |
@@ -168,6 +168,10 @@ jobs:
       - generate-matrix
       - pythonbuild
       - image
+    # Permissions used for actions/attest-build-provenance
+    permissions:
+      id-token: write
+      attestations: write
     runs-on: ${{ matrix.runner }}
     strategy:
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
@@ -230,6 +234,12 @@ jobs:
 
           build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst
 
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v2
+        if: ${{ github.ref == 'refs/heads/main' }}
+        with:
+          subject-path: dist/*
+
       - name: Upload Distribution
         if: ${{ ! matrix.dry-run }}
         uses: actions/upload-artifact@v4

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -87,10 +87,14 @@ jobs:
     needs:
       - generate-matrix
       - pythonbuild
+    # Permissions used for actions/attest-build-provenance
+    permissions:
+      id-token: write
+      attestations: write
+    runs-on: ${{ matrix.runner }}
     strategy:
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
       fail-fast: false
-    runs-on: ${{ matrix.runner }}
     name: ${{ matrix.target_triple }} / ${{ matrix.python }} / ${{ matrix.build_options }}
     steps:
       - uses: actions/checkout@v4
@@ -122,6 +126,12 @@ jobs:
 
           ./build-macos.py --target-triple ${{ matrix.target_triple }} --python cpython-${{ matrix.python }} --options ${{ matrix.build_options }}
 
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v2
+        if: ${{ github.ref == 'refs/heads/main' }}
+        with:
+          subject-path: dist/*
+
       - name: Upload Distributions
         if: ${{ ! matrix.dry-run }}
         uses: actions/upload-artifact@v4

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -51,7 +51,7 @@ jobs:
       pythonbuild_changed: ${{ steps.changed.outputs.pythonbuild_any_changed }}
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Set up Python
         uses: astral-sh/setup-uv@v4
 
@@ -61,7 +61,7 @@ jobs:
           # Convert GitHub labels array to comma-separated string
           LABELS=$(echo '${{ toJson(github.event.pull_request.labels.*.name) }}' | jq -r 'join(",")')
           echo "labels=$LABELS" >> $GITHUB_OUTPUT
-          
+
       - name: Generate build matrix
         id: set-matrix
         run: |
@@ -88,6 +88,10 @@ jobs:
     needs:
       - generate-matrix
       - pythonbuild
+    # Permissions used for actions/attest-build-provenance
+    permissions:
+      id-token: write
+      attestations: write
     runs-on: ${{ matrix.runner }}
     strategy:
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
@@ -132,6 +136,12 @@ jobs:
           $Dists = Resolve-Path -Path "dist/*.tar.zst" -Relative
           .\pythonbuild.exe validate-distribution --run $Dists
 
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v2
+        if: ${{ github.ref == 'refs/heads/main' }}
+        with:
+          subject-path: dist/*
+
       - name: Upload Distributions
         uses: actions/upload-artifact@v4
         with: