Merge pull request #99 from snowflakedb/hdang/validation

SNOW-1758368: add readme for validation
snowflakedb · Nov 14, 2024 · cd2351a · cd2351a
2 parents 658ff04 + 936da5b
commit cd2351a
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/.github/workflows/End2EndTest.yml b/.github/workflows/End2EndTest.yml
@@ -43,9 +43,10 @@ jobs:
 #          pytest --cov=./ --cov-report=xml --tb=native tests
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v4
         with:
           files: ./snowflake-ingest-python-coverage.xml
           name: codecov-snowpipe-python-sdk
           fail_ci_if_error: true
           verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/DESCRIPTION.rst b/DESCRIPTION.rst
@@ -7,6 +7,10 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-inges
 
 Release Notes
 -------------------------------------------------------------------------------
+- v1.0.10 (November 14, 2024)
+
+      - Update readme for artifact validation using cosign
+
 - v1.0.9 (September 10, 2024)
 
       - Fix casing for RFC-6750 conformity

diff --git a/README.rst b/README.rst
@@ -130,3 +130,21 @@ Here is a simple "hello world" example for using ingest sdk.
 
         print('\nHistory scan report: \n')
         print(history_range_resp)
+
+
+Artifact Validation
+=====
+Artifacts produced in this repository are signed by Snowflake and can be validated on the client side with the following steps.
+
+1. Install cosign following `these instructions <https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-install-cosign>`_.
+2. Download the `.whl` from the repository like `pypi <https://pypi.org/project/snowflake-ingest/#files>`_.
+3. Download the `.crt` and `.sig` files for the version of artifact from the `release page <https://github.com/snowflakedb/snowflake-ingest-python/releases>`_.
+4. Validate with cosign. The following command is an example to validate the `.whl` file of version 1.0.9. If valid, a message "Verified OK" should be printed out.
+
+.. code-block:: bash
+
+    cosign verify-blob snowflake_ingest-1.0.9-py3-none-any.whl  \
+      --certificate snowflake_ingest-1.0.9-py3-none-any.whl.crt \
+      --certificate-identity https://github.com/snowflakedb/snowflake-ingest-python/.github/workflows/publish-python.yaml@refs/tags/v1.0.9 \
+      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+      --signature snowflake_ingest-1.0.9-py3-none-any.whl.sig