Update py-publish.yml to generate build provenance attestations #29
It would probably be a good idea to save the generated digest as artifacts (for now).

```yaml
- name: Save attestations as artifact
  uses: actions/upload-artifact@v4
  with:
    path: ${{ steps.create-attestations.outputs.bundle-path }}
    # github.repository is "owner/repo"; upload-artifact rejects "/" in artifact
    # names, so use the bare repository name instead
    name: ${{ github.event.repository.name }}-attestation-bundle
```

Tip: The above suggestion assumes the step that creates attestations is given `id: create-attestations`.
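For context on how the suggested upload step fits into a publish job, the following is an added example (not the workflow from this PR or the cpp-linter project) of a minimal job that builds a wheel, attests it with `actions/attest-build-provenance`, and then uploads the bundle. The step id `create-attestations` matches the suggestion above; the job name, the `python -m build` step and the `dist/*` path are assumptions for the example. The `permissions` block is the least-privilege set the attest action needs: `id-token: write` to obtain the OIDC token that is signed with, `attestations: write` to store the attestation on GitHub, and `contents: read` only.

```yaml
name: publish (example)

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # checkout only; no push rights
      id-token: write       # OIDC token used to sign the provenance
      attestations: write   # store the attestation under /attestations
    steps:
      - uses: actions/checkout@v4

      - name: Build wheel and sdist (assumed build step)
        run: |
          python -m pip install --upgrade build
          python -m build

      - name: Generate build provenance attestations
        id: create-attestations
        uses: actions/attest-build-provenance@v1
        with:
          # every file in dist/ becomes a subject of the SLSA provenance statement
          subject-path: dist/*

      - name: Save attestations as artifact
        uses: actions/upload-artifact@v4
        with:
          path: ${{ steps.create-attestations.outputs.bundle-path }}
          # artifact names may not contain "/", so the bare repo name is used
          name: ${{ github.event.repository.name }}-attestation-bundle
```

Because the attestation is also stored on GitHub, the uploaded bundle is a convenience copy; `gh attestation verify` (as shown later in this thread) fetches the attestation from the API and does not need the artifact.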
I suppose there is no need to save the generated digest as artifacts because it has already been saved at https://github.com/cpp-linter/clang-tools-static-binaries/attestations
But that is just for the static binaries. This workflow is for python publishing. Am I still misunderstanding attestations?
For Python:

```
pip download commit-check
Collecting commit-check
Using cached commit_check-0.8.0-py3-none-any.whl.metadata (8.8 kB)
Collecting pyyaml (from commit-check)
Using cached PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (2.1 kB)
Using cached commit_check-0.8.0-py3-none-any.whl (11 kB)
Using cached PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (705 kB)
Saved ./commit_check-0.8.0-py3-none-any.whl
Saved ./PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Successfully downloaded commit-check pyyaml
```

```
gh attestation verify commit_check-0.8.0-py3-none-any.whl -R commit-check/commit-check
Loaded digest sha256:bdab08d78123da1c20b38e96d485c5660c4e85fd26f4b026d6002dac3493676e for file://commit_check-0.8.0-py3-none-any.whl
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:bdab08d78123da1c20b38e96d485c5660c4e85fd26f4b026d6002dac3493676e was attested by:
REPO                       PREDICATE_TYPE                  WORKFLOW
commit-check/commit-check  https://slsa.dev/provenance/v1  .github/workflows/publish-package.yml@refs/tags/v0.8.0
```
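The `gh attestation verify` output above shows the three things a consumer is actually checking: the local file's SHA-256 digest matches a subject in the attestation, the predicate is SLSA provenance v1, and the attesting workflow belongs to the repository passed with `-R`. The following is an added example, not code from this PR or from the GitHub CLI, of those policy checks applied to an in-toto statement. The statement and the "wheel" bytes are constructed inline; the `predicate.buildDefinition.externalParameters.workflow` layout is assumed to be the one GitHub's build provenance uses. The Sigstore signature check that `gh` performs on the bundle before trusting the statement is not reproduced here.

```python
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample standing in for the bytes of a downloaded wheel (not a real package).
WHEEL_BYTES = b"constructed wheel contents for the example"
WHEEL_DIGEST = hashlib.sha256(WHEEL_BYTES).hexdigest()

# Constructed in-toto statement shaped like GitHub's SLSA v1 build provenance.
# Field layout under "predicate" is an assumption for the example.
STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": "commit_check-0.8.0-py3-none-any.whl", "digest": {"sha256": WHEEL_DIGEST}}
    ],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v0.8.0",
                    "repository": "https://github.com/commit-check/commit-check",
                    "path": ".github/workflows/publish-package.yml",
                }
            }
        }
    },
})


def file_digest(data: bytes) -> str:
    """Digest in the 'sha256:<hex>' form that gh prints as 'Loaded digest ...'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def check_provenance(statement_json: str, artifact: bytes,
                     expected_repo: str, expected_workflow_path: str) -> list:
    """Apply the consumer-side policy to a (signature-verified) statement.

    Returns a list of failure reasons; an empty list means the statement
    covers this exact artifact and was produced by the expected workflow.
    """
    st = json.loads(statement_json)
    failures = []

    # 1. The predicate must be SLSA provenance; other predicate types say nothing about the build.
    if st.get("predicateType") != SLSA_V1:
        failures.append("unexpected predicate type")

    # 2. The artifact we hold must be one of the attested subjects, byte for byte.
    local_hex = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == local_hex for s in st.get("subject", [])):
        failures.append("digest mismatch")

    # 3. The workflow that produced it must live in the repository we trust (gh's -R flag).
    workflow = (st.get("predicate", {})
                  .get("buildDefinition", {})
                  .get("externalParameters", {})
                  .get("workflow", {}))
    if workflow.get("repository") != f"https://github.com/{expected_repo}":
        failures.append("repository mismatch")
    if workflow.get("path") != expected_workflow_path:
        failures.append("workflow mismatch")

    return failures


if __name__ == "__main__":
    print("Loaded digest", file_digest(WHEEL_BYTES))
    print("genuine wheel:", check_provenance(
        STATEMENT, WHEEL_BYTES, "commit-check/commit-check",
        ".github/workflows/publish-package.yml"))
    print("modified wheel:", check_provenance(
        STATEMENT, WHEEL_BYTES + b"\x00", "commit-check/commit-check",
        ".github/workflows/publish-package.yml"))
```

Note that the `-R` check matters: without it, any repository's attestation over the same digest would verify, so pinning the expected repository (and, in stricter setups, the workflow path and ref) is what ties the artifact to the publisher you intended.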
Oh, ok. I didn't know you plan to use gh-cli to verify. According to the
I was expecting we'd have to keep track of the attestations locally. I did not know what tool you planned to use (or the tool's behavior). Given the use of gh-cli, I guess it isn't necessary to save the attestation as downloadable artifacts. Still, I'm unsure of where exactly the gh-cli tool is fetching the appropriate attestation. Obviously, I'll learn as I follow your progress 😉
I'm a newbie too, getting better together 😆
I assume all review comments are addressed and I feel ready to merge.
yep. LGTM
The attestation was created at https://github.com/cpp-linter/cpp-linter-hooks/attestations when the publish job runs https://github.com/cpp-linter/cpp-linter-hooks/actions/runs/9608722570
Ref to #28. Updating .github/workflows/py-publish.yml will allow all released Python packages in the cpp-linter org to support generating attestations. Then users can verify artifact attestations with the GitHub CLI if they need to.