PEP 740: Post-deployment tasks #17001
Comments
Is it possible to do this in a job following pypi-upload?
Not at the moment -- in principle we could add a separate upload endpoint/codepath for uploading attestations to an already-uploaded release, but that doesn't exist yet. For the time being, the assumption is that one or more attestations get uploaded with the release itself, so a user who wants to upload a SLSA attestation should put it in their In other words, a
(The interstitial
@woodruffw so I'm usually structuring my workflows to do any mutations post initial PyPI publish. That's my point of no return. Besides, the official SLSA automation for GHA is a reusable workflow. So running it before publishing would be a separate job with the hope that dists will get uploaded eventually, which may not happen in case of release rejection. This is my primary motivation for uploading attestations post-release (which could be useful in tandem with the very old request to have draft releases for transactional uploads). By the way, I've researched a little into how the attestations are uploaded to GH: pypa/gh-action-pypi-publish#288.
Signed-off-by: William Woodruff <[email protected]>

* initial attestations user docs
  Signed-off-by: William Woodruff <[email protected]>
* more background, use preview
  Signed-off-by: William Woodruff <[email protected]>
* docs: more improvements
  Signed-off-by: William Woodruff <[email protected]>
* docs: attestation internals
  Signed-off-by: William Woodruff <[email protected]>
* Update docs/user/attestations/internals.md
  Co-authored-by: Facundo Tuesca <[email protected]>
* publish/v1: clarify the signing target
  Signed-off-by: William Woodruff <[email protected]>
* Apply suggestions from code review
  Co-authored-by: Facundo Tuesca <[email protected]>
* v1: be explicit about payload
  Signed-off-by: William Woodruff <[email protected]>
* attestations: avoid "index attestations"
  Signed-off-by: William Woodruff <[email protected]>
* attestations/internals: remove another confusing phrase
  Signed-off-by: William Woodruff <[email protected]>
* Apply suggestions from code review
  Co-authored-by: Dustin Ingram <[email protected]>
* docs: move internals doc to dev-docs
  Signed-off-by: William Woodruff <[email protected]>
* dev: fix backticks
  Signed-off-by: William Woodruff <[email protected]>
* lintage, add note about trust
  Signed-off-by: William Woodruff <[email protected]>
* docs/dev: add callout for user docs
  Signed-off-by: William Woodruff <[email protected]>
* Update attestation-internals.rst
  Co-authored-by: Dustin Ingram <[email protected]>
* Update attestation-internals.rst
  Co-authored-by: Dustin Ingram <[email protected]>
* tweak index attestations warning
  Signed-off-by: William Woodruff <[email protected]>
* docs: more PEP 740 docs, begin migrating user API docs
  Signed-off-by: William Woodruff <[email protected]>
* docs: integrity API, details
  Signed-off-by: William Woodruff <[email protected]>
* api/integrity: fill in example
  Signed-off-by: William Woodruff <[email protected]>
* document status code
  Signed-off-by: William Woodruff <[email protected]>
* docs/dev: add note about api docs migration
  Signed-off-by: William Woodruff <[email protected]>
* Apply suggestions from code review
  Co-authored-by: Dustin Ingram <[email protected]>
* api/integrity: avoid weird formatting
  Signed-off-by: William Woodruff <[email protected]>
* Apply suggestions from code review
  Co-authored-by: Dustin Ingram <[email protected]>
* docs: link to #17001
  Signed-off-by: William Woodruff <[email protected]>
* docs/dev: use sampleproject for attestation docs
  Signed-off-by: William Woodruff <[email protected]>
* dev-docs: more attestation internals to security/
  Signed-off-by: William Woodruff <[email protected]>
* dev-docs: remove old index ref
  Signed-off-by: William Woodruff <[email protected]>
* dev-docs: fix two more broken refs
  Signed-off-by: William Woodruff <[email protected]>
* user-docs: use a real provenance example
  Signed-off-by: William Woodruff <[email protected]>
* remove incorrect header
  Signed-off-by: William Woodruff <[email protected]>
* make toctree placement less confusing
  Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Facundo Tuesca <[email protected]>
Co-authored-by: Dustin Ingram <[email protected]>
The main roadmap for PEP 740 is in #15871; this tracks related items that aren't blockers, but need to be thought about more and/or addressed in the medium-to-long term.
claims to `Attestation` trailofbits/pypi-attestations#70 `pypi` and `testpypi` respectively). We have a strong source of timeliness in the form of signed time, so we could add these and then require them in new attestations after a period of adoption.
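The last item sketches a phase-in: new claims become mandatory only for attestations whose signed time falls after an adoption cutoff. The checker below is an added example of that policy; it is not code from warehouse or pypi-attestations, and the issue text does not say which claims are meant. It therefore uses a hypothetical `index` claim carrying `pypi` or `testpypi`, placed in the in-toto statement's predicate, and takes the transparency log's integration time as the signed time. The attestation-object layout (`version`, `verification_material`, `envelope`) follows PEP 740, but the `integratedTime` field name, the claim name and location, the adoption cutoff and the skew tolerance are assumptions. The sample attestations are constructed inline with placeholder certificate and signature bytes, so nothing is cryptographically verified here; a real checker would complete Sigstore verification first and only then read the claims.

```python
import base64
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy knobs: assumed values for this example, not PyPI's real configuration.
ADOPTION_CUTOFF = datetime(2025, 1, 1, tzinfo=timezone.utc)  # claims required after this signed time
MAX_SKEW = timedelta(minutes=5)  # tolerated clock disagreement when sanity-checking signed time

# Hypothetical claim naming the index an attestation is meant for. Not part of
# PEP 740's published statement format; name and location are assumptions here.
INDEX_CLAIM = "index"
KNOWN_INDEXES = {"pypi", "testpypi"}


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def signed_time(attestation: dict) -> datetime:
    """Time at which the transparency log accepted the signature.

    Assumes a Rekor-style `integratedTime` (unix seconds as a string) on the
    first transparency entry; that field name is an assumption for this example.
    """
    entries = attestation["verification_material"]["transparency_entries"]
    if not entries:
        raise ValueError("no transparency entries, so no signed time is available")
    return datetime.fromtimestamp(int(entries[0]["integratedTime"]), tz=timezone.utc)


def statement_claims(attestation: dict) -> dict:
    """Decode the base64 in-toto statement in `envelope.statement` (PEP 740 layout)
    and return its predicate, where this example keeps the hypothetical claim."""
    raw = base64.b64decode(attestation["envelope"]["statement"])
    return json.loads(raw).get("predicate") or {}


def check_index_claim(attestation: dict, expected_index: str, now: datetime) -> Verdict:
    """Phased enforcement: the signed time decides whether the claim is mandatory."""
    if attestation.get("version") != 1:
        return Verdict(False, ["unsupported attestation version"])
    t_signed = signed_time(attestation)
    if t_signed > now + MAX_SKEW:
        return Verdict(False, ["signed time is in the future"])
    index = statement_claims(attestation).get(INDEX_CLAIM)
    if index is None:
        if t_signed >= ADOPTION_CUTOFF:
            return Verdict(False, [f"missing {INDEX_CLAIM!r} claim on attestation signed after cutoff"])
        # Legacy attestation from before the cutoff: accept, but surface the gap.
        return Verdict(True, [f"{INDEX_CLAIM!r} claim absent (pre-cutoff attestation, accepted)"])
    if index not in KNOWN_INDEXES:
        return Verdict(False, [f"unknown index claim {index!r}"])
    if index != expected_index:
        # The audience check proper: an attestation minted for testpypi must not
        # be accepted by pypi, and vice versa.
        return Verdict(False, [f"attestation is for {index!r}, not {expected_index!r}"])
    return Verdict(True)


def make_attestation(integrated_time: datetime, index: Optional[str] = None) -> dict:
    """Constructed sample in PEP 740's attestation-object shape. Certificate, log
    entry and signature are placeholders, not real Sigstore material."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "sampleproject-1.0.0.tar.gz", "digest": {"sha256": "00" * 32}}],
        "predicateType": "https://docs.pypi.org/attestations/publish/v1",
        "predicate": {INDEX_CLAIM: index} if index else None,
    }
    return {
        "version": 1,
        "verification_material": {
            "certificate": base64.b64encode(b"placeholder-der-cert").decode(),
            "transparency_entries": [{"integratedTime": str(int(integrated_time.timestamp()))}],
        },
        "envelope": {
            "statement": base64.b64encode(json.dumps(statement).encode()).decode(),
            "signature": base64.b64encode(b"placeholder-sig").decode(),
        },
    }


def run_demo() -> dict:
    """Run the policy over constructed attestations with a fixed `now` so the
    outcome is reproducible."""
    now = utc(2025, 6, 1)
    return {
        "pre_cutoff_no_claim": check_index_claim(make_attestation(utc(2024, 11, 1)), "pypi", now),
        "post_cutoff_no_claim": check_index_claim(make_attestation(utc(2025, 3, 1)), "pypi", now),
        "wrong_index": check_index_claim(make_attestation(utc(2025, 3, 1), "testpypi"), "pypi", now),
        "right_index": check_index_claim(make_attestation(utc(2025, 3, 1), "pypi"), "pypi", now),
        "future_signed": check_index_claim(make_attestation(utc(2025, 7, 1), "pypi"), "pypi", now),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Two design points matter more than the claim name. First, the enforcement decision keys on the log's signed time rather than on any time the signer wrote into the statement, because the signer's own timestamp is under the signer's control while the log time is not; that is what makes "require it for everything signed after date X" a policy a verifier can actually apply. Second, once the claim is present, the comparison is an audience check in the OIDC sense: an attestation produced for `testpypi` is rejected by a `pypi` verifier even though the signature, certificate and subject digest would all be valid, which is the replay the claim exists to close.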