Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SNOW-685438: Sign artifacts before publish #522

Merged
merged 1 commit into from
Aug 8, 2024
Merged

SNOW-685438: Sign artifacts before publish #522

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 42 additions & 1 deletion .github/workflows/python-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,8 @@ on:
types: [published]

permissions:
contents: read
contents: write
id-token: write
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please explain this change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

id-token is required for signing the artifacts for cosign.
This github action will sign the artifacts using keyless process, verify signature using bundle file and certificate and sig files. Finally will copy the signing files to the release tag.


jobs:
deploy:
Expand All @@ -34,6 +35,46 @@ jobs:
python -m uv pip install -U hatch
- name: Build package
run: python -m hatch build --clean
- name: List artifacts
run: ls ./dist
- name: Install sigstore
run: python -m pip install sigstore
- name: Signing
run: |
for dist in dist/*; do
dist_base="$(basename "${dist}")"
echo "dist: ${dist}"
echo "dist_base: ${dist_base}"
python -m \
sigstore sign "${dist}" \
--output-signature "${dist_base}.sig" \
--output-certificate "${dist_base}.crt" \
--bundle "${dist_base}.sigstore"

# Verify using `.sig` `.crt` pair;
python -m \
sigstore verify identity "${dist}" \
--signature "${dist_base}.sig" \
--cert "${dist_base}.crt" \
--cert-oidc-issuer https://token.actions.githubusercontent.com \
--cert-identity ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/.github/workflows/build_and_sign_demand.yml@${GITHUB_REF}

# Verify using `.sigstore` bundle;
python -m \
sigstore verify identity "${dist}" \
--bundle "${dist_base}.sigstore" \
--cert-oidc-issuer https://token.actions.githubusercontent.com \
--cert-identity ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/.github/workflows/build_and_sign_demand.yml@${GITHUB_REF}
done
- name: List artifacts after sign
run: ls ./dist
- name: Copy files to release
run: |
gh release upload ${{ github.event.release.tag_name }} *.sigstore
gh release upload ${{ github.event.release.tag_name }} *.sig
gh release upload ${{ github.event.release.tag_name }} *.crt
env:
GITHUB_TOKEN: ${{ github.TOKEN }}
- name: Publish package
uses: pypa/gh-action-pypi-publish@release/v1
with:
Expand Down
Loading