Attest build provenance of artifacts (#122)

hugovk · hynek · web-flow · commit 0f9f77848331 · 2024-05-13T17:14:48.000+02:00
* Attest build provenance of artifacts * Add attest-build-provenance input to changelog * Try out attestation in CI * Clarify this is only GitHub attestation * Revert "Try out attestation in CI" This reverts commit 6a782e1. --------- Co-authored-by: Hynek Schlawack <hs@ox.cx>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased](https://github.com/hynek/build-and-inspect-python-package/compare/v2.4.0...main)
 
+### Added
+
+- New input: `attest-build-provenance-github` generates signed build provenance attestations for workflow artifacts.
+  [#122](https://github.com/hynek/build-and-inspect-python-package/pull/122)
+
+
 ## [2.4.0](https://github.com/hynek/build-and-inspect-python-package/compare/v2.3.0...v2.4.0) - 2024-04-11
 
 ### Changed
diff --git a/README.md b/README.md
@@ -95,6 +95,10 @@ While *build-and-inspect-python-package* will build a wheel for you by default,
 
   Use this if you want to build multiple packages in one workflow.
   (*optional*, default: `''`).
+- `attest-build-provenance-github`: Whether to generate signed build provenance attestations for workflow artifacts using [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance).
+  Requires `attestations: write` and `id-token: write` permissions.
+  The only meaningful value is `'true'` (note the quotes – GitHub Actions only allow string inputs) and everything else is treated as falsey.
+  (*optional*, default: `'false'`).
 
 
 ### Outputs
diff --git a/action.yml b/action.yml
@@ -19,6 +19,10 @@ inputs:
     description: Suffix to append to the artifact names.
     required: false
     default: ""
+  attest-build-provenance-github:
+    description: "Attest provenance using GitHub's own action. Requires 'attestations: write' and 'id-token: write' permissions."
+    required: false
+    default: 'false'
 outputs:
   dist:
     description: The location of the built packages.
@@ -102,6 +106,12 @@ runs:
       shell: bash
       working-directory: ${{ inputs.path }}
 
+    - name: Attest GitHub build provenance
+      if: ${{ inputs.attest-build-provenance-github == 'true' }}
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: "/tmp/baipp/dist/*"
+
     - name: Set output
       id: dist-location-setter
       shell: bash
