
build: adding provenance generation to release-please workflow #256

Merged: 4 commits merged into main from rsoberano/SEC-5003/python-sdk-provenance, Feb 8, 2024

Conversation

rsoberano-ld (Contributor):

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Related issues

Provide links to any issues in this repository or elsewhere relating to this pull request.

Describe the solution you've provided

Using the GitHub SLSA generator to generate build provenance for python-server-sdk

Implementation based off of previous SDK SLSA integrations with release-please and Python-specific guidance here: https://sethmlarson.dev/python-and-slsa#generating-a-provenance-attestation

Describe alternatives you've considered

Provide a clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the pull request here.
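As an added illustration (not code from this PR, from the LaunchDarkly SDK, or from slsa-verifier), the Python script below shows what the attestation produced by the generic SLSA generator binds together and how a consumer can check it offline: the subject list of the `.intoto.jsonl` DSSE envelope ties each wheel's sha256 to the builder and to the source repository, which is what `slsa-verifier verify-artifact --source-uri ...` checks after it has validated the Sigstore signature. Assumptions: the SLSA v0.2 predicate layout as emitted by slsa-github-generator, the builder-id prefix of that project, a constructed wheel file and envelope, and the repository path github.com/launchdarkly/python-server-sdk taken from the description. The signature check itself is left to slsa-verifier; this script only decodes the payload.

```python
"""Offline checks on a SLSA provenance attestation for a Python wheel.

Added example for this PR thread; not the SDK's or slsa-verifier's code.
It decodes the DSSE envelope (*.intoto.jsonl) that the slsa-github-generator
generic workflow publishes and checks the bindings slsa-verifier enforces
after signature verification: each local artifact is a listed subject with a
matching sha256, the builder is the SLSA GitHub generator, and the build came
from the expected source repository. It does NOT verify the Sigstore signature.
"""
import base64
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Sequence, Tuple

INTOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_V02 = "https://slsa.dev/provenance/v0.2"
# Builder-id prefix of the slsa-github-generator project (assumed for this
# example; confirm against the generator release you actually pin).
EXPECTED_BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"


def sha256_hex(path: Path) -> str:
    """Stream the file through sha256 so large wheels are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_statement(envelope_text: str) -> dict:
    """Return the in-toto statement carried by a DSSE envelope (one JSON per line).

    Only the payload is decoded here; the envelope signature is not checked.
    """
    envelope = json.loads(envelope_text.splitlines()[0])
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement: dict, artifacts: Sequence[Path], source_uri: str) -> List[str]:
    """Return a list of problems; an empty list means every binding held."""
    problems: List[str] = []
    if statement.get("_type") != INTOTO_STATEMENT:
        problems.append("not an in-toto v0.1 statement")
    if statement.get("predicateType") != SLSA_PREDICATE_V02:
        problems.append("predicateType is not SLSA provenance v0.2")
    # Subject digests are keyed by artifact file name, as the generator emits them.
    subjects: Dict[str, str] = {
        s["name"]: s["digest"]["sha256"] for s in statement.get("subject", [])
    }
    for artifact in artifacts:
        listed = subjects.get(artifact.name)
        if listed is None:
            problems.append(f"{artifact.name}: not a subject of this provenance")
        elif listed != sha256_hex(artifact):
            problems.append(f"{artifact.name}: sha256 does not match provenance subject")
    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_id.startswith(EXPECTED_BUILDER_PREFIX):
        problems.append(f"unexpected builder id: {builder_id!r}")
    # v0.2 records the source as git+https://<repo>@<ref>; --source-uri must match <repo>.
    config_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not config_uri.startswith(f"git+https://{source_uri}@"):
        problems.append(f"source uri mismatch: {config_uri!r}")
    return problems


def make_envelope(artifacts: Sequence[Path], source_uri: str, tag: str) -> str:
    """Build a CONSTRUCTED envelope in the generator's v0.2 shape, unsigned."""
    statement = {
        "_type": INTOTO_STATEMENT,
        "predicateType": SLSA_PREDICATE_V02,
        "subject": [{"name": a.name, "digest": {"sha256": sha256_hex(a)}} for a in artifacts],
        "predicate": {
            "builder": {"id": EXPECTED_BUILDER_PREFIX
                        + ".github/workflows/generator_generic_slsa3.yml@refs/tags/v0.0.0"},
            "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
            "invocation": {"configSource": {
                "uri": f"git+https://{source_uri}@refs/tags/{tag}",
                "entryPoint": ".github/workflows/release-please.yml"}},
        },
    }
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "constructed-placeholder-not-a-signature"}],
    }
    return json.dumps(envelope) + "\n"


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Clean check, wrong --source-uri, then a tampered wheel (constructed data)."""
    source = "github.com/launchdarkly/python-server-sdk"  # repo named in the PR description
    with tempfile.TemporaryDirectory() as d:
        wheel = Path(d) / "launchdarkly_server_sdk-0.0.0-py3-none-any.whl"  # constructed version
        wheel.write_bytes(b"constructed wheel bytes, not a real package\n")
        statement = load_statement(make_envelope([wheel], source, "0.0.0"))
        clean = check_provenance(statement, [wheel], source)
        wrong_source = check_provenance(statement, [wheel], "github.com/example/fork")
        wheel.write_bytes(b"tampered after the attestation was produced\n")
        tampered = check_provenance(statement, [wheel], source)
    return clean, wrong_source, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "wrong source", "tampered"), demo()):
        print(f"{label}: {result or 'ok'}")
```

The three runs in `demo()` mirror the failure modes a release consumer cares about: a wheel whose bytes were swapped after the build no longer matches its subject digest, and a provenance produced from a different repository is rejected by the source-URI binding even though the digests agree.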

@rsoberano-ld rsoberano-ld requested a review from a team January 23, 2024 01:47
PROVENANCE.md (review thread on the outdated snippet below):

    --source-uri github.com/launchdarkly/launchdarkly-server-sdk \
    launchdarkly_server_sdk-VERSION-py3-none-any.whl

    TBD OUTPUT

rsoberano-ld (Contributor, Author):

TBD pending test output - @keelerm84 what's the best way to test out the updates to the release workflow?

keelerm84 (Member):

So there isn't a good way to test this without actually publishing something.

You can run the manual-publish with the dry run option (as I've mentioned in another comment), but actually going through the whole process isn't something that is easily done.

You can use the internal release-please testing repo and just modify this code to not actually publish anything as well. I've done that a lot during initial dev.

rsoberano-ld (Contributor, Author):

Leaving the example output empty for now until we're able to publish something (so it'll come in a separate commit after).

Let's coordinate on doing a manual-publish dry run next week to at least test most of the functionality here, and we can figure out a path for a full test after, though it sounds like the only way to make sure this works all the way through is to do this on an actual release. At the very least, the provenance generation happens last and won't fail the rest of the release steps.

rsoberano-ld (Contributor, Author):

@keelerm84 does the manual-publish.yml workflow publish anything to GitHub releases?

Two review threads on .github/workflows/manual-publish.yml (outdated, resolved)

keelerm84 (Member):

> @keelerm84 does the manual-publish.yml workflow publish anything to GitHub releases?

It probably uploads a compressed copy of the source code, but the actual publication of the package is handled through PyPI.

@rsoberano-ld rsoberano-ld merged commit 250261a into main Feb 8, 2024
11 checks passed
@rsoberano-ld rsoberano-ld deleted the rsoberano/SEC-5003/python-sdk-provenance branch February 8, 2024 17:42