Add uv release artifact attestations (#11357)

## Summary

Similar to https://github.com/astral-sh/uv/pull/8685, this adds
attestations for uv release artifacts.

The changes on this PR would add attestations for
* `dist-manifest.json`
* `uv-installer.ps1`
* `uv-installer.sh`
* All `*.tar.gz` and `*.zip` uv binary files

## Test Plan

~(clarifying note: I'm aware this file is managed by cargo dist and this
will not work without allow-dirty at this time)~

~Currently cargo dist targets generation in `build_local_artifacts`
which is not used here, plus we'd ideally want to attest the GH
downloads / artifacts.~ (edit: fixed by
https://github.com/axodotdev/cargo-dist/pull/2000)

At a glance, this release workflow seems to work successfully:

e.g. Example Run:
https://github.com/samypr100/uv/actions/runs/13229100555
e.g. Example Release:
https://github.com/samypr100/uv/releases/tag/0.5.29

---------

Co-authored-by: Aria Desires <aria.desires@gmail.com>
samypr100 2025-10-29 20:33:37 -04:00 committed by GitHub
parent 2652244655
commit f3d3203734
2 changed files with 23 additions and 4 deletions


@ -68,7 +68,7 @@ jobs:
# we specify bash to get pipefail; it guards against the `curl` command # we specify bash to get pipefail; it guards against the `curl` command
# failing. otherwise `sh` won't catch that `curl` returned non-0 # failing. otherwise `sh` won't catch that `curl` returned non-0
shell: bash shell: bash
run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.30.0/cargo-dist-installer.sh | sh" run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.30.1/cargo-dist-installer.sh | sh"
- name: Cache dist - name: Cache dist
uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47 uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
with: with:
@ -168,13 +168,17 @@ jobs:
- custom-build-binaries - custom-build-binaries
- custom-build-docker - custom-build-docker
- build-global-artifacts - build-global-artifacts
# Only run if we're "publishing", and only if local and global didn't fail (skipped is fine) # Only run if we're "publishing", and only if plan, local and global didn't fail (skipped is fine)
if: ${{ always() && needs.plan.outputs.publishing == 'true' && (needs.build-global-artifacts.result == 'skipped' || needs.build-global-artifacts.result == 'success') && (needs.custom-build-binaries.result == 'skipped' || needs.custom-build-binaries.result == 'success') && (needs.custom-build-docker.result == 'skipped' || needs.custom-build-docker.result == 'success') }} if: ${{ always() && needs.plan.result == 'success' && needs.plan.outputs.publishing == 'true' && (needs.build-global-artifacts.result == 'skipped' || needs.build-global-artifacts.result == 'success') && (needs.custom-build-binaries.result == 'skipped' || needs.custom-build-binaries.result == 'success') && (needs.custom-build-docker.result == 'skipped' || needs.custom-build-docker.result == 'success') }}
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
runs-on: "depot-ubuntu-latest-4" runs-on: "depot-ubuntu-latest-4"
outputs: outputs:
val: ${{ steps.host.outputs.manifest }} val: ${{ steps.host.outputs.manifest }}
permissions:
"attestations": "write"
"contents": "write"
"id-token": "write"
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with: with:
@ -251,6 +255,15 @@ jobs:
run: | run: |
# Remove the granular manifests # Remove the granular manifests
rm -f artifacts/*-dist-manifest.json rm -f artifacts/*-dist-manifest.json
- name: Attest
uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2
with:
subject-path: |
artifacts/*.json
artifacts/*.sh
artifacts/*.ps1
artifacts/*.zip
artifacts/*.tar.gz
- name: Create GitHub Release - name: Create GitHub Release
env: env:
PRERELEASE_FLAG: "${{ fromJson(needs.host.outputs.val).announcement_is_prerelease && '--prerelease' || '' }}" PRERELEASE_FLAG: "${{ fromJson(needs.host.outputs.val).announcement_is_prerelease && '--prerelease' || '' }}"
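Review bot: The Attest step's `subject-path` in the third hunk uses `artifacts/*.json`, which is broader than the `dist-manifest.json` the summary says is attested; the preceding step only removes the `*-dist-manifest.json` fragments, so any other JSON that ends up in `artifacts/` would receive a provenance attestation too. Narrowing the first pattern to `artifacts/dist-manifest.json` pins the attested subject set to what is documented; if this workflow is generated by cargo dist, as the installer step suggests, the same narrowing belongs in the `github-attestations-filters` list in the dist config section below, which the workflow mirrors. The `permissions` block added in the second hunk grants `id-token: write` and `attestations: write`, which is the minimum the attest action needs alongside the existing `contents: write` for the release; it writes quoted keys (`"attestations": "write"`) while the rest of the file leaves keys unquoted, worth normalizing if this file is ever hand-edited. The enclosing `host` job starts before the first hunk and continues past the last one.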


@ -4,7 +4,7 @@ members = ["cargo:."]
# Config for 'dist' # Config for 'dist'
[dist] [dist]
# The preferred dist version to use in CI (Cargo.toml SemVer syntax) # The preferred dist version to use in CI (Cargo.toml SemVer syntax)
cargo-dist-version = "0.30.0" cargo-dist-version = "0.30.1"
# Whether to consider the binaries in a package for distribution (defaults true) # Whether to consider the binaries in a package for distribution (defaults true)
dist = false dist = false
# CI backends to support # CI backends to support
@ -46,6 +46,12 @@ pr-run-mode = "plan"
dispatch-releases = true dispatch-releases = true
# Which phase dist should use to create the GitHub release # Which phase dist should use to create the GitHub release
github-release = "announce" github-release = "announce"
# Whether to enable GitHub Attestations
github-attestations = true
# When to generate GitHub Attestations
github-attestations-phase = "host"
# Patterns to attest when creating attestations for release artifacts
github-attestations-filters = ["*.json", "*.sh", "*.ps1", "*.zip", "*.tar.gz"]
# Whether CI should include auto-generated code to build local artifacts # Whether CI should include auto-generated code to build local artifacts
build-local-artifacts = false build-local-artifacts = false
# Local artifacts jobs to run in CI # Local artifacts jobs to run in CI
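Review bot: `github-attestations-phase = "host"` in the second hunk carries only a generic comment, while the reason this phase is needed here is not obvious from the line: `build-local-artifacts = false` in the same file, and the description notes that attestation previously targeted the local-artifacts job, which this project does not use. A comment such as `# "host" rather than the build phase: build-local-artifacts is disabled below, so the host job is where the downloaded artifacts exist` would keep a later reader from switching the phase and silently attesting nothing. The `cargo-dist-version = "0.30.1"` bump in the first hunk matches the installer URL in the workflow; the two must stay in step, since the description says the phase support arrived with the newer cargo-dist.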