Skip to content

feat: create attestations on upload with cosign #1679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

feat: create attestations on upload with cosign #1679

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
aabc221
create attestations on upload with cosign
wolfv Sep 18, 2025
fe1d4b8
undo changes to github actions
wolfv Oct 12, 2025
003cece
update PR
wolfv Oct 12, 2025
d6294a5
undo unrelated changes in this pr
wolfv Oct 12, 2025
4b72883
undo cargo changes
wolfv Oct 12, 2025
103250a
add new github workflow and some refactoring
wolfv Oct 12, 2025
11a66fe
Merge remote-tracking branch 'origin/main' into attest-with-cosign
wolfv Oct 12, 2025
d7f5052
move arguments
wolfv Oct 12, 2025
0c2c971
fix lint
wolfv Oct 12, 2025
35f2440
fix
wolfv Oct 12, 2025
418f7a9
..
wolfv Oct 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
74 changes: 74 additions & 0 deletions .github/workflows/test-cosign-attestation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
on:
workflow_dispatch:
inputs:
package_url:
description: 'Full URL to download the package from'
required: true
default: 'https://repo.prefix.dev/conda-forge/noarch/rich-13.7.0-pyhd8ed1ab_0.conda'
channel:
description: 'Channel to upload to'
required: true
default: 'wolf-private-test'

name: Test Cosign Attestation

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
RUST_LOG: info
RUST_BACKTRACE: 1
CARGO_TERM_COLOR: always

jobs:
test-attestation:
name: Test Cosign Attestation Upload
runs-on: ubuntu-22.04

# These permissions are needed to create a sigstore certificate.
permissions:
id-token: write
contents: read
attestations: write

steps:
- name: Checkout source code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: recursive

- name: Install Rust toolchain
run: |
rustup component add rustfmt
rustup target add x86_64-unknown-linux-musl

- name: Install musl tools
run: |
sudo apt install musl-tools gcc g++
sudo ln -s /usr/bin/musl-gcc /usr/bin/musl-g++

- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8

- name: Show version information (Rust, cargo, GCC)
shell: bash
run: |
gcc --version || true
rustup -V
rustup toolchain list
cargo -V
rustc -V

- name: Install Cosign
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0

- name: Download package
run: |
PACKAGE_NAME=$(basename ${{ inputs.package_url }})
curl -L -o $PACKAGE_NAME ${{ inputs.package_url }}
ls -lh $PACKAGE_NAME
echo "PACKAGE_NAME=$PACKAGE_NAME" >> $GITHUB_ENV

- name: Run rattler upload with attestation generation
run: |
cargo run --bin rattler -- upload prefix --generate-attestation -c ${{ inputs.channel }} $PACKAGE_NAME
Loading
Loading