Skip to content

Add support for attestations in the host phase #2000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mistydemeo merged 1 commit into from
Aug 27, 2025
Merged

Add support for attestations in the host phase #2000

mistydemeo merged 1 commit into from
Aug 27, 2025

Conversation

@samypr100
Copy link
Contributor

@samypr100 samypr100 commented Aug 2, 2025

Closes #1754

Two integration tests were added to confirm functionality behaves as expected.

Originally opened in astral-sh#45

@samypr100 samypr100 force-pushed the attest-improvements branch 2 times, most recently from e689d9e to 67eb13f Compare August 2, 2025 04:20
@mistydemeo
Copy link
Contributor

mistydemeo commented Aug 3, 2025

This makes sense to me, and thank you for adding tests!

Question for you - do you think these make sense as two separate settings? It feels like they're pretty linked, since the github-attestations-filters setting doesn't do anything if you don't also change the other one. Maybe it makes sense to just have the github-attestations-filters setting, and have that switch the phase if you choose it?

@samypr100
Copy link
Contributor Author

samypr100 commented Aug 3, 2025

This makes sense to me, and thank you for adding tests!

Question for you - do you think these make sense as two separate settings? It feels like they're pretty linked, since the github-attestations-filters setting doesn't do anything if you don't also change the other one. Maybe it makes sense to just have the github-attestations-filters setting, and have that switch the phase if you choose it?

Good question, happy to change it.
I chose two separate entries to allow more flexibility in the future, e.g. to support filters in the build-local-artifacts phase as well.
I didn't implement that in this PR though as I was thinking that could be a follow up.

@mistydemeo
Copy link
Contributor

mistydemeo commented Aug 3, 2025

Good point - leaving it open for other expansion could be useful. I was thinking about what else you might want to attest in that step, but now that I think about it, the custom build steps do mean that there are hypothetically extra artifacts produced in local builds that the user might want attested. That being the case, I'm happy for these to be separate steps.

@samypr100 samypr100 force-pushed the attest-improvements branch 2 times, most recently from f75fbbf to e32411b Compare August 8, 2025 02:54
@samypr100
Copy link
Contributor Author

samypr100 commented Aug 13, 2025

@mistydemeo Anything I could do to help move this forward? 🙏

@mistydemeo
Copy link
Contributor

mistydemeo commented Aug 13, 2025

Sorry to have taken so long! I'll try to get this merged tonight.

Just for a little transparency, I'm preparing for a big move in a few weeks, and it turns out dealing with all of that stuff takes up most of my after-work energy and brainpower. 😅

@samypr100
Copy link
Contributor Author

samypr100 commented Aug 13, 2025

Sorry to have taken so long! I'll try to get this merged tonight.

Just for a little transparency, I'm preparing for a big move in a few weeks, and it turns out dealing with all of that stuff takes up most of my after-work energy and brainpower. 😅

No worries, moving is a nightmare. Take your time 📦.
I asked as I wasn't sure there were other changes you'd like for me to do 😄.
On the avenue of total transparency I am also going to be dissapearing 👻 for a couple of weeks sometime next week 😆.

@samypr100 samypr100 mentioned this pull request Aug 13, 2025
Closed
mistydemeo
mistydemeo requested changes Aug 15, 2025
View reviewed changes
Copy link
Contributor

@mistydemeo mistydemeo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good! Sorry it took me so long to review. Just one quick request, then I think we're good to go.

@samypr100 samypr100 force-pushed the attest-improvements branch from b54ea61 to 456b330 Compare August 15, 2025 14:08
mistydemeo
mistydemeo approved these changes Aug 15, 2025
View reviewed changes
Copy link
Contributor

@mistydemeo mistydemeo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@mistydemeo mistydemeo merged commit c261d5f into axodotdev:main Aug 27, 2025
17 checks passed
@mistydemeo mistydemeo mentioned this pull request Aug 27, 2025
Merged
@samypr100 samypr100 deleted the attest-improvements branch August 27, 2025 01:18
@samypr100 samypr100 mentioned this pull request Sep 22, 2025
Merged
Gankra added a commit to astral-sh/uv that referenced this pull request Oct 30, 2025
@samypr100 @Gankra
Add uv release artifact attestations (#11357)
f3d3203 
## Summary

Similar to #8685, this adds
attestations for uv release artifacts.

The changes on this PR would add attestations for
* `dist-manifest.json`
* `uv-installer.ps1`
* `uv-installer.sh`
* All `*.tar.gz` and `*.zip` uv binary files

## Test Plan

~(clarifying note: I'm aware this file is managed cargo dist and this
will not work without allow-dirty at this time)~

~Currently cargo dist targets generation in `build_local_artifacts`
which is not used here, plus we'd ideally want to attest the GH
downloads / artifacts.~ (edit: fixed by
axodotdev/cargo-dist#2000)

At a glance, this release workflow seems to work successfully:

e.g. Example Run:
https://github.com/samypr100/uv/actions/runs/13229100555
e.g. Example Release:
https://github.com/samypr100/uv/releases/tag/0.5.29

---------

Co-authored-by: Aria Desires <aria.desires@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mistydemeo mistydemeo mistydemeo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support attestations in GitHub host phase

2 participants

@samypr100 @mistydemeo