
Commit 7148b81

feat: add dual SBOMs, build provenance attestation, and release assets
Add release-assets job to publish workflow that generates CycloneDX and SPDX SBOMs via anchore/sbom-action, signs all artifacts with Sigstore via actions/attest-build-provenance, and uploads wheel/sdist to GitHub releases. Improves OpenSSF Scorecard Signed-Releases from -1 to ~8/10.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 0f7ee5c commit 7148b81

1 file changed

Lines changed: 49 additions & 0 deletions


.github/workflows/publish.yml

@@ -38,7 +38,56 @@ jobs:
3838
assert walk({'k': 'v'}) == {'k': 'v'}
3939
print('Smoke test passed')
4040
"
41+
- name: Upload dist
42+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
43+
with:
44+
name: dist
45+
path: dist/
4146
- name: Publish to PyPI
4247
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
4348
with:
4449
print-hash: true
50+
51+
release-assets:
52+
needs: [publish]
53+
runs-on: ubuntu-latest
54+
permissions:
55+
contents: write
56+
id-token: write
57+
attestations: write
58+
steps:
59+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
60+
- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
61+
with:
62+
name: dist
63+
path: dist/
64+
- name: Generate CycloneDX SBOM
65+
uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
66+
with:
67+
path: dist/
68+
artifact-name: navi-sanitize.cdx.json
69+
output-file: navi-sanitize.cdx.json
70+
format: cyclonedx-json
71+
upload-artifact: false
72+
upload-release-assets: true
73+
- name: Generate SPDX SBOM
74+
uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
75+
with:
76+
path: dist/
77+
artifact-name: navi-sanitize.spdx.json
78+
output-file: navi-sanitize.spdx.json
79+
format: spdx-json
80+
upload-artifact: false
81+
upload-release-assets: true
82+
- name: Attest build provenance
83+
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
84+
with:
85+
subject-path: |
86+
dist/*
87+
navi-sanitize.cdx.json
88+
navi-sanitize.spdx.json
89+
- name: Upload dist to release
90+
env:
91+
GH_TOKEN: ${{ github.token }}
92+
TAG_NAME: ${{ github.ref_name }}
93+
run: gh release upload "$TAG_NAME" dist/* --clobber
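Review bot: the final step `run: gh release upload "$TAG_NAME" dist/* --clobber` and the two `upload-release-assets: true` settings on the sbom-action steps all assume a GitHub release already exists for `github.ref_name`, and nothing in this hunk establishes that (the workflow trigger is outside the diff). If the workflow runs on a tag push rather than a `release` event, `gh release upload` fails with a missing-release error and sbom-action skips the release upload, so the job should either be gated on `release: published` or create the release explicitly before uploading. Two smaller points: `--clobber` silently replaces any asset already published under the same name, which is the opposite of what a consumer verifying a release wants, so consider dropping it and letting a collision fail the job; and the `actions/checkout` step is unused, since the SBOMs are generated from `dist/` and the upload reads only `dist/`, so it can be removed to keep the job's surface to the downloaded artifact alone. Note also that `actions/attest-build-provenance` records the attestation in the repository's attestation store rather than as a release asset; if the Scorecard improvement described in the commit message depends on a signature or provenance file being present among the release assets, that file is not produced by this hunk and should be verified against the actual score.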
