convert

AA-Turner · AA-Turner · commit 14d5c39af7bd · 2024-10-08T04:21:50.000+01:00
diff --git a/.github/workflows/convert_attestation.py b/.github/workflows/convert_attestation.py
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -77,23 +77,24 @@ jobs:
           predicate: "null"
           show-summary: "true"
 
-      - uses: actions/upload-artifact@v4
+      - name: Upload sigstore JSONL attestations bundle
+        uses: actions/upload-artifact@v4
         with:
           name: sigstore-bundle
           path: ${{ steps.attest.outputs.bundle-path }}
 
-#      - name: Generate PEP 740 attestations
-#        run: |
-#          python -m pypi_attestations sign dist/*
-#
-#      - name: Inspect PEP 740 attestations
-#        run: |
-#          python -m pypi_attestations inspect dist/*.publish.attestation
-#
-#      - name: Verify PEP 740 attestations
-#        run: |
-#          python -m pypi_attestations verify dist/*.whl --identity https://github.com/${{ github.repository }}/.github/workflows/create-release.yml@${{ github.ref }}
-#          python -m pypi_attestations verify dist/*.tar.gz --identity https://github.com/${{ github.repository }}/.github/workflows/create-release.yml@${{ github.ref }}
+      - name: Convert attestations to PEP 740
+        run: python utils/convert_attestations.py "${{ steps.attest.outputs.bundle-path }}"
+
+      - name: Inspect PEP 740 attestations
+        run: |
+          python -m pypi_attestations inspect dist/*.publish.attestation
+
+      - name: Verify PEP 740 attestations
+        # workflow_ref example: sphinx-doc/sphinx/.github/workflows/create-release.yml@refs/heads/master
+        run: |
+          python -m pypi_attestations verify dist/*.whl --identity https://github.com/${{ github.workflow_ref }}
+          python -m pypi_attestations verify dist/*.tar.gz --identity https://github.com/${{ github.workflow_ref }}
 
 #      - name: Upload to PyPI
 #        env:
diff --git a/utils/convert_attestations.py b/utils/convert_attestations.py
@@ -0,0 +1,22 @@
+import base64
+import json
+import sys
+from pathlib import Path
+
+from pypi_attestations import Attestation
+from sigstore.models import Bundle
+
+DIST = Path('dist')
+
+bundle_path = Path(sys.argv[1])
+for line in bundle_path.read_bytes().splitlines():
+    dsse_envelope_payload = json.loads(line)['dsseEnvelope']['payload']
+    subjects = json.loads(base64.b64decode(dsse_envelope_payload))['subject']
+    for subject in subjects:
+        filename = subject['name']
+        sigstore_bundle = Bundle.from_json(line)
+        attestation = Attestation.from_bundle(sigstore_bundle)
+        print(attestation.model_dump_json())
+        signature_path = DIST / f'{filename}.publish.attestation'
+        signature_path.write_text(attestation.model_dump_json())
+        print(f'Attestation for {filename} written to {signature_path}')
