attestation-bundles

Author: AA-Turner

.github/workflows/create-release.yml

@@ -62,13 +62,17 @@ jobs:
         run: |
           python -m pypi_attestations inspect dist/*.publish.attestation
 
-      - name: Upload attestations bundles
+      - name: Prepare attestation bundles for uploading
+        run: |
+          mkdir -p /tmp/attestation-bundles
+          cp "${{ steps.attest.outputs.bundle-path }}" /tmp/attestation-bundles/
+          cp dist/*.publish.attestation /tmp/attestation-bundles/
+
+      - name: Upload attestation bundles
         uses: actions/upload-artifact@v4
         with:
-          name: attestations
-          path: |
-            ${{ steps.attest.outputs.bundle-path }}
-            dist/*.publish.attestation
+          name: attestation-bundles
+          path: /tmp/attestation-bundles/
 
       - name: Mint PyPI API token
         id: mint-token

utils/convert_attestations.py

@@ -3,9 +3,9 @@
 See https://github.com/trailofbits/pypi-attestations.
 """
 
-import base64
 import json
 import sys
+from base64 import b64decode
 from pathlib import Path
 
 from pypi_attestations import Attestation, Distribution
@@ -19,7 +19,7 @@
 
 for line in bundle_path.read_bytes().splitlines():
     dsse_envelope_payload = json.loads(line)['dsseEnvelope']['payload']
-    subjects = json.loads(base64.b64decode(dsse_envelope_payload))['subject']
+    subjects = json.loads(b64decode(dsse_envelope_payload))['subject']
     for subject in subjects:
         filename = subject['name']
         assert (DIST / filename).is_file()
@@ -28,7 +28,6 @@
         print(f'Converting attestation for {filename}')
         sigstore_bundle = Bundle.from_json(line)
         attestation = Attestation.from_bundle(sigstore_bundle)
-        print(attestation.model_dump_json())
         attestation_path = DIST / f'{filename}.publish.attestation'
         attestation_path.write_text(attestation.model_dump_json())
         print(f'Attestation for {filename} written to {attestation_path}')