From 2ea72a24caaf787da03b315b46f3a6ee7bf47af5 Mon Sep 17 00:00:00 2001 From: r19006733 Date: Mon, 11 Mar 2024 16:30:45 +0100 Subject: [PATCH 01/67] adding SLSA verification : Building pure Python packages (build.yaml),Generating a provenance attestation (provenance.yaml),Uploading to PyPI (publish.yaml) --- .github/workflows/build.yaml | 18 ++++++++++++++++++ .github/workflows/provenance.yaml | 11 +++++++++++ .github/workflows/publish.yaml | 25 +++++++++++++++++++++++++ 3 files changed, 54 insertions(+) create mode 100644 .github/workflows/build.yaml create mode 100644 .github/workflows/provenance.yaml create mode 100644 .github/workflows/publish.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 000000000..bb922fde3 --- /dev/null +++ b/.github/workflows/build.yaml @@ -0,0 +1,18 @@ +jobs: + build: + steps: + - uses: actions/checkout@... + - uses: actions/setup-python@... + with: + python-version: 3.x + - run: | + # Install 'build' and create sdist & wheel + python -m pip install build + python -m build + + # Gather hashes of all files + cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + - uses: actions/upload-artifacts@... + with: + path: ./dist + \ No newline at end of file diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml new file mode 100644 index 000000000..86c58c4d9 --- /dev/null +++ b/.github/workflows/provenance.yaml @@ -0,0 +1,11 @@ +jobs: + provenance: + needs: [build] + uses: slsa-framework/slsa-github-builder/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + permissions: + actions: read + id-token: write + contents: write + with: + subject-base64: ${{ steps.build.outputs.hashes }} + upload-assets: true \ No newline at end of file diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml new file mode 100644 index 000000000..42b1d0360 --- /dev/null +++ b/.github/workflows/publish.yaml 
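Review bot: The `build` job in build.yaml declares no `permissions:`, so it runs with the repository's default `GITHUB_TOKEN` scope although it only needs to read the checkout; add a workflow-level `permissions: contents: read` and let the jobs that actually publish request `contents: write` individually. The `uses: actions/checkout@...` / `setup-python@...` / `upload-artifacts@...` placeholders must be resolved before this can run, and for a workflow whose purpose is SLSA provenance they should be pinned to full commit SHAs (with the version in a trailing comment) rather than mutable tags; note also that the action is named `actions/upload-artifact`, singular. The step that writes `hashes=` to `$GITHUB_OUTPUT` has no `id:`, so nothing downstream can read that output; give it `id: hash` and declare `outputs: hashes: ${{ steps.hash.outputs.hashes }}` on the job.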
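Review bot: provenance.yaml has `needs: [build]` and `subject-base64: ${{ steps.build.outputs.hashes }}`, but `needs` only resolves jobs in the same workflow file and the `steps` context is not available at job level, so as a standalone workflow this job can neither run after `build` nor receive the hashes; the reusable-workflow call belongs in the same file as `build`, reading `needs.build.outputs.hashes` from a declared job output. The generator is invoked with `contents: write` and `upload-assets: true`, which will create or modify a GitHub release on every run, so the workflow that hosts it should be triggered by release tags only.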
@@ -0,0 +1,25 @@ +jobs: + publish: + needs: ["build", "provenance"] + permissions: + contents: write + runs-on: "ubuntu-latest" + steps: + # Download the built distributions + - uses: "actions/download-artifact@..." + with: + name: "dist" + path: "dist/" + + # Upload distributions to the GitHub Release + - env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + gh release upload ${{ github.ref_name }} \ + dist/* --repo ${{ github.repository }} + + # Publish distributions to PyPI + - uses: "pypa/gh-action-pypi-publish@..." + with: + user: __token__ + password: ${{ secrets.PYPI_TOKEN }} From 21028f37ec301d1f2cf97b3c8dd36f123b543e9d Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 17:16:56 +0100 Subject: [PATCH 02/67] Update build.yaml with merge jobs --- .github/workflows/build.yaml | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index bb922fde3..58b9b16ee 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
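Review bot: `gh release upload ${{ github.ref_name }}` splices the ref name into the shell script at template-expansion time, and git ref names may contain `;`, `|`, `$` and backticks, so anyone able to create a branch or tag that triggers this workflow can inject commands into a job holding a `contents: write` token; pass it through the environment instead: `env: REF_NAME: ${{ github.ref_name }}` and `gh release upload "$REF_NAME" dist/* --repo "$GITHUB_REPOSITORY"`. The PyPI step authenticates with a long-lived `PYPI_TOKEN` secret; since this pipeline already mints SLSA provenance, PyPI trusted publishing (`permissions: id-token: write` on the job, no `user`/`password` inputs) would remove the static credential from the repository entirely. `needs: ["build", "provenance"]` can only refer to jobs in the same workflow file, and this file defines neither.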
@@ -15,4 +15,37 @@ jobs: - uses: actions/upload-artifacts@... with: path: ./dist - \ No newline at end of file + provenance: + needs: [build] + uses: slsa-framework/slsa-github-builder/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + permissions: + actions: read + id-token: write + contents: write + with: + subject-base64: ${{ steps.build.outputs.hashes }} + upload-assets: true + publish: + needs: ["build", "provenance"] + permissions: + contents: write + runs-on: "ubuntu-latest" + steps: + # Download the built distributions + - uses: "actions/download-artifact@..." + with: + name: "dist" + path: "dist/" + + # Upload distributions to the GitHub Release + - env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + gh release upload ${{ github.ref_name }} \ + dist/* --repo ${{ github.repository }} + + # Publish distributions to PyPI + #- uses: "pypa/gh-action-pypi-publish@..." + # with: + # user: __token__ + # password: ${{ secrets.PYPI_TOKEN }} From 6f222a4c827766e3ebad40b575f334f4b2d0e2d7 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 17:27:05 +0100 Subject: [PATCH 03/67] Delete .github/workflows/provenance.yaml --- .github/workflows/provenance.yaml | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 .github/workflows/provenance.yaml diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml deleted file mode 100644 index 86c58c4d9..000000000 --- a/.github/workflows/provenance.yaml +++ /dev/null @@ -1,11 +0,0 @@ -jobs: - provenance: - needs: [build] - uses: slsa-framework/slsa-github-builder/.github/workflows/generator_generic_slsa3.yml@v1.5.0 - permissions: - actions: read - id-token: write - contents: write - with: - subject-base64: ${{ steps.build.outputs.hashes }} - upload-assets: true \ No newline at end of file From c44b1e6b4b0541182ab284f50df61f60520309fc Mon Sep 17 00:00:00 2001 
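Review bot: `subject-base64: ${{ steps.build.outputs.hashes }}` is evaluated at job level, where the `steps` context does not exist, so the generator would receive an empty subject list; declare `outputs: hashes: ${{ steps.<id>.outputs.hashes }}` on the `build` job, give the hash step an `id:`, and pass `needs.build.outputs.hashes`. The `build` job still has no `permissions:` block, so add a workflow-level `permissions: contents: read` and let `provenance` and `publish` escalate to `contents: write` as they already do. `gh release upload ${{ github.ref_name }}` in the `publish` job should take the ref via `env:` rather than interpolating it into the script, since ref names can carry shell metacharacters.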
From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 17:27:16 +0100 Subject: [PATCH 04/67] Delete .github/workflows/publish.yaml --- .github/workflows/publish.yaml | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 .github/workflows/publish.yaml diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml deleted file mode 100644 index 42b1d0360..000000000 --- a/.github/workflows/publish.yaml +++ /dev/null @@ -1,25 +0,0 @@ -jobs: - publish: - needs: ["build", "provenance"] - permissions: - contents: write - runs-on: "ubuntu-latest" - steps: - # Download the built distributions - - uses: "actions/download-artifact@..." - with: - name: "dist" - path: "dist/" - - # Upload distributions to the GitHub Release - - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - run: | - gh release upload ${{ github.ref_name }} \ - dist/* --repo ${{ github.repository }} - - # Publish distributions to PyPI - - uses: "pypa/gh-action-pypi-publish@..." - with: - user: __token__ - password: ${{ secrets.PYPI_TOKEN }} From a844529593e8d0845e69f999d5ef1591b68d3b71 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 17:30:41 +0100 Subject: [PATCH 05/67] Update build.yaml --- .github/workflows/build.yaml | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 58b9b16ee..7ad210fc1 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -25,24 +25,25 @@ jobs: with: subject-base64: ${{ steps.build.outputs.hashes }} upload-assets: true - publish: - needs: ["build", "provenance"] - permissions: - contents: write - runs-on: "ubuntu-latest" - steps: + + publish: + needs: ["build", "provenance"] + permissions: + contents: write + runs-on: "ubuntu-latest" + steps: # Download the built distributions - - uses: "actions/download-artifact@..." - with: - name: "dist" - path: "dist/" + - uses: "actions/download-artifact@..." + with: + name: "dist" + path: "dist/" # Upload distributions to the GitHub Release - - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - run: | - gh release upload ${{ github.ref_name }} \ - dist/* --repo ${{ github.repository }} + - env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + gh release upload ${{ github.ref_name }} \ + dist/* --repo ${{ github.repository }} # Publish distributions to PyPI #- uses: "pypa/gh-action-pypi-publish@..." From d903ad4be2128ea31c88ecd71213e9b9677bb765 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 17:45:59 +0100 Subject: [PATCH 06/67] Update build.yaml --- .github/workflows/build.yaml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 7ad210fc1..2084ebef9 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,5 +1,15 @@ +name: Build for slsa +on: + pull_request: + push: + branches: + - '*' + tags: + - '*' + jobs: build: + runs-on: "ubuntu-latest" steps: - uses: actions/checkout@... - uses: actions/setup-python@... @@ -17,7 +27,7 @@ jobs: path: ./dist provenance: needs: [build] - uses: slsa-framework/slsa-github-builder/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-builder/.github/workflows/generator_generic_slsa3.yml@v1.9.0 permissions: actions: read id-token: write 
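Review bot: `on: push: branches: ['*']` together with `pull_request` makes this release pipeline run for every branch push and every PR, and the downstream `provenance` job (`upload-assets: true`, `contents: write`) and `gh release upload ${{ github.ref_name }}` then act on branch names and `N/merge` refs that are not releases; restrict the trigger to release tags, e.g. `on: push: tags: ['v*']`, and keep a separate read-only build/test workflow for branches and PRs. For `pull_request` events from forks the token is read-only and `id-token: write` is not granted, so the reusable SLSA workflow would fail there regardless. The bump to `@v1.9.0` keeps the generator referenced by tag; check the slsa-github-generator documentation on whether a SHA reference is supported by its verification before pinning this particular `uses:` like the other actions.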
@@ -39,11 +49,11 @@ jobs: path: "dist/" # Upload distributions to the GitHub Release - - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - run: | - gh release upload ${{ github.ref_name }} \ - dist/* --repo ${{ github.repository }} + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + gh release upload ${{ github.ref_name }} \ + dist/* --repo ${{ github.repository }} # Publish distributions to PyPI #- uses: "pypa/gh-action-pypi-publish@..." From a321bbc139c9b4946b08d3afc1d93111b0ee8707 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 17:56:06 +0100 Subject: [PATCH 07/67] Update build.yaml --- .github/workflows/build.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 2084ebef9..130c8fa3e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -27,7 +27,7 @@ jobs: path: ./dist provenance: needs: [build] - uses: slsa-framework/slsa-github-builder/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 permissions: actions: read id-token: write @@ -35,6 +35,7 @@ jobs: with: subject-base64: ${{ steps.build.outputs.hashes }} upload-assets: true + draft-release: true publish: needs: ["build", "provenance"] From de38986eef9ff17a0e915216ffd3a475e68082ba Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 17:59:20 +0100 Subject: [PATCH 08/67] Update build.yaml --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 130c8fa3e..a262b5990 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
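Review bot: The hunk drops the `-` in front of `env:`, so `env:`/`run:` are no longer their own step but additional keys on the preceding `download-artifact` step, and a step cannot carry both `uses` and `run`; indentation is not visible here, but if that is what happened the workflow is rejected at parse time, so restore `- env:` to keep it a separate step. Independently, `gh release upload ${{ github.ref_name }}` expands the ref name directly into the shell script, and ref names may contain `;`, `|` or `$`; set `env: REF_NAME: ${{ github.ref_name }}` on the step and use `gh release upload "$REF_NAME" dist/* --repo "$GITHUB_REPOSITORY"`.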
@@ -33,7 +33,7 @@ jobs: id-token: write contents: write with: - subject-base64: ${{ steps.build.outputs.hashes }} + subject-base64: ${{ needs.release.outputs.hashes }} upload-assets: true draft-release: true From 3c98eb964a02f039ce0517b436e8ff403d5af945 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 18:05:54 +0100 Subject: [PATCH 09/67] Update build.yaml --- .github/workflows/build.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a262b5990..312d24a75 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -10,6 +10,8 @@ on: jobs: build: runs-on: "ubuntu-latest" + outputs: + hashes: ${{ steps.hash.outputs.hashes }} steps: - uses: actions/checkout@... - uses: actions/setup-python@... @@ -33,7 +35,7 @@ jobs: id-token: write contents: write with: - subject-base64: ${{ needs.release.outputs.hashes }} + subject-base64: ${{ needs.build.outputs.hashes }} upload-assets: true draft-release: true From 2cda8997474db605bda934fde7d67b48c8b0392f Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 18:07:12 +0100 Subject: [PATCH 10/67] Update build.yaml --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 312d24a75..a514319ff 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -35,7 +35,7 @@ jobs: id-token: write contents: write with: - subject-base64: ${{ needs.build.outputs.hashes }} + base64-subjects: ${{ needs.build.outputs.hashes }} upload-assets: true draft-release: true From 4bb49ea8316948703381374b510273c5497b9623 Mon Sep 17 00:00:00 2001 
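Review bot: `hashes: ${{ steps.hash.outputs.hashes }}` on the `build` job refers to a step id `hash`, but the step that writes `hashes=` to `$GITHUB_OUTPUT` is an anonymous `- run: |` with no `id:`, so the output is empty and `base64-subjects` receives nothing; add `id: hash` to that step. It is also worth failing the build when the list is empty rather than handing an empty subject set to the provenance generator: `hashes="$(sha256sum * | base64 -w0)"`, `test -n "$hashes"`, `echo "hashes=$hashes" >> "$GITHUB_OUTPUT"`. Renaming the input to `base64-subjects` matches the generator's documented input name, so that part is right.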
From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 18:12:24 +0100 Subject: [PATCH 11/67] Update build.yaml --- .github/workflows/build.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a514319ff..f5965c201 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -13,8 +13,8 @@ jobs: outputs: hashes: ${{ steps.hash.outputs.hashes }} steps: - - uses: actions/checkout@... - - uses: actions/setup-python@... + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 with: python-version: 3.x - run: | From ff3ab954af48123f2bb447f1c7e7d664cc02ad52 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 18:18:34 +0100 Subject: [PATCH 12/67] Update build.yaml --- .github/workflows/build.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f5965c201..d6de9777a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -24,7 +24,7 @@ jobs: # Gather hashes of all files cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT - - uses: actions/upload-artifacts@... + - uses: actions/upload-artifacts@v4 with: path: ./dist provenance: @@ -46,7 +46,7 @@ jobs: runs-on: "ubuntu-latest" steps: # Download the built distributions - - uses: "actions/download-artifact@..." + - uses: "actions/download-artifact@v4" with: name: "dist" path: "dist/" @@ -59,7 +59,7 @@ jobs: dist/* --repo ${{ github.repository }} # Publish distributions to PyPI - #- uses: "pypa/gh-action-pypi-publish@..." + #- uses: "pypa/gh-action-pypi-publish@v4" # with: # user: __token__ # password: ${{ secrets.PYPI_TOKEN }} From fcd9b418146e53b47dcd0e5b8476f3b8fc1d1077 Mon Sep 17 00:00:00 2001 
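Review bot: `actions/checkout@v4`, `actions/setup-python@v4`, `actions/upload-artifacts@v4` and `actions/download-artifact@v4` are mutable major-version tags; for a workflow whose output is SLSA provenance, pin each third-party action to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<40-char sha> # v4`, so a re-pointed tag cannot change what the build runs. `actions/upload-artifacts` is not the action's name (`actions/upload-artifact`), so that step will fail to resolve. The commented-out PyPI step now references `pypa/gh-action-pypi-publish@v4`; that action's release tags are of the form `release/v1.x`, so verify the ref before re-enabling it.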
From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 18:28:20 +0100 Subject: [PATCH 13/67] Update build.yaml --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d6de9777a..e0ea7f5e8 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -24,7 +24,7 @@ jobs: # Gather hashes of all files cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT - - uses: actions/upload-artifacts@v4 + - uses: actions/upload-artifact@v4 with: path: ./dist provenance: From 0aba89f4aee617ccace7bc9d27cf8b2c2bfba33f Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 18:40:25 +0100 Subject: [PATCH 14/67] Update build.yaml --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e0ea7f5e8..0ef59d740 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -14,7 +14,7 @@ jobs: hashes: ${{ steps.hash.outputs.hashes }} steps: - uses: actions/checkout@v4 - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 with: python-version: 3.x - run: | From bbe2bf363529ceb2b72bdd3b6d252d0b1990cd88 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 19:07:53 +0100 Subject: [PATCH 15/67] Update build.yaml --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 0ef59d740..3ac091409 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -20,6 +20,7 @@ jobs: - run: | # Install 'build' and create sdist & wheel python -m pip install build + python -m pip install -r requirements.txt python -m build # Gather hashes of all files 
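Review bot: `python -m pip install -r requirements.txt` pulls the project's runtime dependencies, unpinned, into the environment that produces the attested sdist and wheel, and `python -m pip install build` is unpinned as well. Building a pure-Python package does not normally require the runtime requirements to be installed (`python -m build` resolves build requirements in an isolated environment), so drop this line unless `setup.py` imports one of them at build time, and pin `build` to a version, ideally installed from a hash-pinned requirements file with `pip install --require-hashes -r build-requirements.txt`, so the materials feeding the provenance are reproducible.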
From 9101d7acf33d8019f3dc98e4b4493c1698dbbdb8 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 19:12:38 +0100 Subject: [PATCH 16/67] Update build.yaml --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3ac091409..483e40c88 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -20,6 +20,7 @@ jobs: - run: | # Install 'build' and create sdist & wheel python -m pip install build + python -m ensurepip --upgrade python -m pip install -r requirements.txt python -m build From 773eaa56d76cd4b5c2f928e64d4f44c96705cdbc Mon Sep 17 00:00:00 2001 From: Ataxi Date: Tue, 12 Mar 2024 21:33:47 +0100 Subject: [PATCH 17/67] add init for script --- scripts/__init__.py | 1 + setup.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 scripts/__init__.py diff --git a/scripts/__init__.py b/scripts/__init__.py new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/scripts/__init__.py @@ -0,0 +1 @@ + diff --git a/setup.py b/setup.py index 1c44de132..385740dee 100644 --- a/setup.py +++ b/setup.py @@ -2,7 +2,7 @@ import re import setuptools -from scripts.get_package_version import get_package_version +from scripts import get_package_version def update_version_file(version: str): From 6555f311a09d06542ad76cc6889bdeada299192a Mon Sep 17 00:00:00 2001 From: Ataxi Date: Tue, 12 Mar 2024 21:39:16 +0100 Subject: [PATCH 18/67] modif setup.py --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 385740dee..1c44de132 100644 --- a/setup.py +++ b/setup.py @@ -2,7 +2,7 @@ import re import setuptools -from scripts import get_package_version +from scripts.get_package_version import get_package_version def update_version_file(version: str): From 2bd3b3255a1c7b75d64c7cd2657f4dfc2cdfae96 Mon Sep 17 00:00:00 2001 
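Review bot: `python -m ensurepip --upgrade` runs after `python -m pip install build`, so it cannot affect the pip that just installed `build`, and the interpreter provided by setup-python already ships pip; either drop the line or, if a newer pip is wanted, run `python -m pip install --upgrade pip` as the first command of the script. The two setup.py hunks on this line cancel each other out (`from scripts import get_package_version` and back), leaving only the new empty `scripts/__init__.py`, which is harmless but means the commit message for PATCH 17 no longer describes a net change.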
From: Ataxi Date: Tue, 12 Mar 2024 22:07:27 +0100 Subject: [PATCH 19/67] add version.json for setutools --- setup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.py b/setup.py index 1c44de132..0e6a7fc1c 100644 --- a/setup.py +++ b/setup.py @@ -78,6 +78,7 @@ def revert(): package_data={ "taskweaver.planner": ["*"], # prompt "taskweaver.code_interpreter.code_generator": ["*"], # prompt + "taskweaver": ["version.json"], # version }, entry_points={ "console_scripts": ["taskweaver=taskweaver.__main__:main"], From 8159d73408ac401bd523f0740c3689890be78656 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 12 Mar 2024 22:14:43 +0100 Subject: [PATCH 20/67] Update setup.py --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 0e6a7fc1c..e446ae343 100644 --- a/setup.py +++ b/setup.py @@ -78,7 +78,7 @@ def revert(): package_data={ "taskweaver.planner": ["*"], # prompt "taskweaver.code_interpreter.code_generator": ["*"], # prompt - "taskweaver": ["version.json"], # version + "taskweaver": ["*"], # version }, entry_points={ "console_scripts": ["taskweaver=taskweaver.__main__:main"], From 6b413ef553eaabd1df777677c09eb113bdecd2ba Mon Sep 17 00:00:00 2001 From: Ataxi Date: Tue, 12 Mar 2024 22:50:33 +0100 Subject: [PATCH 21/67] build work --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 0e6a7fc1c..8dc7cea7f 100644 --- a/setup.py +++ b/setup.py @@ -78,7 +78,7 @@ def revert(): package_data={ "taskweaver.planner": ["*"], # prompt "taskweaver.code_interpreter.code_generator": ["*"], # prompt - "taskweaver": ["version.json"], # version + "taskweaver": ["../*"], # version }, entry_points={ "console_scripts": ["taskweaver=taskweaver.__main__:main"], From 39620cce2cedb3b962e85ce78f8e9a5d5f6efded Mon Sep 17 00:00:00 2001 
From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:05:36 +0100 Subject: [PATCH 22/67] Update build.yaml --- .github/workflows/build.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 483e40c88..a3b61812d 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -25,10 +25,11 @@ jobs: python -m build # Gather hashes of all files - cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') + echo "hashes=$(cat $checksum_file | base64 -w0)" >> $GITHUB_OUTPUT - uses: actions/upload-artifact@v4 with: - path: ./dist + path: dist/ provenance: needs: [build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 From 1affa17dca6b8b359c413b48d85e73b7bc2920d9 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:18:13 +0100 Subject: [PATCH 23/67] Update build.yaml --- .github/workflows/build.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a3b61812d..0ec07ceeb 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -25,11 +25,11 @@ jobs: python -m build # Gather hashes of all files - checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> $GITHUB_OUTPUT + set -euo pipefail + cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT - uses: actions/upload-artifact@v4 with: - path: dist/ + path: ./dist provenance: needs: [build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 From 0d8fbfc203f7a7ce53ca90edfae09c0d6b3aba76 Mon Sep 17 00:00:00 2001 
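Review bot: `set -euo pipefail` is introduced only after the `pip install` and `python -m build` commands have already run; the default `run:` shell is `bash -e` without `pipefail`, so the `sha256sum * | base64 -w0` pipeline does benefit, but the guard belongs on the first line of the script so every command is covered uniformly. Quote the output file as well: `echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"`. The removed `$ARTIFACTS`/`jq` lines appear to come from a GoReleaser-style example and never applied to `python -m build` output, so dropping them is correct.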
From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:41:42 +0100 Subject: [PATCH 24/67] Update build.yaml --- .github/workflows/build.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 0ec07ceeb..1bc0653b9 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -17,7 +17,9 @@ jobs: - uses: actions/setup-python@v5 with: python-version: 3.x - - run: | + - name: Generate checksum + id: hash + run: | # Install 'build' and create sdist & wheel python -m pip install build python -m ensurepip --upgrade From 58be17f422a7d56773e4798eaccf16caf1fcbd5b Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:45:28 +0100 Subject: [PATCH 25/67] Update build.yaml --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1bc0653b9..b6c14569e 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -31,7 +31,7 @@ jobs: cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT - uses: actions/upload-artifact@v4 with: - path: ./dist + path: ../dist provenance: needs: [build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 From 8384e7ea3b376e755ada6fd97fb350a795da6bb0 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:49:47 +0100 Subject: [PATCH 26/67] Update build.yaml --- .github/workflows/build.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b6c14569e..c13d4d4b4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
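Review bot: `path: ../dist` resolves relative to `$GITHUB_WORKSPACE`, because every `run:` step starts in the workspace and the `cd dist` in the previous step does not carry over, so this points outside the checkout and the upload finds nothing; keep `path: dist/`. Giving the hash step `name: Generate checksum` and `id: hash` finally wires `steps.hash.outputs.hashes` to a real step, which the earlier `outputs:` declaration depended on.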
@@ -29,9 +29,10 @@ jobs: # Gather hashes of all files set -euo pipefail cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + cd .. - uses: actions/upload-artifact@v4 with: - path: ../dist + path: dist/ provenance: needs: [build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 From c4e03d96154e94059ec0ce780c6db79b0a7205a7 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 13:05:31 +0100 Subject: [PATCH 27/67] Update build.yaml --- .github/workflows/build.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c13d4d4b4..fb217d510 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -52,17 +52,17 @@ jobs: runs-on: "ubuntu-latest" steps: # Download the built distributions - - uses: "actions/download-artifact@v4" + - uses: "actions/upload-artifact@v4" with: name: "dist" path: "dist/" # Upload distributions to the GitHub Release - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - run: | - gh release upload ${{ github.ref_name }} \ - dist/* --repo ${{ github.repository }} + #env: + # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # run: | + # gh release upload ${{ github.ref_name }} \ + # dist/* --repo ${{ github.repository }} # Publish distributions to PyPI #- uses: "pypa/gh-action-pypi-publish@v4" From 4769eee38d413251d540655365d7b7299284941e Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:26:00 -0400 Subject: [PATCH 28/67] Update build.yaml --- .github/workflows/build.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index fb217d510..8de76a0a1 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
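Review bot: In the `publish` job the `actions/download-artifact@v4` step is replaced by `actions/upload-artifact@v4` with `name: dist` and `path: dist/`; on a fresh runner there is no `dist/` to upload, so the step warns or fails and the job never obtains the built distributions at all. Commenting out the `gh release upload` block hides that failure rather than fixing it, so the net effect is a publish job that does nothing; restore `download-artifact` and keep the `name:` consistent with what `build` uploads. The `cd ..` added to the `build` hash step is unnecessary since each `run:` step starts in `$GITHUB_WORKSPACE`, and it is skipped anyway if the preceding `&&` chain fails.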
@@ -52,17 +52,17 @@ jobs: runs-on: "ubuntu-latest" steps: # Download the built distributions - - uses: "actions/upload-artifact@v4" + - uses: "actions/download-artifact@v4" with: name: "dist" - path: "dist/" - + - name: Display structure of downloaded files + run: ls -R # Upload distributions to the GitHub Release - #env: - # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # run: | - # gh release upload ${{ github.ref_name }} \ - # dist/* --repo ${{ github.repository }} + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + gh release upload ${{ github.ref_name }} \ + dist/* --repo ${{ github.repository }} # Publish distributions to PyPI #- uses: "pypa/gh-action-pypi-publish@v4" From cf759a6575d352f5328511795dc52c786ff995c5 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:30:01 -0400 Subject: [PATCH 29/67] Update build.yaml --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 8de76a0a1..569f654fb 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -54,7 +54,7 @@ jobs: # Download the built distributions - uses: "actions/download-artifact@v4" with: - name: "dist" + path: "/dist" - name: Display structure of downloaded files run: ls -R # Upload distributions to the GitHub Release From db4cfafa64bf7d88ab38703058797ec7af6e91e9 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:35:32 -0400 Subject: [PATCH 30/67] Update build.yaml --- .github/workflows/build.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 569f654fb..ca60d283b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
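Review bot: `path: "/dist"` is an absolute path at the filesystem root rather than in the workspace, so even if the runner user can create `/dist`, the later `gh release upload ... dist/*` looks in `$GITHUB_WORKSPACE/dist` and finds nothing; use `path: dist/`. With download-artifact v4, omitting `name:` downloads every artifact into a per-artifact subdirectory under `path`, and the `build` upload step sets no `name:` either, so pass the same `name:` on both sides or `dist/*` will match a directory instead of the wheel and sdist. The added `ls -R` step is useful for debugging but prints the whole workspace into the log; scope it to `ls -R dist/` once the layout is settled.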
@@ -52,17 +52,17 @@ jobs: runs-on: "ubuntu-latest" steps: # Download the built distributions - - uses: "actions/download-artifact@v4" + - uses: "actions/upload-artifact@v4" with: path: "/dist" - name: Display structure of downloaded files run: ls -R # Upload distributions to the GitHub Release - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - run: | - gh release upload ${{ github.ref_name }} \ - dist/* --repo ${{ github.repository }} + #env: + # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # run: | + # gh release upload ${{ github.ref_name }} \ + # dist/* --repo ${{ github.repository }} # Publish distributions to PyPI #- uses: "pypa/gh-action-pypi-publish@v4" From 089077e005a91eaaf0ca5276898311897cc384d0 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:50:42 -0400 Subject: [PATCH 31/67] Update build.yaml --- .github/workflows/build.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ca60d283b..6a5545746 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -52,17 +52,17 @@ jobs: runs-on: "ubuntu-latest" steps: # Download the built distributions - - uses: "actions/upload-artifact@v4" + - uses: "actions/download-artifact@v4" with: - path: "/dist" + path: "dist/" - name: Display structure of downloaded files run: ls -R # Upload distributions to the GitHub Release - #env: - # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # run: | - # gh release upload ${{ github.ref_name }} \ - # dist/* --repo ${{ github.repository }} + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + gh release upload ${{ github.ref_name }} \ + dist/* --repo ${{ github.repository }} # Publish distributions to PyPI #- uses: "pypa/gh-action-pypi-publish@v4" From 6ac0c10cf8df3b1b99afb693d979be646933efc8 Mon Sep 17 00:00:00 2001 
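Review bot: The re-enabled `gh release upload ${{ github.ref_name }} dist/*` publishes whatever is in the downloaded artifact without checking it against the subjects the provenance was generated for, so the release assets and the attestation can silently diverge; add a step before the upload with `env: HASHES: ${{ needs.build.outputs.hashes }}` that runs `echo "$HASHES" | base64 -d | (cd dist && sha256sum -c --strict)` and let the job fail on mismatch. As in the earlier version, `${{ github.ref_name }}` should be passed via `env:` and quoted in the command rather than interpolated into the script.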
From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Wed, 13 Mar 2024 13:08:22 -0400 Subject: [PATCH 32/67] Update build.yaml --- .github/workflows/build.yaml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6a5545746..f8494624a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -33,6 +33,16 @@ jobs: - uses: actions/upload-artifact@v4 with: path: dist/ + - name: Create Release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ github.ref }} + release_name: Release ${{ github.ref_name }} + draft: false + prerelease: false + args: release --clean provenance: needs: [build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 @@ -57,12 +67,6 @@ jobs: path: "dist/" - name: Display structure of downloaded files run: ls -R - # Upload distributions to the GitHub Release - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - run: | - gh release upload ${{ github.ref_name }} \ - dist/* --repo ${{ github.repository }} # Publish distributions to PyPI #- uses: "pypa/gh-action-pypi-publish@v4" From 58cd76621cf413f1e35c362915862cecb5b44c33 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Thu, 14 Mar 2024 06:10:06 -0400 Subject: [PATCH 33/67] Create codeql.yml --- .github/workflows/codeql.yml | 83 ++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..837ca922a --- /dev/null +++ b/.github/workflows/codeql.yml 
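Review bot: The new `Create Release` step runs inside `build`, which declares no `permissions:`, so it depends on the default token scope for `contents: write`, and because of the `on:` triggers it fires on every branch push and PR with `tag_name: ${{ github.ref }}` producing releases named after `refs/heads/...` refs; gate it with `if: startsWith(github.ref, 'refs/tags/')` (or restrict the trigger to tags) and give that job an explicit `permissions: contents: write`. `args: release --clean` is not an input of `actions/create-release` (it looks like a GoReleaser leftover) and will be reported as an unexpected input, while `draft: false` here conflicts with `draft-release: true` on the `provenance` job, which also uploads assets to a release; one job should own the release. `actions/create-release@v1` is archived upstream, and `gh release create` with the `GITHUB_TOKEN`, already used elsewhere in this file, is the maintained path.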
@@ -0,0 +1,83 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "main", "test" ] + pull_request: + branches: [ "main", "test" ] + + +jobs: + analyze: + name: Analyze + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners + # Consider using larger runners for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + # required for all workflows + security-events: write + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: [ 'javascript-typescript', 'python' ] + # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] + # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" From 0b4111f19ec7244a8c5a0916aeb04e9dcdb8479d Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Thu, 14 Mar 2024 06:14:25 -0400 Subject: [PATCH 34/67] Update build.yaml --- .github/workflows/build.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f8494624a..f2944d1a0 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
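Review bot: The workflow only runs on `push` and `pull_request`, so code that does not change is never re-scanned when CodeQL ships new queries; the upstream template this is derived from also carries a `schedule:` trigger, for instance `schedule:` / `- cron: '30 5 * * 1'` under `on:` (any weekly slot will do). The comment above the shell-step block contains mis-encoded characters (`â„šī¸`), which suggests the file passed through a non-UTF-8 step on the way in; re-saving it as UTF-8 keeps the file clean. The job-level `permissions:` block is appropriately minimal for `security-events: write`.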
@@ -2,10 +2,8 @@ name: Build for slsa on: pull_request: push: - branches: - - '*' tags: - - '*' + - 'v*' jobs: build: From 325f07d50ee2b86a3b7212799598368f1b7b51b7 Mon Sep 17 00:00:00 2001 From: r19006733 Date: Sat, 16 Mar 2024 15:18:12 +0100 Subject: [PATCH 35/67] Add SBOM generator to build.YAML --- .github/workflows/build.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f2944d1a0..49583f197 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -41,6 +41,13 @@ jobs: draft: false prerelease: false args: release --clean + # SBOM generator + - name: Generate Python SBOM + uses: CycloneDX/gh-python-generate-sbom@v2 + with: + input: ./requirements.txt + output: ./bom.json + format: json # output format (xml/json) provenance: needs: [build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 From e6ffbb3d5303f8015f888243e24a6f801f1954ea Mon Sep 17 00:00:00 2001 From: r19006733 Date: Sat, 16 Mar 2024 15:37:07 +0100 Subject: [PATCH 36/67] correction et ajout d'un fichier YAML pour le SBOM uniquement --- .github/workflows/SBOM.yaml | 27 +++++++++++++++++++++++++++ .github/workflows/build.yaml | 7 ------- 2 files changed, 27 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/SBOM.yaml diff --git a/.github/workflows/SBOM.yaml b/.github/workflows/SBOM.yaml new file mode 100644 index 000000000..0df513b6d --- /dev/null +++ b/.github/workflows/SBOM.yaml 
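Review bot: `CycloneDX/gh-python-generate-sbom@v2` is referenced by a mutable major tag, as are the other third-party actions introduced in this series (`actions/create-release@v1` in PATCH 32, `softprops/action-gh-release@v2.0.4` in PATCH 63); for a workflow whose purpose is SLSA provenance, third-party actions should be pinned to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: CycloneDX/gh-python-generate-sbom@<commit-sha> # v2`. The `slsa-framework` reusable workflow is the exception, since as far as I recall its documentation asks for it to be referenced by release tag so the resulting provenance can be verified. Note also that the SBOM is derived from `./requirements.txt`, so unless that file is a fully pinned freeze the BOM lists only the declared dependencies rather than what was actually installed and built; generating it from the resolved environment (a `pip freeze` output) makes it a faithful inventory, and the same applies to the SBOM steps in PATCH 36, 38, 49 and 62. The remaining steps of `build` lie outside this hunk.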
@@ -0,0 +1,27 @@ +name: Generate SBOM + +on: + push: + + +jobs: + generate_sbom: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 #get depo code + # SBOM generator + - name: Generate Python SBOM + uses: CycloneDX/gh-python-generate-sbom@v2 + with: + input: ./requirements.txt + output: ./bom.json # path output + format: json # output format (xml/json) + + # SBOM generator + - name: Generate Python SBOM + uses: CycloneDX/gh-python-generate-sbom@v2 + with: + input: ./requirements.txt + output: ./bom.json + format: json # output format (xml/json) \ No newline at end of file diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 49583f197..f2944d1a0 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -41,13 +41,6 @@ jobs: draft: false prerelease: false args: release --clean - # SBOM generator - - name: Generate Python SBOM - uses: CycloneDX/gh-python-generate-sbom@v2 - with: - input: ./requirements.txt - output: ./bom.json - format: json # output format (xml/json) provenance: needs: [build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 From e67a54f58798035823d69b3794df0b1a5d602ddf Mon Sep 17 00:00:00 2001 From: r19006733 Date: Sat, 16 Mar 2024 15:40:16 +0100 Subject: [PATCH 37/67] mini correctif YAML SBOM --- .github/workflows/SBOM.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/SBOM.yaml b/.github/workflows/SBOM.yaml index 0df513b6d..0671a8380 100644 --- a/.github/workflows/SBOM.yaml +++ b/.github/workflows/SBOM.yaml 
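Review bot: The two `Generate Python SBOM` steps are identical — same input, same `./bom.json` output, same format — so the second simply overwrites the first; keep one step. The generated file is then never uploaded or attached to anything, so it is discarded when the runner exits (a later commit in this series adds the upload). `actions/checkout@v2` runs on a deprecated Node runtime and should be `uses: actions/checkout@v4`, and the workflow has no `permissions:` block, so it runs with the repository's default token scope although it only needs `permissions:` / `contents: read`.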
@@ -23,5 +23,10 @@ jobs: uses: CycloneDX/gh-python-generate-sbom@v2 with: input: ./requirements.txt - output: ./bom.json - format: json # output format (xml/json) \ No newline at end of file + output: ./generated_bom.json + format: json # output format (xml/json) + - name: Upload SBOM artifact + uses: actions/upload-artifact@v2 + with: + name: sbom + path: ./generated_bom.json \ No newline at end of file From e23236f15640c8feda94889baec0f1b910f5d3a1 Mon Sep 17 00:00:00 2001 From: r19006733 Date: Sat, 16 Mar 2024 15:57:41 +0100 Subject: [PATCH 38/67] test d'ajout de xml en artefact --- .github/workflows/SBOM.yaml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/SBOM.yaml b/.github/workflows/SBOM.yaml index 0671a8380..73c3dc01b 100644 --- a/.github/workflows/SBOM.yaml +++ b/.github/workflows/SBOM.yaml @@ -10,23 +10,26 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v2 #get depo code - # SBOM generator + + # SBOM generator JSON - name: Generate Python SBOM uses: CycloneDX/gh-python-generate-sbom@v2 with: - input: ./requirements.txt - output: ./bom.json # path output - format: json # output format (xml/json) - - # SBOM generator + input: ./requirements.txt + output: ./generated_bom.json + format: json # output format (json) + # SBOM generator XML - name: Generate Python SBOM uses: CycloneDX/gh-python-generate-sbom@v2 with: input: ./requirements.txt - output: ./generated_bom.json - format: json # output format (xml/json) + output: ./generated_bom.xml + format: json # output format (xml) + - name: Upload SBOM artifact uses: actions/upload-artifact@v2 with: name: sbom - path: ./generated_bom.json \ No newline at end of file + path: | + ./generated_bom.json + ./generated_bom.xml \ No newline at end of file From 54e98dc7fba1641e50f338fb175c9b18f42bf846 Mon Sep 17 00:00:00 2001 
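Review bot: `actions/upload-artifact@v2` is a deprecated major and inconsistent with the `actions/upload-artifact@v4` already used by build.yaml; use `uses: actions/upload-artifact@v4`. Because the workflow triggers on `on: push:` at this point, an SBOM artifact is produced for every push to every branch, with no link to a release or tag, so consumers cannot tell which build it describes; tying it to the release (as a later commit in this series does) or naming the artifact after `github.sha` would make it attributable. The step list this appends to starts outside the hunk.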
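Review bot: The second SBOM step writes `./generated_bom.xml` but still passes `format: json`, so the file named `.xml` contains JSON and any consumer selecting a parser by extension will reject it; the inline comment `# output format (xml)` describes the intent, not the value. Change the line to `format: xml`. The same mismatch is carried into the merged build workflow in PATCH 49 and PATCH 62 (`output: dist/generated_bom.xml` with `format: json`). Both steps also share the display name `Generate Python SBOM`, which makes the run log ambiguous — name them `Generate Python SBOM (JSON)` and `Generate Python SBOM (XML)`.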
From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:00:09 +0200 Subject: [PATCH 39/67] Update .github/workflows/SBOM.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/SBOM.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/SBOM.yaml b/.github/workflows/SBOM.yaml index 73c3dc01b..e43f884b4 100644 --- a/.github/workflows/SBOM.yaml +++ b/.github/workflows/SBOM.yaml @@ -1,8 +1,8 @@ name: Generate SBOM on: - push: - + release: + types: [published] jobs: generate_sbom: From deb4f6b20f8a28697e88bb6414aed5c640a011b0 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:00:27 +0200 Subject: [PATCH 40/67] Update .github/workflows/SBOM.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/SBOM.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/SBOM.yaml b/.github/workflows/SBOM.yaml index e43f884b4..3b4524548 100644 --- a/.github/workflows/SBOM.yaml +++ b/.github/workflows/SBOM.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 #get depo code + uses: actions/checkout@v2 # SBOM generator JSON - name: Generate Python SBOM From 2de928d730762b030bcf90a6603eda27b9a8e251 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:00:38 +0200 Subject: [PATCH 41/67] Update .github/workflows/SBOM.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/SBOM.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/SBOM.yaml b/.github/workflows/SBOM.yaml index 3b4524548..ad59c3999 100644 --- a/.github/workflows/SBOM.yaml +++ b/.github/workflows/SBOM.yaml 
@@ -11,7 +11,6 @@ jobs: - name: Checkout repository uses: actions/checkout@v2 - # SBOM generator JSON - name: Generate Python SBOM uses: CycloneDX/gh-python-generate-sbom@v2 with: From 6c70d2c5bd7b1334935f7e3a09556d2c9081a72c Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:00:52 +0200 Subject: [PATCH 42/67] Update .github/workflows/SBOM.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/SBOM.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/SBOM.yaml b/.github/workflows/SBOM.yaml index ad59c3999..261ee4d47 100644 --- a/.github/workflows/SBOM.yaml +++ b/.github/workflows/SBOM.yaml @@ -17,7 +17,6 @@ jobs: input: ./requirements.txt output: ./generated_bom.json format: json # output format (json) - # SBOM generator XML - name: Generate Python SBOM uses: CycloneDX/gh-python-generate-sbom@v2 with: From 92b69510cb23263bd6db3c46b8d829df6addd7a3 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:01:31 +0200 Subject: [PATCH 43/67] Update .github/workflows/SBOM.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/SBOM.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/SBOM.yaml b/.github/workflows/SBOM.yaml index 261ee4d47..0dcede8e2 100644 --- a/.github/workflows/SBOM.yaml +++ b/.github/workflows/SBOM.yaml @@ -30,4 +30,4 @@ jobs: name: sbom path: | ./generated_bom.json - ./generated_bom.xml \ No newline at end of file + ./generated_bom.xml From e9948ea8003539d67426bd53ba18b23d15b9d92a Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:02:00 +0200 Subject: [PATCH 44/67] Update .github/workflows/build.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/build.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f2944d1a0..ffaad88e4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,9 +1,7 @@ name: Build for slsa on: - pull_request: - push: - tags: - - 'v*' + release: + types: [published] jobs: build: From d7ab2555532df707d8d6c1fac0caba346666f831 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:03:06 +0200 Subject: [PATCH 45/67] Update .github/workflows/build.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/build.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ffaad88e4..a7563c5d3 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -13,7 +13,8 @@ jobs: - uses: actions/setup-python@v5 with: python-version: 3.x - - name: Generate checksum + - run: pip install build + - name: Generate checksum id: hash run: | # Install 'build' and create sdist & wheel From 990a0024502f11cb5cc33c462000a1b7fcfa207c Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:46:51 +0200 Subject: [PATCH 46/67] Rename SBOM.yaml to sbom.yaml --- .github/workflows/{SBOM.yaml => sbom.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{SBOM.yaml => sbom.yaml} (100%) diff --git a/.github/workflows/SBOM.yaml b/.github/workflows/sbom.yaml similarity index 100% rename from .github/workflows/SBOM.yaml rename to .github/workflows/sbom.yaml From 8c1d7e17ffe882186107c548cf7bb3ce61639356 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:04:56 +0200 Subject: [PATCH 47/67] Update build.yaml --- .github/workflows/build.yaml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a7563c5d3..03248f14f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -30,16 +30,7 @@ jobs: - uses: actions/upload-artifact@v4 with: path: dist/ - - name: Create Release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref }} - release_name: Release ${{ github.ref_name }} - draft: false - prerelease: false - args: release --clean + provenance: needs: [build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 From f2242d2c3dc6602cde364a3cea5e695432d43424 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:11:37 +0200 Subject: [PATCH 48/67] Update build.yaml --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 03248f14f..fa4afa287 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -14,7 +14,7 @@ jobs: with: python-version: 3.x - run: pip install build - - name: Generate checksum + - name: Generate checksum id: hash run: | # Install 'build' and create sdist & wheel From b6e513cdfef91b2f3857172491d52c02146045a7 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:35:27 +0200 Subject: [PATCH 49/67] merge sbom.yaml and build.yaml --- .github/workflows/build.yaml | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index fa4afa287..d0a119c0d 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -55,9 +55,36 @@ jobs: path: "dist/" - name: Display structure of downloaded files run: ls -R - - # Publish distributions to PyPI + # Publish distributions to PyPI #- uses: "pypa/gh-action-pypi-publish@v4" # with: # user: __token__ # password: ${{ secrets.PYPI_TOKEN }} + + generate_sbom: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Generate Python SBOM + uses: CycloneDX/gh-python-generate-sbom@v2 + with: + input: ./requirements.txt + output: ./generated_bom.json + format: json # output format (json) + - name: Generate Python SBOM + uses: CycloneDX/gh-python-generate-sbom@v2 + with: + input: ./requirements.txt + output: ./generated_bom.xml + format: json # output format (xml) + + - name: Upload SBOM artifact + uses: actions/upload-artifact@v2 + with: + name: sbom + path: | + ./generated_bom.json + ./generated_bom.xml + From 9d5f9ba50fce404b145a548c2923ccb6fff625dc Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:39:17 +0200 Subject: [PATCH 50/67] Delete .github/workflows/sbom.yaml --- .github/workflows/sbom.yaml | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 .github/workflows/sbom.yaml diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml deleted file mode 100644 index 0dcede8e2..000000000 --- a/.github/workflows/sbom.yaml +++ /dev/null 
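Review bot: The new `generate_sbom` job uploads the BOMs as a separate `sbom` artifact that no other job depends on, so the SBOM files are neither part of the `base64-subjects` the provenance job attests nor attached to the release by `publish`; as merged here the SBOM is unverifiable and effectively dropped at the end of the run. Either add `generate_sbom` to `publish`'s `needs:` and download the `sbom` artifact there, or produce the BOMs inside `build` before the hashes are computed so they become attested subjects (a later commit in this series does the latter). The job also still uses `actions/checkout@v2` and `actions/upload-artifact@v2` while `build` already uses `actions/upload-artifact@v4`. The `publish` job's steps begin before this hunk.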
@@ -1,33 +0,0 @@ -name: Generate SBOM - -on: - release: - types: [published] - -jobs: - generate_sbom: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - - name: Generate Python SBOM - uses: CycloneDX/gh-python-generate-sbom@v2 - with: - input: ./requirements.txt - output: ./generated_bom.json - format: json # output format (json) - - name: Generate Python SBOM - uses: CycloneDX/gh-python-generate-sbom@v2 - with: - input: ./requirements.txt - output: ./generated_bom.xml - format: json # output format (xml) - - - name: Upload SBOM artifact - uses: actions/upload-artifact@v2 - with: - name: sbom - path: | - ./generated_bom.json - ./generated_bom.xml From def4ec8a8853e81fb47447742572a2de93550de0 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:40:46 +0200 Subject: [PATCH 51/67] Update build.yaml --- .github/workflows/build.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d0a119c0d..d33965ff0 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -53,8 +53,6 @@ jobs: - uses: "actions/download-artifact@v4" with: path: "dist/" - - name: Display structure of downloaded files - run: ls -R # Publish distributions to PyPI #- uses: "pypa/gh-action-pypi-publish@v4" # with: From e15e82d58a4a5566f07d19a6e08bf0285d9dba09 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 18:02:21 +0200 Subject: [PATCH 52/67] Update .github/workflows/build.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/build.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d33965ff0..e771421d1 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -26,7 +26,6 @@ jobs: # Gather hashes of all files set -euo pipefail cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT - cd .. - uses: actions/upload-artifact@v4 with: path: dist/ From 0506658303e7963a4c62eaff4296001dc14d02d6 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Tue, 2 Apr 2024 18:10:09 +0200 Subject: [PATCH 53/67] Update build.yaml --- .github/workflows/build.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e771421d1..9d05a63ea 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -17,14 +17,11 @@ jobs: - name: Generate checksum id: hash run: | - # Install 'build' and create sdist & wheel - python -m pip install build - python -m ensurepip --upgrade + # create sdist & wheel python -m pip install -r requirements.txt python -m build # Gather hashes of all files - set -euo pipefail cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT - uses: actions/upload-artifact@v4 with: From b304a28669b0698d001c69d7dbdf23ed67ca8aab Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Sun, 7 Apr 2024 07:50:49 +0200 Subject: [PATCH 54/67] Update .github/workflows/build.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9d05a63ea..b72fa5fb7 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,4 +1,4 @@ -name: Build for slsa +name: Build for SLSA on: release: types: [published] From b2cb709fe44f588a4e49b4fda291b7bcbb4dc272 Mon Sep 17 00:00:00 2001 
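Review bot: Dropping `set -euo pipefail` from the hash step leaves the `sha256sum * | base64 -w0` pipeline with no `pipefail` (the default `run:` shell is `bash -e` only), and `set -e` never sees the status of a substitution embedded in `echo`'s argument anyway, so a failing `sha256sum` still yields a valid base64 string and the provenance job would attest an empty or partial subject list without any job failing. Do the substitution in a plain assignment — `HASHES=$(sha256sum * | base64 -w0)` then `echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"` — and keep `set -euo pipefail` ahead of it so a failing `sha256sum` aborts the step; a `test -n "$(ls -A dist)"` before hashing additionally prevents an empty build from being signed. Removing `python -m pip install build` here relies on the separate `- run: pip install build` step added in PATCH 45 staying in place. The step belongs to the `build` job whose header is outside this hunk.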
From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Sun, 7 Apr 2024 07:51:11 +0200 Subject: [PATCH 55/67] Update .github/workflows/build.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/build.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b72fa5fb7..90ae6942b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -13,16 +13,13 @@ jobs: - uses: actions/setup-python@v5 with: python-version: 3.x - - run: pip install build - - name: Generate checksum + - name: Build Wheel and Generate checksum id: hash run: | - # create sdist & wheel + pip install build python -m pip install -r requirements.txt python -m build - - # Gather hashes of all files - cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + cd dist && echo "hashes=$(sha256sum | base64 -w0)" >> $GITHUB_OUTPUT - uses: actions/upload-artifact@v4 with: path: dist/ From d8bece68300325099b0a83394ced7e00008cb7bb Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Sun, 7 Apr 2024 07:51:22 +0200 Subject: [PATCH 56/67] Update .github/workflows/build.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/build.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 90ae6942b..317faf67a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -33,7 +33,6 @@ jobs: contents: write with: base64-subjects: ${{ needs.build.outputs.hashes }} - upload-assets: true draft-release: true publish: From 1f7eae52defca9404259a156184f96447aff2fda Mon Sep 17 00:00:00 2001 
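Review bot: The rewritten hash line `cd dist && echo "hashes=$(sha256sum | base64 -w0)"` drops the `*` argument, so `sha256sum` reads the step's (empty) standard input and emits a single line — the digest of empty input with filename `-` — instead of one line per distribution file; the provenance generated from this output would attest nothing that is actually released, and the step still exits 0. Restore the glob: `cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"`. A later commit in this series (PATCH 62) reintroduces `sha256sum *`. The `build` job's header is outside this hunk.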
From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Sun, 7 Apr 2024 07:51:34 +0200 Subject: [PATCH 57/67] Update .github/workflows/build.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/build.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 317faf67a..1d0d8f389 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -33,7 +33,6 @@ jobs: contents: write with: base64-subjects: ${{ needs.build.outputs.hashes }} - draft-release: true publish: needs: ["build", "provenance"] From b08183d81c8d4bb93f7881286fb14a8cd3610f6e Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Sun, 7 Apr 2024 07:51:44 +0200 Subject: [PATCH 58/67] Update .github/workflows/build.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/build.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1d0d8f389..be4e6ef2d 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -40,7 +40,6 @@ jobs: contents: write runs-on: "ubuntu-latest" steps: - # Download the built distributions - uses: "actions/download-artifact@v4" with: path: "dist/" From 757fc55728a3d744156960b0c842e2ac149d20e4 Mon Sep 17 00:00:00 2001 From: Ataxii <56798404+Ataxii@users.noreply.github.com> Date: Sun, 7 Apr 2024 07:51:59 +0200 Subject: [PATCH 59/67] Update .github/workflows/build.yaml Co-authored-by: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> --- .github/workflows/build.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index be4e6ef2d..376f1ed31 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -44,6 +44,11 @@ jobs: with: path: "dist/" # Publish distributions to PyPI + - env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + gh release upload ${{ github.ref_name }} \ + dist/* --repo ${{ github.repository }} #- uses: "pypa/gh-action-pypi-publish@v4" # with: # user: __token__ From 152b5d11442fff20caa3c75fa51927f4c79e81e1 Mon Sep 17 00:00:00 2001 From: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> Date: Sun, 7 Apr 2024 15:32:22 +0200 Subject: [PATCH 60/67] Fix latest changes --- .github/workflows/build.yaml | 63 ++++++++++++++++++------------------ 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 376f1ed31..394422d7b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -2,7 +2,7 @@ name: Build for SLSA on: release: types: [published] - + jobs: build: runs-on: "ubuntu-latest" @@ -23,37 +23,6 @@ jobs: - uses: actions/upload-artifact@v4 with: path: dist/ - - provenance: - needs: [build] - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 - permissions: - actions: read - id-token: write - contents: write - with: - base64-subjects: ${{ needs.build.outputs.hashes }} - - publish: - needs: ["build", "provenance"] - permissions: - contents: write - runs-on: "ubuntu-latest" - steps: - - uses: "actions/download-artifact@v4" - with: - path: "dist/" - # Publish distributions to PyPI - - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - run: | - gh release upload ${{ github.ref_name }} \ - dist/* --repo ${{ github.repository }} - #- uses: "pypa/gh-action-pypi-publish@v4" - # with: - # user: __token__ - # password: ${{ secrets.PYPI_TOKEN }} - generate_sbom: runs-on: ubuntu-latest steps: 
@@ -80,4 +49,34 @@ jobs: path: | ./generated_bom.json ./generated_bom.xml + provenance: + needs: [build] + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + permissions: + actions: read + id-token: write + contents: write + with: + base64-subjects: ${{ needs.build.outputs.hashes }} + + publish: + needs: ["build", "provenance"] + permissions: + contents: write + runs-on: "ubuntu-latest" + steps: + - uses: "actions/download-artifact@v4" + with: + path: "dist/" + # Publish distributions to PyPI + - name: Release all artifacts + run: | + gh release upload ${{ github.ref_name }} \ + dist/* --repo ${{ github.repository }} + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + #- uses: "pypa/gh-action-pypi-publish@v4" + # with: + # user: __token__ + # password: ${{ secrets.PYPI_TOKEN }} From 5908b20fdd475a05afa42741c5c1806827cfa924 Mon Sep 17 00:00:00 2001 From: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> Date: Sun, 7 Apr 2024 15:55:57 +0200 Subject: [PATCH 61/67] Generate hashes separately --- .github/workflows/build.yaml | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 394422d7b..b57adb210 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -19,15 +19,16 @@ jobs: pip install build python -m pip install -r requirements.txt python -m build - cd dist && echo "hashes=$(sha256sum | base64 -w0)" >> $GITHUB_OUTPUT - uses: actions/upload-artifact@v4 + name: dist with: path: dist/ - generate_sbom: + + generate-sbom: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Generate Python SBOM uses: CycloneDX/gh-python-generate-sbom@v2 
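Review bot: `name: dist` is placed at step level on the `actions/upload-artifact@v4` step, where it only sets the step's display name; the artifact's name is the `with: name:` input, so the artifact is still published under the default name `artifact`, and as I understand v4's behaviour the `download-artifact@v4` steps in this file that omit `name:` will unpack it under `dist/artifact/`. Move it under `with:` — `with:` / `name: dist` / `path: dist/`. The same step-level `name: release` appears in PATCH 62 and PATCH 63. The hash line is removed from `build` here, but the step's `id: hash` and whatever job `outputs:` mapping references it are outside this hunk, so check that `build` no longer exports a now-empty `hashes` output.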
@@ -49,18 +50,32 @@ jobs: path: | ./generated_bom.json ./generated_bom.xml + + generate-hashes: + needs: [build, generate-sbom] + runs-on: ubuntu-latest + steps: + - name: Download artifact + uses: actions/download-artifact@v4 + with: + path: dist/ + - name: Generate hashes + id: hash + run: | + echo "hashes=$(find dist/ -type f -exec sha256sum {} \; | sed 's/ etc\// /g' | base64 -w0)" >> "$GITHUB_OUTPUT" + provenance: - needs: [build] + needs: [generate-hashes] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 permissions: actions: read id-token: write contents: write with: - base64-subjects: ${{ needs.build.outputs.hashes }} + base64-subjects: ${{ needs.generate-hashes.outputs.hashes }} publish: - needs: ["build", "provenance"] + needs: ["provenance"] permissions: contents: write runs-on: "ubuntu-latest" From 235bedadc1dbe92489d9ded5d0c1d19e0ee722bd Mon Sep 17 00:00:00 2001 From: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> Date: Sun, 7 Apr 2024 16:19:21 +0200 Subject: [PATCH 62/67] Merge and simplify --- .github/workflows/build.yaml | 66 +++++++++++++----------------------- 1 file changed, 24 insertions(+), 42 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b57adb210..a1465e0e9 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
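Review bot: The `generate-hashes` job is added in full here and declares no `outputs:`, so `${{ needs.generate-hashes.outputs.hashes }}` in `provenance` evaluates to an empty string regardless of what the `hash` step writes to `$GITHUB_OUTPUT`; the job needs `outputs:` / `hashes: ${{ steps.hash.outputs.hashes }}` directly under `generate-hashes:`. The `sed 's/ etc\// /g'` in the pipeline looks like a leftover — nothing in `find dist/ -type f -exec sha256sum {} \;` produces ` etc/` — so the subject names keep their `dist/<artifact>/` prefix and will not match the bare filenames attached to the release, which is what a verifier compares the downloaded file against; run `sha256sum *` from inside the artifact directory instead (`cd dist/<artifact-name>`), as PATCH 62 effectively does. Since the download step has no `name:`, both the build and `sbom` artifacts land under `dist/`, so this is also the point where the SBOM files become subjects — intended, presumably, but worth stating in a comment.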
@@ -14,66 +14,48 @@ jobs: with: python-version: 3.x - name: Build Wheel and Generate checksum - id: hash + id: build run: | pip install build python -m pip install -r requirements.txt python -m build - - uses: actions/upload-artifact@v4 - name: dist - with: - path: dist/ - - generate-sbom: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Generate Python SBOM + id: sbom-json uses: CycloneDX/gh-python-generate-sbom@v2 with: input: ./requirements.txt - output: ./generated_bom.json + output: dist/generated_bom.json format: json # output format (json) - name: Generate Python SBOM + id: sbom-xml uses: CycloneDX/gh-python-generate-sbom@v2 with: input: ./requirements.txt - output: ./generated_bom.xml + output: dist/generated_bom.xml format: json # output format (xml) - - - name: Upload SBOM artifact - uses: actions/upload-artifact@v2 - with: - name: sbom - path: | - ./generated_bom.json - ./generated_bom.xml - - generate-hashes: - needs: [build, generate-sbom] - runs-on: ubuntu-latest - steps: - - name: Download artifact - uses: actions/download-artifact@v4 - with: - path: dist/ - - name: Generate hashes + - name: Generate subject id: hash run: | - echo "hashes=$(find dist/ -type f -exec sha256sum {} \; | sed 's/ etc\// /g' | base64 -w0)" >> "$GITHUB_OUTPUT" + cd dist + HASHES=$(sha256sum * | base64 -w0) + echo "hashes=$HASHES" >> "$GITHUB_OUTPUT" + - uses: actions/upload-artifact@v4 + name: dist + with: + path: dist/ + provenance: - needs: [generate-hashes] - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + needs: [build] + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0 permissions: actions: read id-token: write contents: write with: - base64-subjects: ${{ needs.generate-hashes.outputs.hashes }} - + base64-subjects: ${{ needs.build.outputs.hashes }} + + publish: needs: ["provenance"] permissions: 
@@ -83,15 +65,15 @@ jobs: - uses: "actions/download-artifact@v4" with: path: "dist/" - # Publish distributions to PyPI - name: Release all artifacts run: | gh release upload ${{ github.ref_name }} \ dist/* --repo ${{ github.repository }} env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - #- uses: "pypa/gh-action-pypi-publish@v4" - # with: - # user: __token__ - # password: ${{ secrets.PYPI_TOKEN }} + # Publish distributions to PyPI + # - uses: "pypa/gh-action-pypi-publish@v4" + # with: + # user: __token__ + # password: ${{ secrets.PYPI_TOKEN }} From b0d1f1ef5921babac6955fd2994511a5a13f2c1e Mon Sep 17 00:00:00 2001 From: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> Date: Sun, 7 Apr 2024 16:34:34 +0200 Subject: [PATCH 63/67] Try softprops action-gh-release --- .github/workflows/build.yaml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a1465e0e9..a15774c26 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -40,7 +40,7 @@ jobs: HASHES=$(sha256sum * | base64 -w0) echo "hashes=$HASHES" >> "$GITHUB_OUTPUT" - uses: actions/upload-artifact@v4 - name: dist + name: release with: path: dist/ @@ -62,15 +62,20 @@ jobs: contents: write runs-on: "ubuntu-latest" steps: - - uses: "actions/download-artifact@v4" + - name: Release + uses: softprops/action-gh-release@v2.0.4 with: - path: "dist/" - - name: Release all artifacts - run: | - gh release upload ${{ github.ref_name }} \ - dist/* --repo ${{ github.repository }} - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + files: dist/* + # - uses: "actions/download-artifact@v4" + # with: + # path: "dist/" + # - name: Release all artifacts + # env: + # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # run: | + # gh release upload ${{ github.ref_name }} \ + # dist/* --repo ${{ github.repository }} + # Publish distributions to PyPI # - uses: "pypa/gh-action-pypi-publish@v4" # with: 
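Review bot: In the `Try softprops action-gh-release` hunk the `actions/download-artifact@v4` step is commented out together with the old `gh release upload` step, so the publish job now runs `softprops/action-gh-release` on a fresh runner with no `dist/` directory and `files: dist/*` matches nothing (no visible step of the job populates it). Keep a download step ahead of the release step, e.g. `- uses: actions/download-artifact@v4` / `with:` / `path: dist`. Separately, a third-party action that runs with `contents: write` and the job's `GITHUB_TOKEN` is referenced by the mutable tag `@v2.0.4`; pin it to the full commit SHA of that release (`softprops/action-gh-release@<commit-sha>  # v2.0.4`) so that a moved tag cannot change what publishes the release assets.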
From 049db6f39c4934a160871dd19793c56610d8cc71 Mon Sep 17 00:00:00 2001 From: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> Date: Sun, 7 Apr 2024 16:40:16 +0200 Subject: [PATCH 64/67] clean-up --- .github/workflows/build.yaml | 10 ----- .github/workflows/codeql.yml | 83 ------------------------------------ playground/UI/app.py | 1 - scripts/__init__.py | 1 - 4 files changed, 95 deletions(-) delete mode 100644 .github/workflows/codeql.yml delete mode 100644 scripts/__init__.py diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a15774c26..72c2fba36 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -66,16 +66,6 @@ jobs: uses: softprops/action-gh-release@v2.0.4 with: files: dist/* - # - uses: "actions/download-artifact@v4" - # with: - # path: "dist/" - # - name: Release all artifacts - # env: - # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # run: | - # gh release upload ${{ github.ref_name }} \ - # dist/* --repo ${{ github.repository }} - # Publish distributions to PyPI # - uses: "pypa/gh-action-pypi-publish@v4" # with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 837ca922a..000000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: [ "main", "test" ] - pull_request: - branches: [ "main", "test" ] - - -jobs: - analyze: - name: Analyze - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} - permissions: - # required for all workflows - security-events: write - - # only required for workflows in private repositories - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - language: [ 'javascript-typescript', 'python' ] - # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] - # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Initializes the CodeQL tools for scanning. 
- - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" diff --git a/playground/UI/app.py b/playground/UI/app.py index a5f6f857d..ba53832f0 100644 --- a/playground/UI/app.py +++ b/playground/UI/app.py @@ -450,7 +450,6 @@ async def main(message: cl.Message): f"{img_prefix}[{file_name}]({file_path})", file_name, ) - elements = file_display(files, session_cwd_path) await cl.Message( author="TaskWeaver", diff --git a/scripts/__init__.py b/scripts/__init__.py deleted file mode 100644 index 8b1378917..000000000 --- a/scripts/__init__.py +++ /dev/null 
@@ -1 +0,0 @@ - From 62d53b68bd55cefb1cf7a55de7364e463d4df1f1 Mon Sep 17 00:00:00 2001 From: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> Date: Sun, 7 Apr 2024 17:21:25 +0200 Subject: [PATCH 65/67] Pass filelist to softprops/action-gh-release --- .github/workflows/build.yaml | 11 ++++++++++- scripts/__init__.py | 0 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 scripts/__init__.py diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 72c2fba36..17fce0031 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -62,10 +62,19 @@ jobs: contents: write runs-on: "ubuntu-latest" steps: + - name: Download Artifacts + uses: actions/download-artifact@v4 + with: + path: dist + - name: Generate list of files to upload + id: files + run: | + FILES=$(find dist/ -type f) + echo "filelist=$FILES" >> "$GITHUB_OUTPUT" - name: Release uses: softprops/action-gh-release@v2.0.4 with: - files: dist/* + files: ${{ steps.files.outputs.filelist }} # Publish distributions to PyPI # - uses: "pypa/gh-action-pypi-publish@v4" # with: diff --git a/scripts/__init__.py b/scripts/__init__.py new file mode 100644 index 000000000..e69de29bb From becebd2c82b8209ab95b6f5e9c2f83899235b291 Mon Sep 17 00:00:00 2001 From: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> Date: Sun, 7 Apr 2024 17:37:38 +0200 Subject: [PATCH 66/67] Fix filelist --- .github/workflows/build.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 17fce0031..d07d8cf3b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
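Review bot: The new `Download Artifacts` step in the publish job calls `actions/download-artifact@v4` with no `name:`, which downloads every artifact of the run into `dist/<artifact-name>/`, so the `find dist/ -type f` list handed to the release step likely includes more than the build output (for instance whatever the provenance job uploads). The build job's upload step, earlier in the file and outside this hunk, sets `name: release` at step level rather than under `with:`, so that artifact is in fact named `artifact`. Name it on both sides: `with:` / `name: release` / `path: dist/` on the upload, and `name: release` under `with:` on this download.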
@@ -67,14 +67,15 @@ jobs: with: path: dist - name: Generate list of files to upload - id: files + id: filelist run: | - FILES=$(find dist/ -type f) - echo "filelist=$FILES" >> "$GITHUB_OUTPUT" + echo "list<> "$GITHUB_OUTPUT" + find dist/ -type f >> "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" - name: Release uses: softprops/action-gh-release@v2.0.4 with: - files: ${{ steps.files.outputs.filelist }} + files: ${{ steps.filelist.outputs.list }} # Publish distributions to PyPI # - uses: "pypa/gh-action-pypi-publish@v4" # with: From 11aa94fe27392292aa8d28ecf13981b341f556a6 Mon Sep 17 00:00:00 2001 From: Yassine Ilmi <9211413+yilmi@users.noreply.github.com> Date: Sun, 7 Apr 2024 17:41:43 +0200 Subject: [PATCH 67/67] Remove PyPI --- .github/workflows/build.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d07d8cf3b..710b3417a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -76,9 +76,5 @@ jobs: uses: softprops/action-gh-release@v2.0.4 with: files: ${{ steps.filelist.outputs.list }} - # Publish distributions to PyPI - # - uses: "pypa/gh-action-pypi-publish@v4" - # with: - # user: __token__ - # password: ${{ secrets.PYPI_TOKEN }} +
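Review bot: As rendered, the heredoc opener in the `Generate list of files to upload` step reads `echo "list<> "$GITHUB_OUTPUT"`, which is not a valid multi-line output header; the form GitHub expects is `echo "list<<EOF" >> "$GITHUB_OUTPUT"`, closed by the existing `echo "EOF"` line. If the `<<EOF` was only lost in this rendering, ignore this; otherwise the step writes a malformed output and `${{ steps.filelist.outputs.list }}` is empty. Consider a unique delimiter (`delimiter="$(openssl rand -hex 8)"`) instead of the fixed `EOF`, as GitHub's documentation suggests for multi-line outputs, so that a file name containing that token cannot end the block early.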