
Allow multiple attestations per distribution #17134

Merged
merged 3 commits into from
Nov 25, 2024

Conversation

facutuesca
Contributor

@facutuesca facutuesca commented Nov 20, 2024

Now that SLSA provenances are supported in PEP-740 attestations, this PR removes the limit of 1 attestation per file.

This is bumped to 2 attestations per file, one per predicate type supported in PEP-740. This should allow users to upload both SLSA provenance and PyPI publish attestations for each distribution file.

This is part of #17001.

cc @woodruffw @di
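The policy the description above states (at most two attestations per distribution file, one per PEP 740 predicate type) is a server-side acceptance check. Below is an added illustration of that check, not warehouse's own code: the two predicate-type URIs are the ones PEP 740 documents for PyPI Publish and SLSA Provenance attestations (they are not quoted in this PR), and the `check_attestation_set`/`rejects` functions, the `predicateType` key and the sample bundles are assumptions constructed for this example.

```python
"""Enforce "at most one attestation per supported predicate type" on an
upload's attestation set. Added example, not warehouse code."""
from collections import Counter

# Predicate types PEP 740 currently supports (assumed from PEP 740, not
# stated in the PR). One attestation per type is the ceiling, so the
# per-file limit is derived from the set rather than hard-coded.
PYPI_PUBLISH_V1 = "https://docs.pypi.org/attestations/publish/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
SUPPORTED_PREDICATE_TYPES = frozenset({PYPI_PUBLISH_V1, SLSA_PROVENANCE_V1})
MAX_ATTESTATIONS_PER_FILE = len(SUPPORTED_PREDICATE_TYPES)


class AttestationPolicyError(ValueError):
    """Raised when an upload's attestation set violates the policy."""


def check_attestation_set(attestations: list[dict]) -> dict[str, dict]:
    """Return the accepted attestations keyed by predicate type.

    Rejects, in order: more than MAX_ATTESTATIONS_PER_FILE attestations,
    any unsupported predicate type, and two attestations that claim the
    same predicate type (which would let an uploader pad a file with
    redundant or conflicting statements). "predicateType" mirrors the
    in-toto Statement field name; the signature/bundle verification
    that would precede this check is out of scope here.
    """
    if len(attestations) > MAX_ATTESTATIONS_PER_FILE:
        raise AttestationPolicyError(
            f"{len(attestations)} attestations supplied, "
            f"limit is {MAX_ATTESTATIONS_PER_FILE}"
        )

    counts = Counter(a.get("predicateType") for a in attestations)
    for predicate_type, n in counts.items():
        if predicate_type not in SUPPORTED_PREDICATE_TYPES:
            raise AttestationPolicyError(
                f"unsupported predicate type: {predicate_type!r}"
            )
        if n > 1:
            raise AttestationPolicyError(
                f"{n} attestations share predicate type {predicate_type}"
            )

    return {a["predicateType"]: a for a in attestations}


def rejects(attestations: list[dict]) -> bool:
    """True if the policy rejects the set (convenience for callers/tests)."""
    try:
        check_attestation_set(attestations)
    except AttestationPolicyError:
        return True
    return False


# Constructed sample attestations: only the predicate type matters here.
SAMPLE_PUBLISH = {"predicateType": PYPI_PUBLISH_V1, "predicate": None}
SAMPLE_SLSA = {"predicateType": SLSA_PROVENANCE_V1, "predicate": {"buildType": "example"}}
SAMPLE_UNKNOWN = {"predicateType": "https://example.invalid/custom/v1"}


if __name__ == "__main__":
    # A publish attestation plus a SLSA provenance is the case the PR enables.
    accepted = check_attestation_set([SAMPLE_PUBLISH, SAMPLE_SLSA])
    print("accepted predicate types:", sorted(accepted))
    # Two publish attestations for one file are still rejected.
    print("duplicate publish rejected:", rejects([SAMPLE_PUBLISH, SAMPLE_PUBLISH]))
```

Deriving the limit from the set of supported predicate types means a future predicate type raises the ceiling automatically, while the per-type uniqueness rule, not the numeric limit, is what actually blocks duplicate statements.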

@facutuesca facutuesca requested a review from a team as a code owner November 20, 2024 20:35
Member

@woodruffw woodruffw left a comment


LGTM, thanks @facutuesca!

@woodruffw woodruffw mentioned this pull request Nov 20, 2024
Member

@di di left a comment


As an aside, it would be nice if https://docs.pypi.org/attestations/#supported-attestations went into a bit more detail about this behavior. Can be in this PR or another.

Review comment on warehouse/attestations/services.py (outdated, resolved)
@facutuesca facutuesca force-pushed the ft/allow-multiple-attestations branch from fbfeca4 to 2563648 November 25, 2024 15:58
@facutuesca
Contributor Author

> As an aside, it would be nice if https://docs.pypi.org/attestations/#supported-attestations went into a bit more detail about this behavior. Can be in this PR or another.

Pushed a commit with the doc change

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca facutuesca force-pushed the ft/allow-multiple-attestations branch from 2563648 to b7baedf November 25, 2024 17:16
@di di merged commit 9543608 into pypi:main Nov 25, 2024
20 checks passed
@di di deleted the ft/allow-multiple-attestations branch November 25, 2024 17:57

3 participants