diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 19a2445..81d2255 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,49 +1,68 @@ -# Triggers a pypi publication when a release is created - name: Publish Python Package on: - release: - types: [created] + workflow_dispatch: + inputs: + tag: + description: 'Release Tag' + required: true jobs: build: runs-on: ubuntu-latest + outputs: + hashes: ${{ steps.hash.outputs.hashes }} steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-python@v5 - with: - python-version: '3.x' + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.tag }} + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.x' + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install setuptools wheel twine + - name: Build + run: | + python setup.py sdist bdist_wheel + - name: "Generate hashes" + id: hash + run: | + cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + - uses: actions/upload-artifact@v4 + with: + name: build + path: ./dist - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install setuptools wheel - - - name: Build - run: | - python setup.py sdist bdist_wheel - - - uses: actions/upload-artifact@v4 - with: - path: ./dist + provenance_python: + needs: [build] + permissions: + actions: read + contents: write + id-token: write # Needed to access the workflow's OIDC identity. 
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: "${{ needs.build.outputs.hashes }}" + upload-assets: true + upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow - pypi-publish: - needs: ['build'] - environment: - name: publish - url: 'https://pypi.org/project/labelboxbigquery/' + publish-python-package-to-release: runs-on: ubuntu-latest + needs: ['build'] permissions: - # IMPORTANT: this permission is mandatory for trusted publishing - id-token: write + contents: write steps: + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.tag }} - uses: actions/download-artifact@v4 - - - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1.8 with: - packages-dir: artifact/ - -# Note that the build and pypi-publish jobs are split so that the additional permissions are only granted to the pypi-publish job. + name: build + path: ./artifact + - name: Upload dist to release + run: | + gh release upload ${{ inputs.tag }} ./artifact/* + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/README.md b/README.md index 9fc2e02..4617408 100644 --- a/README.md +++ b/README.md 
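Review bot: In the new `Upload dist to release` step, `${{ inputs.tag }}` is substituted into the shell text of `run: gh release upload ${{ inputs.tag }} ./artifact/*` before bash executes it, so the free-text `tag` input from `workflow_dispatch` can carry shell metacharacters into a job that holds `contents: write`; pass it through the environment instead by adding `TAG: ${{ inputs.tag }}` under that step's `env:` and changing the command to `gh release upload "$TAG" ./artifact/*` (the `with: ref:` uses in the checkout steps are not shell-expanded and are fine as written). The `build` job declares no `permissions:`, so it inherits the repository default token scope while running `pip install` and `setup.py`; since it only needs the checkout, `permissions: contents: read` at that job's level would restore the least-privilege split that the removed trailing comment described. Separately, the `pypi-publish` job (trusted publishing via `pypa/gh-action-pypi-publish`) is deleted and nothing in this file replaces it, so the workflow now only attaches the wheel, sdist and provenance to a GitHub release — presumably intended, but the `# Triggers a pypi publication` header was dropped with it and the file has no comment stating where PyPI publication now happens, so one is worth adding at the top. The hunk covers the whole file, so no enclosing block is cut.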
@@ -41,3 +41,21 @@ The `client` class requires the following arguments: - `lb_api_key` = Labelbox API Key - `google_key` = Google Service Account Permissions dict, how to create one [here](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating) - `google_project_name` = Google Project ID / Name + + +## Provenance +[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev) + +To enhance the software supply chain security of Labelbox's users, as of 0.1.8, every release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document. +This document provides detailed information about the build process, including the repository and branch from which the package was generated. + +By using the [SLSA framework's official verifier](https://github.com/slsa-framework/slsa-verifier), you can verify the provenance document to ensure that the package is from a trusted source. Verifying the provenance helps confirm that the package has not been tampered with and was built in a secure environment. + +Example of usage for the 0.1.8 release wheel: + +``` +VERSION=0.1.8 #tag +gh release download ${VERSION} --repo Labelbox/labelbox-bigquery + +slsa-verifier verify-artifact --source-branch main --builder-id 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0' --source-uri "git+https://github.com/Labelbox/labelbox-bigquery" --provenance-path multiple.intoto.jsonl ./labelboxbigquery-${VERSION}-py3-none-any.whl +``` \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md index c06b405..c8d4f07 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,5 +2,4 @@ ## Reporting a Vulnerability -Please contact security@labelbox.com for any vulnerability that needs to be reported -with labelbox-python. We will get back to you as soon as we can. +Please contact security@labelbox.com for any vulnerability that needs to be reported. We will get back to you as soon as we can. diff --git a/setup.py b/setup.py index 7ee6ee2..085d43b 100644 --- a/setup.py +++ b/setup.py @@ -5,7 +5,7 @@ setuptools.setup( name="labelboxbigquery", - version="0.1.07", + version="0.1.8", author="Labelbox", author_email="raphael@labelbox.com", description="Labelbox Connector for BigQuery",