Merge pull request #9 from Labelbox/DEVOPS-3097

DEVOPS-3097 - adding slsa metadata

Author: abacchilb

.github/workflows/publish.yml

@@ -1,49 +1,68 @@
-# Triggers a pypi publication when a release is created
-
 name: Publish Python Package
 
 on:
-  release:
-    types: [created]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release Tag'
+        required: true
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.x'
+    - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.tag }}
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.x'
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install setuptools wheel twine
+    - name: Build
+      run: |
+        python setup.py sdist bdist_wheel
+    - name: "Generate hashes"
+      id: hash
+      run: |
+        cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
+    - uses: actions/upload-artifact@v4
+      with:
+        name: build
+        path: ./dist
 
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install setuptools wheel
-
-      - name: Build
-        run: |
-          python setup.py sdist bdist_wheel
-      
-      - uses: actions/upload-artifact@v4
-        with:
-            path: ./dist
+  provenance_python:
+    needs: [build]
+    permissions:
+      actions: read
+      contents: write
+      id-token: write # Needed to access the workflow's OIDC identity.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true
+      upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow
 
-  pypi-publish:   
-    needs: ['build']
-    environment: 
-      name: publish
-      url: 'https://pypi.org/project/labelboxbigquery/'
+  publish-python-package-to-release:
     runs-on: ubuntu-latest
+    needs: ['build']
     permissions:
-      # IMPORTANT: this permission is mandatory for trusted publishing
-      id-token: write
+      contents: write    
     steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.tag }}
       - uses: actions/download-artifact@v4
-
-      - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1.8
         with:
-          packages-dir: artifact/
-
-# Note that the build and pypi-publish jobs are split so that the additional permissions are only granted to the pypi-publish job.
+          name: build
+          path: ./artifact
+      - name: Upload dist to release
+        run: |
+          gh release upload ${{ inputs.tag }} ./artifact/*
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -41,3 +41,21 @@ The `client` class requires the following arguments:
 - `lb_api_key` = Labelbox API Key
 - `google_key` = Google Service Account Permissions dict, how to create one [here](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating)
 - `google_project_name` = Google Project ID / Name
+
+
+## Provenance
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)
+
+To enhance the software supply chain security of Labelbox's users, as of 0.1.8, every release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document.  
+This document provides detailed information about the build process, including the repository and branch from which the package was generated.
+
+By using the [SLSA framework's official verifier](https://github.com/slsa-framework/slsa-verifier), you can verify the provenance document to ensure that the package is from a trusted source. Verifying the provenance helps confirm that the package has not been tampered with and was built in a secure environment.
+
+Example of usage for the 0.1.8 release wheel:
+
+```
+VERSION=0.1.8 #tag
+gh release download ${VERSION} --repo Labelbox/labelbox-bigquery
+
+slsa-verifier verify-artifact --source-branch main --builder-id 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0' --source-uri "git+https://github.com/Labelbox/labelbox-bigquery" --provenance-path multiple.intoto.jsonl ./labelboxbigquery-${VERSION}-py3-none-any.whl
+```

SECURITY.md

@@ -2,5 +2,4 @@
 
 ## Reporting a Vulnerability
 
-Please contact security@labelbox.com for any vulnerability that needs to be reported
-with labelbox-python. We will get back to you as soon as we can.
+Please contact security@labelbox.com for any vulnerability that needs to be reported. We will get back to you as soon as we can.

setup.py

@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="labelboxbigquery",
-    version="0.1.07",
+    version="0.1.8",
     author="Labelbox",
     author_email="raphael@labelbox.com",
     description="Labelbox Connector for BigQuery",