Generate build provenance attestations

[shenxianpeng]

It looks like GitHub rolled out their own attestations in beta. I wonder if we could integrate with that. for more details below:

• https://github.com/actions/attest-build-provenance
• https://github.com/cpp-linter/cpp-linter-action/attestations
• https://github.com/orgs/community/discussions/122028
• https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
• https://github.blog/2024-04-30-where-does-your-software-really-come-from/

[2bndy5]

That last link was most helpful to me. I've never been too concerned about verifying "artifacts" that I download over the Internet.

Now that I have a better understanding of provenance attestation, my first thought was the static binaries we are distributing via clang-tools-pip use. This is where I'd start integrating proper attestation. Then we can use such attestation downstream in cpp-linter-action (or in clang-tools-pip itself)...

Pypi does not support any form of digital signing (that in aware of). Just last year, they dropped their support for PGP signatures.

[shenxianpeng]

To summarize your thoughts, we can at least start with this

• verify provenance attestation in clang-tools-pip clang-tools-pip#96
• Update py-publish.yml to generate build provenance attestations #29

maybe we do not need to verify attestation in cpp-linter-action because static binaries have verified in clang-tools-pip。

Digital signing seems to become a roadmap of Pypi pypi/warehouse#15871

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[2bndy5]

This is complete anyway, right?

[shenxianpeng]

I removed - [ ] cpp-linter/clang-tools-static-binaries#24 from the above list since it already provides sha256 files and is not easy to switch GitHub attestations for now.

We have generated GitHub attestations for our Python package publish, so it is completed.