Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add GitHub attestation discovery #1020

Draft
wants to merge 17 commits into
base: staging
Choose a base branch
from
Draft

feat: add GitHub attestation discovery #1020

wants to merge 17 commits into from

Conversation

benmss
Copy link
Member

@benmss benmss commented Mar 19, 2025
edited
Loading

This PR adds support for GitHub attestation discovery. To access GitHub attestations, the SHA256 hash of the repositories artefacts must be generated and submitted via the API. Artefacts may be found in local caches, or downloaded from remote repositories.

  • Support for Maven artefacts
  • Support for PyPI artefacts

Blocked by #982 (Due to changes to PyPI registry assets)
Closes #915

@benmss benmss self-assigned this Mar 19, 2025
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Mar 19, 2025
benmss added 15 commits March 19, 2025 10:59
@benmss
feat: check PyPI registry when deps.dev fails to find a source reposi…
8dd2e65 
…tory

Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: avoid circular dependency
07ea44d 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: add alternative find repo for latest purl version also
52d3c59 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: add integration test
cd724cf 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: update tests
c7492fb 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: pass build tool names to super class
e38975a 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: reuse PyPI JSON asset
9398295 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: update tests
ae950ef 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: add purl type to build tool in registry info
bc03bbb 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: add repository info for source code heuristic; minor fixes
0c1c9f0 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: fix test
f3a5419 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: minor fix
e73235c 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: add integration test for find-source command
7956693 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
feat: add GitHub attestation discovery
599d261 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss
chore: add support for PyPI PURLs
69099a8 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss benmss force-pushed the 915-discover-github-attestations branch from dc4736e to 69099a8 Compare March 19, 2025 10:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@behnazh-w behnazh-w Awaiting requested review from behnazh-w behnazh-w will be requested when the pull request is marked ready for review behnazh-w is a code owner

@tromai tromai Awaiting requested review from tromai tromai will be requested when the pull request is marked ready for review tromai is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@benmss benmss

Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@benmss