feat: add pypi attestation discovery #1067

Merged
merged 15 commits into from
May 12, 2025

@benmss benmss commented Apr 24, 2025

Summary

This PR adds discovery of PyPI attestations. URLs to these attestation files are sought via the deps.dev API.

Description of changes

  • DepsDevRepoFinder was updated to use the DepsDevService, ensuring consistent and easily configurable use of the API
  • Tests were added for DepsDevRepoFinder functions (they were not added previously), including for the functions that PyPI attestation discovery relies upon.
  • PyPI attestations do not have a predicate. The pypi-attestation is used to extract information from the attestation certificate. This information is coerced into a predicate for use elsewhere within Macaron.
  • Addition of an integration test case using the ultralytics Python library as its target.

Related issues

Closes #947
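
The coercion step mentioned in the description, sketched as an added example that is not Macaron's code or part of this PR. It assumes the input follows the PEP 740 provenance layout, reads the bundle's `publisher` field instead of parsing the certificate as the PR does, and uses hypothetical output key names; it does not verify signatures.

```python
import base64
import hashlib
import json
from typing import Optional

PUBLISH_V1 = "https://docs.pypi.org/attestations/publish/v1"


def coerce_predicate(provenance: dict, artifact_sha256: str) -> Optional[dict]:
    """Build a predicate for the artifact, or None if no statement covers it.

    Signatures and certificates are NOT verified here.
    """
    for bundle in provenance.get("attestation_bundles", []):
        publisher = bundle.get("publisher") or {}
        for attestation in bundle.get("attestations", []):
            try:
                raw = base64.b64decode(attestation["envelope"]["statement"], validate=True)
                statement = json.loads(raw)
            except (KeyError, TypeError, ValueError):
                continue  # malformed envelope: skip it rather than guess
            if not isinstance(statement, dict) or statement.get("predicateType") != PUBLISH_V1:
                continue
            digests = {(s.get("digest") or {}).get("sha256")
                       for s in statement.get("subject", []) if isinstance(s, dict)}
            if artifact_sha256 not in digests:
                continue  # statement describes a different file
            # The publish statement's own predicate is null, so synthesise one.
            # Key names below are hypothetical, not Macaron's.
            return {"predicateType": PUBLISH_V1,
                    "predicate": {"publisher_kind": publisher.get("kind"),
                                  "repository": publisher.get("repository"),
                                  "workflow": publisher.get("workflow")}}
    return None


def sample_provenance(artifact: bytes) -> dict:
    """Constructed sample input in the PEP 740 provenance layout."""
    statement = {"_type": "https://in-toto.io/Statement/v1",
                 "subject": [{"name": "demo-1.0-py3-none-any.whl",
                              "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
                 "predicateType": PUBLISH_V1, "predicate": None}
    encoded = base64.b64encode(json.dumps(statement).encode()).decode()
    publisher = {"kind": "GitHub", "repository": "example-org/demo", "workflow": "release.yml"}
    return {"version": 1, "attestation_bundles": [
        {"publisher": publisher,
         "attestations": [{"version": 1, "envelope": {"statement": encoded, "signature": "constructed"}}]}]}
```

Because nothing is cryptographically checked, the returned publisher fields are only as trustworthy as the source the provenance file was fetched from.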

@benmss benmss self-assigned this Apr 24, 2025
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 24, 2025
@benmss benmss force-pushed the 947-discover-pypi-attestation branch 2 times, most recently from 2df212b to 6d7cf95 Compare April 24, 2025 06:31
@benmss benmss marked this pull request as ready for review April 24, 2025 13:00
@benmss benmss requested review from behnazh-w and tromai as code owners April 24, 2025 13:00
@tromai tromai left a comment

I have finished my round of review. Thank you.

tromai previously approved these changes May 9, 2025
@tromai tromai left a comment

LGTM. Thanks for addressing the feedback.

behnazh-w previously approved these changes May 12, 2025
@benmss benmss force-pushed the 947-discover-pypi-attestation branch from aee8b44 to 2620a0a Compare May 12, 2025 07:24
benmss added 15 commits May 12, 2025 20:22
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@benmss benmss dismissed stale reviews from behnazh-w and tromai via 57f4346 May 12, 2025 10:24
@benmss benmss force-pushed the 947-discover-pypi-attestation branch from 2620a0a to 57f4346 Compare May 12, 2025 10:24
@benmss benmss merged commit 4b20c18 into main May 12, 2025
11 checks passed
Successfully merging this pull request may close these issues.

Obtain PyPI Publish Attestation