ci: switch from SLSA provenance to actions/attest with subject-path (#46)

keelerm84 · web-flow · commit 22ccdce936df · 2026-04-09T11:40:17.000-04:00
diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
@@ -1,19 +1,9 @@
 name: Build distribution files
 description: 'Build distribution files'
-outputs:
-  package-hashes:
-    description: "base64-encoded sha256 hashes of distribution files"
-    value: ${{ steps.package-hashes.outputs.package-hashes }}
 
 runs:
   using: composite
   steps:
     - name: Build distribution files
       shell: bash
       run: poetry build
-    - name: Hash build files for provenance
-      id: package-hashes
-      shell: bash
-      working-directory: ./dist
-      run: |
-        echo "package-hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
@@ -14,8 +14,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    outputs:
-      package-hashes: ${{ steps.build.outputs.package-hashes}}
+      attestations: write
     steps:
       - uses: actions/checkout@v4
 
@@ -33,21 +32,15 @@ jobs:
           ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
 
       - uses: ./.github/actions/build
-        id: build
 
       - name: Publish package distributions to PyPI
-        if: ${{ inputs.dry_run == false }}
+        if: ${{ format('{0}', inputs.dry_run) == 'false' }}
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
 
-  release-provenance:
-    needs: [ 'build-publish' ]
-    permissions:
-      actions: read
-      id-token: write
-      contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}"
-      upload-assets: ${{ !inputs.dry_run }}
+      - name: Attest build provenance
+        if: ${{ format('{0}', inputs.dry_run) == 'false' }}
+        uses: actions/attest@v4
+        with:
+          subject-path: 'dist/*'
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -9,12 +9,9 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write # Needed if using OIDC to get release secrets.
-      contents: write # Contents and pull-requests are for release-please to make releases.
+      contents: write # Needed for release-please to create releases.
       pull-requests: write
-    outputs:
-      release-created: ${{ steps.release.outputs.release_created }}
-      upload-tag-name: ${{ steps.release.outputs.tag_name }}
-      package-hashes: ${{ steps.build.outputs.package-hashes}}
+      attestations: write
     steps:
       - uses: googleapis/release-please-action@v4
         id: release
@@ -41,7 +38,6 @@ jobs:
           ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
 
       - uses: ./.github/actions/build
-        id: build
         if: ${{ steps.release.outputs.releases_created == 'true' }}
 
       - uses: ./.github/actions/build-docs
@@ -53,15 +49,8 @@ jobs:
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
 
-  release-provenance:
-    needs: [ 'release-package' ]
-    if: ${{ needs.release-package.outputs.release-created == 'true' }}
-    permissions:
-      actions: read
-      id-token: write
-      contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.release-package.outputs.package-hashes }}"
-      upload-assets: true
-      upload-tag-name: ${{ needs.release-package.outputs.upload-tag-name }}
+      - name: Attest build provenance
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        uses: actions/attest@v4
+        with:
+          subject-path: 'dist/*'
diff --git a/PROVENANCE.md b/PROVENANCE.md
@@ -1,10 +1,10 @@
-## Verifying SDK build provenance with the SLSA framework
+## Verifying SDK build provenance with GitHub artifact attestations
 
-LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
+LaunchDarkly uses [GitHub artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
 
-As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `multiple.intoto.jsonl`.
+LaunchDarkly publishes provenance about our SDK package builds using [GitHub's `actions/attest` action](https://github.com/actions/attest). These attestations are stored in GitHub's attestation API and can be verified using the [GitHub CLI](https://cli.github.com/).
 
-To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying a package is included below:
+To verify build provenance attestations, we recommend using the [GitHub CLI `attestation verify` command](https://cli.github.com/manual/gh_attestation_verify). Example usage for verifying SDK packages is included below:
 
 <!-- x-release-please-start-version -->
 ```
@@ -13,32 +13,37 @@ VERSION=1.2.0
 ```
 <!-- x-release-please-end -->
 
-
 ```
-# Download package from PyPi
+# Download package from PyPI
 $ pip download --only-binary=:all: launchdarkly-server-sdk-otel==${VERSION}
 
-# Download provenance from Github release into same directory
-$ curl --location -O \
-  https://github.com/launchdarkly/python-server-sdk-otel/releases/download/${VERSION}/multiple.intoto.jsonl
-
-# Run slsa-verifier to verify provenance against package artifacts 
-$ slsa-verifier verify-artifact \
---provenance-path multiple.intoto.jsonl \
---source-uri github.com/launchdarkly/python-server-sdk-otel \
-launchdarkly_server_sdk_otel-${VERSION}-py3-none-any.whl
+# Verify provenance using the GitHub CLI
+$ gh attestation verify launchdarkly_server_sdk_otel-${VERSION}-py3-none-any.whl --owner launchdarkly
 ```
 
 Below is a sample of expected output.
 
 ```
-Verified signature against tlog entry index 89939519 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77abb8d2f681b007c76a4fe9f89cd9574918683ac8bc87cd6834c5baa479ae5cb98
-Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.10.0" at commit 984fc268df29918b03f51f2507146f66d8668d03
-Verifying artifact launchdarkly_server_sdk_otel-1.0.0-py3-none-any.whl: PASSED
+Loaded digest sha256:... for file://launchdarkly_server_sdk_otel-1.2.0-py3-none-any.whl
+Loaded 1 attestation from GitHub API
+
+The following policy criteria will be enforced:
+- Predicate type must match:................ https://slsa.dev/provenance/v1
+- Source Repository Owner URI must match:... https://github.com/launchdarkly
+- Subject Alternative Name must match regex: (?i)^https://github.com/launchdarkly/
+- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
+
+✓ Verification succeeded!
+
+The following 1 attestation matched the policy criteria
 
-PASSED: Verified SLSA provenance
+- Attestation #1
+  - Build repo:..... launchdarkly/python-server-sdk-otel
+  - Build workflow:. .github/workflows/release-please.yml
+  - Signer repo:.... launchdarkly/python-server-sdk-otel
+  - Signer workflow: .github/workflows/release-please.yml
 ```
 
-Alternatively, to verify the provenance manually, the SLSA framework specifies [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation.
+For more information, see [GitHub's documentation on verifying artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli).
 
-**Note:** These instructions do not apply when building our libraries from source. 
+**Note:** These instructions do not apply when building our libraries from source.  
diff --git a/release-please-config.json b/release-please-config.json
@@ -4,7 +4,10 @@
       "release-type": "python",
       "versioning": "default",
       "include-v-in-tag": false,
-      "extra-files": ["ldotel/__init__.py", "PROVENANCE.md"],
+      "extra-files": [
+        "ldotel/__init__.py",
+        "PROVENANCE.md"
+      ],
       "include-component-in-tag": false
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,10 @@`
`4`	`4`	`"release-type": "python",`
`5`	`5`	`"versioning": "default",`
`6`	`6`	`"include-v-in-tag": false,`
`7`		`- "extra-files": ["ldotel/__init__.py", "PROVENANCE.md"],`
	`7`	`+ "extra-files": [`
	`8`	`+ "ldotel/__init__.py",`
	`9`	`+ "PROVENANCE.md"`
	`10`	`+ ],`
`8`	`11`	`"include-component-in-tag": false`
`9`	`12`	`}`
`10`	`13`	`}`