## Summary
Standardize the release workflow and add SLSA Level 2+3 provenance for the 26.1.1 release, aligning with autobahn-python as the reference implementation.
## Current State

| Feature | Status | Notes |
|---|---|---|
| Trusted Publishing | ✅ | Configured on PyPI |
| PEP 740 Attestations | ❌ | Not enabled |
| Job naming | | Uses `release-production` (should be `release-stable`) |
| Jinja2 templates | ❌ | No `.github/templates/` |
| release-post-comment.yml | ✅ | Exists |
| SLSA L3 provenance | ❌ | Missing |
## Scope for 26.1.1

### 1. Enable PEP 740 Attestations

```yaml
- name: Publish to PyPI
  uses: pypa/gh-action-pypi-publish@release/v1
  with:
    packages-dir: dist/
    attestations: true  # ADD THIS
```

### 2. Rename release-production → release-stable

Align the job naming with the reference implementation.
### 3. Add release-nightly Job

Separate nightly builds from development builds.

### 4. Create Jinja2 Templates

Copy from autobahn-python and adapt:

```
.github/templates/
├── release-stable.md.j2
├── release-nightly.md.j2
├── release-development.md.j2
├── discussion-post.md.j2
└── pr-comment.md.j2
```
### 5. Add PyPI Provenance Fetch

After the PyPI publish, fetch the `.provenance.json` files and include them in the GitHub Release.
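An added example, not code from this issue or from autobahn-python's workflow, of what a consumer does with the `.provenance.json` that step 5 attaches to the release. A PEP 740 provenance file is a list of attestation bundles, each carrying the Trusted Publisher identity and one or more in-toto statements whose subjects name the distribution file and its SHA-256 digest. The code builds a constructed provenance object in that layout (dummy certificate and signature), then runs the two policy checks that signature verification alone does not give you: the publisher must be the expected GitHub repository and workflow, and the statement's subject digest must match the bytes actually downloaded. `EXPECTED_REPOSITORY`, `EXPECTED_WORKFLOW`, the sample filename and contents, and the function names are assumptions for this example.

```python
import base64
import hashlib
import json

# Constructed placeholders: the repository and workflow that the Trusted
# Publisher on PyPI is configured for. A consumer must pin these, otherwise a
# validly signed attestation from any other GitHub repository would pass.
EXPECTED_REPOSITORY = "example-org/example-project"
EXPECTED_WORKFLOW = "release.yml"
SAMPLE_FILENAME = "example_project-26.1.1-py3-none-any.whl"
SAMPLE_CONTENT = b"constructed wheel bytes, not a real distribution"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(filename: str, content: bytes, repository: str, workflow: str) -> dict:
    """Constructed stand-in for a PEP 740 `.provenance.json`: one attestation
    bundle with a GitHub publisher and one in-toto statement naming the file.
    Certificate and signature are dummies; only the layout is realistic."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": filename, "digest": {"sha256": sha256_hex(content)}}],
        "predicateType": "https://docs.pypi.org/attestations/publish/v1",
        "predicate": None,
    }
    return {
        "version": 1,
        "attestation_bundles": [{
            "publisher": {"kind": "GitHub", "repository": repository,
                          "workflow": workflow, "environment": "pypi"},
            "attestations": [{
                "version": 1,
                "verification_material": {"certificate": "<constructed>", "transparency_entries": []},
                "envelope": {
                    "statement": base64.b64encode(json.dumps(statement).encode()).decode(),
                    "signature": base64.b64encode(b"constructed, not a real signature").decode(),
                },
            }],
        }],
    }


def check_provenance(provenance: dict, filename: str, content: bytes,
                     repository: str = EXPECTED_REPOSITORY, workflow: str = EXPECTED_WORKFLOW) -> list:
    """Policy checks a consumer runs on top of signature verification: every
    bundle must come from the expected GitHub repository and workflow, and every
    statement must name this file with the digest of the bytes on disk.
    Returns a list of findings; empty means all checks passed. Signatures,
    certificates and transparency-log entries are NOT verified here (use
    `pypi-attestations verify` / sigstore for that)."""
    findings = []
    if provenance.get("version") != 1:
        return [f"unsupported provenance version {provenance.get('version')!r}"]
    bundles = provenance.get("attestation_bundles") or []
    if not bundles:
        return ["no attestation bundles"]
    digest = sha256_hex(content)
    for i, bundle in enumerate(bundles):
        pub = bundle.get("publisher") or {}
        if pub.get("kind") != "GitHub":
            findings.append(f"bundle {i}: publisher kind {pub.get('kind')!r} is not GitHub")
            continue
        if pub.get("repository") != repository:
            findings.append(f"bundle {i}: publisher repository {pub.get('repository')!r} is not {repository!r}")
        if pub.get("workflow") != workflow:
            findings.append(f"bundle {i}: publisher workflow {pub.get('workflow')!r} is not {workflow!r}")
        for j, att in enumerate(bundle.get("attestations") or []):
            statement = json.loads(base64.b64decode(att["envelope"]["statement"]))
            subjects = {s["name"]: s["digest"]["sha256"].lower() for s in statement.get("subject", [])}
            if subjects.get(filename) != digest:
                findings.append(f"bundle {i}, attestation {j}: subject digest for {filename} "
                                "does not match the downloaded file")
    return findings


if __name__ == "__main__":
    good = make_provenance(SAMPLE_FILENAME, SAMPLE_CONTENT, EXPECTED_REPOSITORY, EXPECTED_WORKFLOW)
    forged = make_provenance(SAMPLE_FILENAME, SAMPLE_CONTENT, "someone-else/fork", EXPECTED_WORKFLOW)
    print("genuine publisher:", check_provenance(good, SAMPLE_FILENAME, SAMPLE_CONTENT) or "OK")
    print("other repository:", check_provenance(forged, SAMPLE_FILENAME, SAMPLE_CONTENT))
    print("tampered file:", check_provenance(good, SAMPLE_FILENAME, b"tampered"))
```

In a real check the `provenance` argument is the parsed `.provenance.json` fetched from PyPI for the exact filename being verified, and the identity check runs after `pypi-attestations` (or sigstore) has confirmed the signatures; the point of pinning repository and workflow is that a signature from a fork's workflow is just as cryptographically valid as the project's own.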
### 6. Add SLSA L3 Provenance Jobs

```yaml
publish-slsa3-provenance:
  name: Prepare SLSA L3 Subjects
  needs: [identifiers, release-stable]
  if: needs.identifiers.outputs.release_type == 'stable'
  # ... (convert CHECKSUMS to SLSA subjects)

generate-provenance:
  name: Generate SLSA L3 Provenance
  needs: [identifiers, publish-slsa3-provenance]
  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
  with:
    base64-subjects: ${{ needs.publish-slsa3-provenance.outputs.subjects-base64 }}
    upload-assets: true
    provenance-name: "multiple.intoto.jsonl"
```

### 7. Update Release Notes with Verification Instructions

Include both L2 (sigstore) and L3 (slsa-verifier) verification instructions.
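An added example, not code from this issue or from autobahn-python, covering the elided "convert CHECKSUMS to SLSA subjects" step of job 6 and the L3 side of step 7. The producer half validates a `sha256sum`-format `CHECKSUMS` file and encodes it the way `generator_generic_slsa3.yml` expects its `base64-subjects` input (base64 of the checksum lines, no line wrapping). The consumer half decodes the DSSE envelopes in the generated `multiple.intoto.jsonl` and cross-checks their subjects against the files a user actually downloaded, which is the comparison `slsa-verifier verify-artifact` makes after it has verified the signature (signature verification is deliberately left to that tool). The project name, file contents, and all function names (`make_checksums`, `parse_checksums`, `checksums_to_base64_subjects`, `subjects_from_intoto_jsonl`, `compare_subjects`, `make_intoto_jsonl`) are assumptions for this example.

```python
import base64
import hashlib
import json
import re

SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def make_checksums(artifacts: dict) -> str:
    """sha256sum-format text for {filename: bytes}, as the build job writes to CHECKSUMS."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in artifacts.items())


def parse_checksums(text: str) -> dict:
    """Parse sha256sum-format text into {filename: sha256hex}. Rejects anything that
    is not a 64-hex digest plus a bare filename, and duplicates, so a corrupted
    CHECKSUMS cannot silently turn into bad provenance subjects."""
    subjects = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"CHECKSUMS line {lineno}: expected '<sha256>  <filename>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()  # '*' is sha256sum's binary-mode marker
        if not SHA256_HEX.fullmatch(digest):
            raise ValueError(f"CHECKSUMS line {lineno}: {digest!r} is not a SHA-256 hex digest")
        if not name or "/" in name or "\\" in name:
            raise ValueError(f"CHECKSUMS line {lineno}: subject name must be a bare filename")
        if name in subjects:
            raise ValueError(f"CHECKSUMS line {lineno}: duplicate subject {name!r}")
        subjects[name] = digest
    return subjects


def checksums_to_base64_subjects(text: str) -> str:
    """The `base64-subjects` input of generator_generic_slsa3.yml: the validated
    sha256sum lines, base64-encoded on one line (shell equivalent: `base64 -w0 CHECKSUMS`)."""
    canonical = "".join(f"{digest}  {name}\n" for name, digest in parse_checksums(text).items())
    return base64.b64encode(canonical.encode()).decode()


def subjects_from_intoto_jsonl(jsonl: str) -> dict:
    """Union of the subjects {name: sha256} in every DSSE envelope of multiple.intoto.jsonl.
    Signatures are NOT checked here; that is what `slsa-verifier verify-artifact` does."""
    subjects = {}
    for raw in jsonl.splitlines():
        if not raw.strip():
            continue
        envelope = json.loads(raw)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if not str(statement.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
            raise ValueError("envelope does not carry a SLSA provenance statement")
        for subject in statement.get("subject", []):
            subjects[subject["name"]] = subject["digest"]["sha256"].lower()
    return subjects


def compare_subjects(local: dict, attested: dict) -> list:
    """Findings for every local artifact the provenance omits or attests with another digest."""
    findings = []
    for name, digest in local.items():
        if name not in attested:
            findings.append(f"{name}: not listed in provenance")
        elif attested[name] != digest:
            findings.append(f"{name}: digest mismatch")
    return findings


def make_intoto_jsonl(subjects: dict) -> str:
    """Constructed stand-in for the generator's output: one DSSE envelope with a
    dummy signature, so the consumer half can be exercised offline."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": n, "digest": {"sha256": d}} for n, d in subjects.items()],
        "predicate": {},
    }
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "constructed-not-a-real-signature"}],
    }
    return json.dumps(envelope) + "\n"


# Constructed sample release: placeholder project name and fake file contents.
SAMPLE_ARTIFACTS = {
    "example_project-26.1.1.tar.gz": b"constructed sdist bytes",
    "example_project-26.1.1-py3-none-any.whl": b"constructed wheel bytes",
}
SAMPLE_CHECKSUMS = make_checksums(SAMPLE_ARTIFACTS)
SAMPLE_INTOTO_JSONL = make_intoto_jsonl(parse_checksums(SAMPLE_CHECKSUMS))

if __name__ == "__main__":
    print("base64-subjects:", checksums_to_base64_subjects(SAMPLE_CHECKSUMS))
    attested = subjects_from_intoto_jsonl(SAMPLE_INTOTO_JSONL)
    print("clean download:", compare_subjects(parse_checksums(SAMPLE_CHECKSUMS), attested) or "OK")
    tampered = {**SAMPLE_ARTIFACTS, "example_project-26.1.1-py3-none-any.whl": b"modified after signing"}
    print("tampered wheel:", compare_subjects(parse_checksums(make_checksums(tampered)), attested))
```

In the workflow, `checksums_to_base64_subjects` is what the `publish-slsa3-provenance` job would expose as its `subjects-base64` output; the strict parsing matters there because a malformed or duplicated line would otherwise be signed into provenance that no longer describes the release.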
## Acceptance Criteria

- `attestations: true` enabled in PyPI publish
- `release-production` renamed to `release-stable`
- `release-nightly` job added
- `.github/templates/` created with all 5 templates
- PyPI provenance fetch implemented
- SLSA L3 jobs added (`publish-slsa3-provenance`, `generate-provenance`)
- `multiple.intoto.jsonl` uploaded to stable releases
- Release notes include L2 and L3 verification instructions
## References
- autobahn-python release.yml (reference implementation)
- slsa-github-generator
## Checklist
- I have searched existing issues to avoid duplicates
- I have described the problem clearly
- I have provided use cases
- I have considered alternatives
- I have assessed impact and breaking changes