kyungjunleeme opened a new issue, #50005: URL: https://github.com/apache/airflow/issues/50005
### Description

### Summary

I would like to work on integrating [PEP 740](https://peps.python.org/pep-0740/) compliance into Apache Airflow by generating provenance attestations (`.intoto.jsonl`) during PyPI release workflows. This aligns with PyPI's recent support for [digital attestations](https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/).

### Motivation

Software supply chain security has become increasingly important, especially for widely-used OSS projects like Airflow. Adding support for provenance attestations will:

- Improve trust and transparency in Airflow releases
- Help consumers verify that published packages were built from the source in GitHub
- Align with best practices established in other major OSS projects (e.g., [uv](https://github.com/astral-sh/uv/attestations))

### Proposed Work

I am proposing to:

1. Update the GitHub Actions workflow used for the PyPI release to include:
   - an [`actions/attest-build-provenance`](https://github.com/actions/attest-build-provenance) step
   - `subject-path` pointing to the built distribution files (e.g., `.whl`, `.tar.gz`)
2. Ensure support for [Trusted Publishing](https://docs.pypi.org/trusted-publishers/) if not already configured
3. Confirm successful generation and verification of `.intoto.jsonl` files

### References

- [PEP 740: Secure Publishing of Python Packages](https://peps.python.org/pep-0740/)
- [GitHub: actions/attest-build-provenance](https://github.com/actions/attest-build-provenance)
- [Example Attestations - uv](https://github.com/astral-sh/uv/attestations)

### Request for Assignment

I'd like to take ownership of this enhancement and would be happy to submit a PR if approved. Please assign this issue to me if the proposal is accepted. Thanks!

### Use case/motivation

_No response_

### Related issues

_No response_

### Are you willing to submit a PR?

- [x] Yes I am willing to submit a PR!
### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)

This is an automated message from the Apache Git Service.
