Description
Hi,
Thank you for maintaining this action!
We currently use version 1 of the action, which (as I understand it) creates one attestation per artefact, writing each to a new line of a JSONL document. #164 changed this to creating a single attestation with multiple 'subjects'.
We're using the action for integration with GitHub, and then converting the Sigstore attestations to the format expected by the Python Package Index (PEP 740). When upgrading the action to version 2, I get a failure with pypi-attestations, which requires that there must be exactly one subject in the statement.
My questions are therefore:
- Is it possible to replicate the v1 behaviour of one-attestation-per-artefact with v2 of the action?
- Ought this be fixed in pypi-attestations instead? (I will open a similar issue there and cross-link it)
- (low priority; usability) Is it possible to include the filename of the attested artefacts somehow in the action outputs? I currently extract this via JSON decoding a base64-encoded blob inside the Sigstore JSON, which isn't the most ergonomic.
For my use-case, I can just use two invocations of the action, as our build process only produces two artefacts, but this does not scale well should we create more outputs in the future.
Thanks,
Adam
References:
- https://github.com/sphinx-doc/sphinx/blob/master/.github/workflows/create-release.yml
- support multi-subject attestations #164
- https://github.com/sphinx-doc/sphinx/blob/master/utils/convert_attestations.py
- https://peps.python.org/pep-0740/
- https://github.com/trailofbits/pypi-attestations
- https://github.com/trailofbits/pypi-attestations/blob/v0.0.21/src/pypi_attestations/_impl.py#L274-L275
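The subject extraction and the one-subject rule the issue describes, as an added example that is not part of the issue, the action, or pypi-attestations. It assumes the Sigstore v0.3 bundle layout (the in-toto statement is the base64-encoded `dsseEnvelope.payload`); the bundle, artefact bytes and filenames below are constructed.

```python
"""Added example, not the action's or pypi-attestations' own code: decode the
in-toto statement inside a Sigstore bundle, list its subjects, and apply the
one-subject rule. The bundle below is constructed, not a real attestation."""
import base64
import hashlib
import json
# Constructed stand-ins for two build artefacts and a v2-style statement covering both.
WHEEL, SDIST = b"constructed wheel bytes", b"constructed sdist bytes"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": "pkg-1.0-py3-none-any.whl", "digest": {"sha256": hashlib.sha256(WHEEL).hexdigest()}},
        {"name": "pkg-1.0.tar.gz", "digest": {"sha256": hashlib.sha256(SDIST).hexdigest()}},
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
SAMPLE_BUNDLE = {  # assumed v0.3 layout; signature material is a placeholder, never verified here
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {"placeholder": True},
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
        "signatures": [{"sig": "placeholder"}],
    },
}

def statement_of(bundle):
    """Decode the DSSE payload. The signature covers these exact bytes, so a statement cannot be split per subject without re-signing."""
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))

def subject_names(bundle):
    """Attested filenames, without decoding the blob by hand."""
    return [s["name"] for s in statement_of(bundle)["subject"]]

def single_subject(bundle):
    """PEP 740 attestations cover exactly one distribution; reject anything else."""
    subjects = statement_of(bundle)["subject"]
    if len(subjects) != 1:
        raise ValueError(f"expected exactly one subject, got {len(subjects)}")
    return subjects[0]

def subject_for_file(bundle, data):
    """Name of the subject whose sha256 matches the artefact bytes, else None."""
    digest = hashlib.sha256(data).hexdigest()
    return next((s["name"] for s in statement_of(bundle)["subject"] if s["digest"].get("sha256") == digest), None)
```

Because the DSSE signature is over the whole statement, a v2 multi-subject bundle has to be rejected or re-issued per artefact rather than rewritten client-side.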