It looks like there there are a few GitHub Actions for pushing container image artifacts to GCP Artifact Registry: https://github.com/marketplace?query=artifact+registry&type=...
FWIW, though it may not be necessary for a plain Python package, "pypa/cibuildwheel" is the easy way to build a Python package for various platforms in CI.
SLSA.dev, Sigstore;
GitHub supports artifact attestations and storing attestations in an OCI Image store FWIU. Does GCP Artifact Registry support attestations?
"Using artifact attestations to establish provenance for builds" https://docs.github.com/en/actions/security-for-github-actio...
That is one of the supported formats (and maybe most common), but not the only one.
https://cloud.google.com/artifact-registry/docs/supported-fo...
The Python one behaves just like PyPI, you just need to specify the URL provide credentials.
GitLab has Python package registry support (503?): https://docs.gitlab.com/user/packages/pypi_repository/
Gitea has Python package registry support (503?): https://docs.gitea.com/usage/packages/pypi
PyPI supports attestations for Python packages when built by Trusted Publishers: https://docs.pypi.org/attestations/ :
> PyPI uses the in-toto Attestation Framework for the attestations it accepts. [ in-toto/attestation spec: https://github.com/in-toto/attestation/blob/main/spec/README... ]
> Currently, PyPI allows the following attestation predicates:
> SLSA Provenance, PyPI Publish
Artifact Registry > Artifact Registry documentation > Guides > Manage Python packages: https://cloud.google.com/artifact-registry/docs/python/manag... :
> [Artifact Registry] private repositories use the canonical Python repository implementation, the simple repository API (PEP 503), and work with installation tools like pip.
PEP 503 – Simple Repository API: https://peps.python.org/pep-0503/
PEP 740 – Index support for digital attestations: https://peps.python.org/pep-0740/
OCI artifacts are one of the most under hyped technologies. Almost everyone already has an image registry, now that registry supports basically any kind of package and with nice versioning semantics.
Why wouldn’t you use it? I don’t want to auth again into something else and deal with different registries for every language I have.
Most major tech companies I've worked with have an internal OCI repo of some kind maintained; internal packages are available and external packages are cached (or blocklisted, in certain situations, which is its own flavor of helpful for security risks) and everything from Docker to Maven to Pip/Poetry/etc. Just Works.
https://cloud.google.com/artifact-registry/docs/python
This is just a private PEP503 repository, your own private PyPI.
This quickly get messy though. We use AWS CDK and build our assets in a Docker container. Each time the token changes, Docker invalidates a bunch of layers and rebuilds the image. AWS CDK sees that and uploads a new .zip to S3 or an image to ECR. Then Security Hub sees a new Lambda function or image, scans it, and carpet bombs my email whenever a CVE is found.
It's ... not ideal.
sergiolema•8mo ago
So, I needed to create a runnable file in Python. I needed to create a wheel file. All this with Poetry and integrate it into my CI/CD pipeline.
robertlagrant•8mo ago
[0] https://python-poetry.org/docs/cli/#version