
Moving towards SLSA Level 1. #69

Closed
jenstroeger opened this issue Dec 12, 2021 · 5 comments
Labels: question (Further information is requested), SLSA (Relating Supply-chain Levels for Software Artifacts (SLSA))

jenstroeger (Owner) commented Dec 12, 2021

@behnazh, if I understand you correctly in related issue #25, then we need a scripted build of sorts to reach SLSA Level 1 for this repo. For Python packages (what about applications?) that’s described on the Creating Built Distributions page — is that what you mean?

It sounds like the script itself is required, but not the built artifact, e.g.

#!/usr/bin/env bash

python setup.py bdist

which would create e.g. a dist/package-1.1.2.macosx-10.14-x86_64.tar.gz artifact; or using the sdist to create a dist/package-1.1.2.tar.gz artifact. (See also the setuptools documentation.)

@jenstroeger jenstroeger added question Further information is requested SLSA Relating Supply-chain Levels for Software Artifacts (SLSA) labels Dec 12, 2021
brad-getpassport commented

I would prefer that we utilize a Makefile as it's pretty standard and we can then have:

make distribution
make clean -- to cleanup and start afresh

Also if a package is included it's easy to build as you can just run make

behnazh (Collaborator) commented Dec 14, 2021

@jenstroeger to reach level 1, the repo needs a scripted build and the provenance for the built artifact. Once the build script is added, we can use the SLSA's existing Action to generate a provenance in in-toto format and upload it as an artifact. The provenance contains the Actions workflow where the build script is run, the sha256 digest, and other useful metadata.

I agree with @brad-getpassport's suggestion to use a Makefile.
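To make the provenance step concrete, here is an added example (not the repository's code and not the official slsa-framework generator Action) that builds an in-toto Statement with a SLSA v0.2 provenance predicate for a built artifact and then verifies a downloaded copy of that artifact against it. The builder id, workflow URI, commit digest and artifact contents are constructed placeholders; the field names follow the public SLSA v0.2 predicate layout.

```python
"""Build an in-toto Statement carrying a SLSA v0.2 provenance predicate for an
artifact produced by a scripted build, then verify an artifact against it.
Added illustration only: not the repository's code and not the slsa-framework
generator Action. Builder id, workflow and source values are placeholders."""
import hashlib
import hmac
import json
import os
import tempfile

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed placeholders standing in for the real workflow identity.
BUILDER_ID = "https://github.com/example-org/example-repo/.github/workflows/build.yml@refs/heads/main"
CONFIG_SOURCE = {
    "uri": "git+https://github.com/example-org/example-repo@refs/heads/main",
    "digest": {"sha1": "0" * 40},  # placeholder commit id, not a real commit
    "entryPoint": ".github/workflows/build.yml",
}


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks so large dists are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_provenance(artifact_path, build_command):
    """Return the in-toto Statement (a dict) describing how artifact_path was built."""
    return {
        "_type": STATEMENT_TYPE,
        "predicateType": PREDICATE_TYPE,
        "subject": [
            {"name": os.path.basename(artifact_path),
             "digest": {"sha256": sha256_of_file(artifact_path)}}
        ],
        "predicate": {
            "builder": {"id": BUILDER_ID},
            "buildType": "https://example.invalid/scripted-build/v1",  # placeholder buildType
            "invocation": {
                "configSource": CONFIG_SOURCE,      # where the workflow came from
                "parameters": {"command": build_command},  # the scripted build that ran
            },
            "metadata": {
                "completeness": {"parameters": True, "environment": False, "materials": False},
                "reproducible": False,
            },
            "materials": [{"uri": CONFIG_SOURCE["uri"], "digest": CONFIG_SOURCE["digest"]}],
        },
    }


def verify_provenance(statement, artifact_path, trusted_builders):
    """Accept the artifact only if the statement has the expected types, names a
    trusted builder, and lists a subject whose sha256 matches the file on disk."""
    if statement.get("_type") != STATEMENT_TYPE:
        return False
    if statement.get("predicateType") != PREDICATE_TYPE:
        return False
    if statement.get("predicate", {}).get("builder", {}).get("id") not in trusted_builders:
        return False
    actual = sha256_of_file(artifact_path)
    name = os.path.basename(artifact_path)
    for subject in statement.get("subject", []):
        if subject.get("name") == name:
            expected = subject.get("digest", {}).get("sha256", "")
            return hmac.compare_digest(expected, actual)
    return False  # artifact not covered by this statement


def demo():
    """Round trip on a constructed artifact: verify, try an untrusted builder,
    then tamper with the file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = os.path.join(tmp, "package-1.1.2.tar.gz")
        with open(artifact, "wb") as f:
            f.write(b"constructed stand-in for a built distribution\n")
        statement = make_provenance(artifact, "python setup.py sdist")
        # The serialised JSON is what a workflow would upload next to the artifact.
        reloaded = json.loads(json.dumps(statement, sort_keys=True))
        verified = verify_provenance(reloaded, artifact, {BUILDER_ID})
        untrusted = verify_provenance(reloaded, artifact, {"https://example.invalid/other"})
        with open(artifact, "ab") as f:
            f.write(b"tampered")
        tampered = verify_provenance(reloaded, artifact, {BUILDER_ID})
        return {"verified": verified, "untrusted_builder": untrusted,
                "tampered": tampered, "statement": reloaded}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The example deliberately stops at the unsigned statement: the real generator Action wraps the statement in a signed DSSE envelope, and without checking that signature a matching digest only proves the file and the provenance agree with each other, not that a trusted builder produced either of them. That is why `verify_provenance` also insists on a known builder id rather than accepting whatever the statement claims.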

jenstroeger (Owner, Author) commented

Thank you for the details, @behnazh. I can open a PR to add a GNU Makefile, and we take it from there? Unless you insist on writing it 🤓

brad-getpassport commented

@jenstroeger You can also take the makefile I created from the services project. It's not pretty but does a lot of the setup.

jenstroeger (Owner, Author) commented

PR #74, commit 05f226d. Shipped with v1.3.0 ☺️
