Doc: explaining how to verify provenance + introducing guarddog in CI

py-pdf · Dec 18, 2024 · 6ba975d · 6ba975d
1 parent fb525ad
commit 6ba975d
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml
@@ -119,6 +119,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
+        # Security hardening because this is a sensitive job,
+        # where extra care should be taken NOT to leak any secret
         uses: step-security/harden-runner@v2
         with:
           egress-policy: block
@@ -172,6 +174,8 @@ jobs:
       id-token: write
     steps:
       - name: Harden Runner
+        # Security hardening because this is a sensitive job,
+        # where extra care should be taken NOT to leak any secret
         uses: step-security/harden-runner@v2
         with:
           egress-policy: block

diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 [![build status](https://github.com/py-pdf/fpdf2/workflows/build/badge.svg)](https://github.com/py-pdf/fpdf2/actions?query=branch%3Amaster)
 [![codecov](https://codecov.io/gh/py-pdf/fpdf2/branch/master/graph/badge.svg)](https://codecov.io/gh/py-pdf/fpdf2)
 [![Pypi Trusted Publisher: enabled](https://img.shields.io/badge/Pypi%20Trusted%20Publisher-enabled-green.svg)](https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/)
-[![checks: bandit, guarddog, pylint, semgrep](https://img.shields.io/badge/checks-bandit,pylint,semgrep,grype-green.svg)](https://github.com/py-pdf/fpdf2/actions/workflows/continuous-integration-workflow.yml)
+[![checks: bandit, grype, guarddog, pylint, semgrep](https://img.shields.io/badge/checks-bandit,grype,guarddog,pylint,semgrep-green.svg)](https://github.com/py-pdf/fpdf2/actions/workflows/continuous-integration-workflow.yml)
 
 [![Dependents](https://img.shields.io/librariesio/dependents/pypi/fpdf2)](https://libraries.io/pypi/fpdf2/dependents)
 [![Downloads per month](https://pepy.tech/badge/fpdf2/month)](https://pepy.tech/project/fpdf2)

diff --git a/docs/index.md b/docs/index.md
@@ -83,6 +83,19 @@ pip install git+https://github.com/py-pdf/fpdf2.git@master
 
 **Developement**: check the [dedicated documentation page](Development.md).
 
+### Verifying provenance
+`sigstore` can be used to check the provenance of a `fpdf2-2.X.Y.tar.gz` package.
+
+Example to check that [`fpdf2-2.8.2.tar.gz` package on Pypi](https://pypi.org/project/fpdf2/#fpdf2-2.8.2.tar.gz) can be linked to the `git` commit [b9cfbb6d8ca1eb034e826fd358194e899a1daf28](https://github.com/py-pdf/fpdf2/commit/b9cfbb6d8ca1eb034e826fd358194e899a1daf28) on the [py-pdf/fpdf2](https://github.com/py-pdf/fpdf2) GitHub repository:
+
+```shell
+pip install sigstore
+
+wget https://files.pythonhosted.org/packages/b0/54/0e86f986e81abad9e6b348f5176048a2aa046920d46292c42a581064d93e/fpdf2-2.8.2.tar.gz
+
+sigstore verify github fpdf2-2.8.2.tar.gz --repository=py-pdf/fpdf2 --sha b9cfbb6d8ca1eb034e826fd358194e899a1daf28
+```
+
 ### Displaying deprecation warnings
 `DeprecationWarning`s are not displayed by Python by default.