adding slsa metadata

Author: abacchilb

.github/workflows/publish.yml

@@ -1,34 +1,68 @@
 name: Publish Python Package
 
 on:
-  release:
-    types: [created, updated]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release Tag'
+        required: true
 
 jobs:
-  deploy:
-
+  build:
     runs-on: ubuntu-latest
-
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     steps:
-    - uses: actions/checkout@v2
-
+    - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.tag }}
     - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v5
       with:
         python-version: '3.x'
-
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install setuptools wheel twine
-
     - name: Build
       run: |
         python setup.py sdist bdist_wheel
-
-    - name: Publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+    - name: "Generate hashes"
+      id: hash
       run: |
-        twine upload dist/*
+        cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
+    - uses: actions/upload-artifact@v4
+      with:
+        name: build
+        path: ./dist
+
+  provenance_python:
+    needs: [build]
+    permissions:
+      actions: read
+      contents: write
+      id-token: write # Needed to access the workflow's OIDC identity.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true
+      upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow
+
+  publish-python-package-to-release:
+    runs-on: ubuntu-latest
+    needs: ['build']
+    permissions:
+      contents: write    
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.tag }}
+      - uses: actions/download-artifact@v4
+        with:
+          name: build
+          path: ./artifact
+      - name: Upload dist to release
+        run: |
+          gh release upload ${{ inputs.tag }} ./artifact/*
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -62,3 +62,20 @@ Once set up, you can run the following core functions:
 ------
 
 * = Coming soon
+
+## Provenance
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)
+
+To enhance the software supply chain security of Labelbox's users, as of 0.1.40, every release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document.  
+This document provides detailed information about the build process, including the repository and branch from which the package was generated.
+
+By using the [SLSA framework's official verifier](https://github.com/slsa-framework/slsa-verifier), you can verify the provenance document to ensure that the package is from a trusted source. Verifying the provenance helps confirm that the package has not been tampered with and was built in a secure environment.
+
+Example of usage for the 0.1.40 release wheel:
+
+```
+VERSION=0.1.40 #tag
+gh release download 0.1.40 --repo Labelbox/labelpandas
+
+slsa-verifier verify-artifact --source-branch master --builder-id 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0' --source-uri "git+https://github.com/Labelbox/labelpandas" --provenance-path multiple.intoto.jsonl ./labelpandas-${VERSION}-py3-none-any.whl
+```

SECURITY.md

@@ -2,5 +2,4 @@
 
 ## Reporting a Vulnerability
 
-Please contact security@labelbox.com for any vulnerability that needs to be reported
-with labelbox-python. We will get back to you as soon as we can.
+Please contact security@labelbox.com for any vulnerability that needs to be reported. We will get back to you as soon as we can.