Improve provenance checking (gh)

Author: howetuft

.github/workflows/wheel-builder.yml

@@ -240,6 +240,7 @@ jobs:
           CIBW_ENVIRONMENT: >
             SKBUILD_CMAKE_ARGS='--preset conan-default;--log-level=VERBOSE;-DLUXCORE_VERSION=${{ steps.output-version.outputs.version }};-G Ninja Multi-Config'
             SKBUILD_CMAKE_BUILD_TYPE=${{ env.BUILD_TYPE }}
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CIBW_ENVIRONMENT_PASS_LINUX: |
             CC
             CXX
@@ -264,14 +265,25 @@ jobs:
             dnf install -y epel-release
             dnf install -y almalinux-release-devel
             dnf install -y ccache
-            dnf install -y sudo  # for gtk3...
             dnf install -y perl-IPC-Cmd perl-Digest-SHA
 
-            # Manylinux_2_34 compatibility
+            # Install gh (via conda)
+            dnf install -y wget
+            mkdir -p miniconda3
+            wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh -O miniconda3/miniconda.sh
+            bash miniconda3/miniconda.sh -b -u -p miniconda3
+            rm miniconda3/miniconda.sh
+            source miniconda3/bin/activate
+            conda init --all
+            conda install gh --channel conda-forge -y
+            echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token
+
+            # Manylinux_2_34 compatibility (for future use)
             if [[ ${{ env.GLIBC_VERSION }} != 2_28 ]]; then
               dnf install -y perl-FindBin perl-lib
             fi
 
+            # Install dependencies
             pip install conan && make deps
 
           CIBW_BEFORE_ALL_MACOS: |

cmake/make_deps.py

@@ -7,7 +7,7 @@
 import os
 import tempfile
 from urllib.request import urlretrieve
-from urllib.parse import urlparse, urlsplit
+from urllib.parse import urlparse
 from pathlib import Path
 from zipfile import ZipFile
 import subprocess
@@ -18,11 +18,11 @@
 import platform
 import sys
 from functools import cache
+from dataclasses import dataclass
 
 
 CONAN_ALL_PACKAGES = '"*"'
 
-OUTPUT_DIR = os.getenv("OUTPUT_DIR", "out")
 
 logger = logging.getLogger("LuxCore Dependencies")
 
@@ -36,7 +36,9 @@
 }
 
 
+@dataclass
 class Colors:
+    """Colors for terminal output."""
     HEADER = "\033[95m"
     OKBLUE = "\033[94m"
     OKCYAN = "\033[96m"
@@ -135,11 +137,22 @@ def download(url, destdir):
     # Check attestation
     logger.info("Checking '%s'", local_filename)
 
-    gh_app = shutil.which("gh")
-    if not gh_app:
-        logger.error(Colors.FAIL + "SIGNATURE CHECKING ERROR" + Colors.ENDC)
-        msg = "Cannot find 'gh'application - Dependencies origin cannot be checked."
-        logger.error(Colors.FAIL + msg + Colors.ENDC)
+    if not (gh_app := shutil.which("gh")):
+        msg = (
+            Colors.WARNING,
+            "SIGNATURE CHECKING ERROR",
+            Colors.ENDC,
+        )
+        msg = "".join(msg)
+        logger.warning(msg)
+        msg = (
+            Colors.WARNING,
+            "Cannot find 'gh'application - ",
+            "Dependencies origin cannot be checked.",
+            Colors.ENDC,
+        )
+        msg = ''.join(msg)
+        logger.warning(msg)
     else:
         gh_cmd = [
             gh_app,
@@ -153,11 +166,13 @@ def download(url, destdir):
         try:
             gh_output = subprocess.check_output(gh_cmd, text=True)
         except subprocess.CalledProcessError as err:
-            logger.error(Colors.FAIL + "SIGNATURE CHECKING ERROR" + Colors.ENDC)
-            logger.error("gh return code: %s", err.returncode)
-            logger.error(err.output)
+            msg = f"{Colors.WARNING}SIGNATURE CHECKING ERROR{Colors.ENDC}"
+            logger.warning(msg)
+            logger.warning("gh return code: %s", err.returncode)
+            logger.warning(err.output)
         else:
-            logger.info(Colors.OKGREEN + "'%s': found certificate - OK" + Colors.ENDC, filename)
+            msg = f"{Colors.OKGREEN}'%s': found certificate - OK{Colors.ENDC}"
+            logger.info(msg, filename)
             signature, *_ = json.loads(gh_output)
             certificate = signature["verificationResult"]["signature"]["certificate"]
             logger.debug(json.dumps(certificate, indent=2))
@@ -201,18 +216,19 @@ def copy_conf(dest):
 
 def main(call_args=None):
     """Entry point."""
-    global OUTPUT_DIR
+    output_dir = os.getenv("output_dir", "out")
 
     # Set-up logger
     logger.setLevel(logging.INFO)
     logging.basicConfig(level=logging.INFO)
-    logger.info(Colors.OKBLUE + "BEGIN" + Colors.ENDC)
+    msg = f"{Colors.OKBLUE}BEGIN{Colors.ENDC}"
+    logger.info(msg)
 
     # Get settings
     logger.info("Reading settings")
     with open("luxcore.json", encoding="utf-8") as f:
         settings = json.load(f)
-    logger.info("Output directory: %s", OUTPUT_DIR)
+    logger.info("Output directory: %s", output_dir)
 
     # Get optional command-line parameters
     # Nota: --local option is used by LuxCoreDeps CI
@@ -248,7 +264,7 @@ def main(call_args=None):
     if args.verbose:
         logger.setLevel(logging.DEBUG)
     if args.output:
-        OUTPUT_DIR = args.output
+        output_dir = args.output
 
     # Process
     with tempfile.TemporaryDirectory() as tmpdir:
@@ -315,24 +331,25 @@ def main(call_args=None):
             "--build=missing",
             f"--profile:all={get_profile_name()}",
             "--deployer=full_deploy",
-            f"--deployer-folder={OUTPUT_DIR}/dependencies",
-            f"--output-folder={OUTPUT_DIR}",
+            f"--deployer-folder={output_dir}/dependencies",
+            f"--output-folder={output_dir}",
             "--settings=build_type=Release",
             "--conf:all=tools.cmake.cmaketoolchain:generator=Ninja Multi-Config",
         ]
         build_types = ["Debug", "Release"]
         if args.extended:
             build_types += ["RelWithDebInfo", "MinSizeRel"]
         for build_type in build_types:
-            logger.info(f"Generating '{build_type}'")
+            logger.info("Generating '%s'", build_type)
             end_block = [f"--settings=&:build_type={build_type}", "."]
             run_conan(main_block + end_block)
 
         # Show presets
-        subprocess.run(["cmake", "--list-presets=build"])
+        subprocess.run(["cmake", "--list-presets=build"], check=False)
         print("", flush=True)
 
-    logger.info(Colors.OKBLUE + "END" + Colors.ENDC)
+    msg = Colors.OKBLUE + "END" + Colors.ENDC
+    logger.info(msg)
 
 
 if __name__ == "__main__":

utils/debug_wheels.sh

@@ -13,6 +13,7 @@
 python_version_minor=$(python -c 'import sys; print(sys.version_info[1])')
 
 act workflow_dispatch \
+  --pull \
   --action-offline-mode \
   --workflows ".github/workflows/wheel-builder.yml" \
   -s GITHUB_TOKEN="$(gh auth token)" \