FWIW, though it may not be necessary for a plain Python package, "pypa/cibuildwheel" is the easy way to build a Python package for various platforms in CI.
SLSA.dev, Sigstore;
GitHub supports artifact attestations and storing attestations in an OCI Image store FWIU. Does GCP Artifact Registry support attestations?
> [Artifact Registry] private repositories use the canonical Python repository implementation, the simple repository API (PEP 503), and work with installation tools like pip.
Recently, I've been building a project in Python that doesn't have a Docker image as output. Instead, I need a runnable file. Why? Because I need to talk to the machine directly and not to Docker. Because I need to talk to the GPU drivers directly and not to another abstraction layer.
So, I needed to create a runnable file in Python. I needed to create a wheel file. All this with Poetry and integrate it into my CI/CD pipeline.
I've used https://github.com/gorilla-co/s3pypi or some variant of it in a few places. Basically cloudfront + s3 instead of a dedicated artifact registry.
At my job, we use AWS CodeArtifact to host a couple dozen internal libraries we use for Python and TypeScript projects. I suspect that this is a common use case for these kinds of artifact repositories.
To access a private CodeArtifact repository, you have to first fetch a short-lived token, then supply that as the password when you access it via npm/yarn, poetry, etc. In most cases, this is an inconvenience that can mostly be paved over with the AWS CLI or a shell alias.
This quickly gets messy, though. We use AWS CDK and build our assets in a Docker container. Each time the token changes, Docker invalidates a bunch of layers and rebuilds the image. AWS CDK sees that and uploads a new .zip to S3 or an image to ECR. Then Security Hub sees a new Lambda function or image, scans it, and carpet bombs my email whenever a CVE is found.
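One way to keep the short-lived CodeArtifact token out of the image layers (and out of the layer-cache key) is to hand it to the build as a BuildKit secret mount instead of a build ARG. This is an added example, not the commenter's setup; the domain, account, region and repository names are placeholders, and it assumes the AWS CLI and a BuildKit-enabled Docker are installed.

```shell
#!/bin/sh
# Added example: pass a CodeArtifact token to `docker build` via a secret mount.
# The token is read only at RUN time from /run/secrets and never lands in a
# layer, so a fresh token does not invalidate the cache the way an ARG would.

# Hostname of a CodeArtifact domain: DOMAIN-ACCOUNT.d.codeartifact.REGION.amazonaws.com
codeartifact_host() {
  printf '%s-%s.d.codeartifact.%s.amazonaws.com\n' "$1" "$2" "$3"
}

# Write a Dockerfile whose only credential access is the secret mount.
# CA_HOST and CA_REPO are stable, non-secret build args; the token is not an ARG.
write_dockerfile() {
  cat > "$1" <<'EOF'
# syntax=docker/dockerfile:1
FROM python:3.12-slim
ARG CA_HOST
ARG CA_REPO
WORKDIR /app
COPY requirements.txt .
# pip honours PIP_INDEX_URL; "aws" is the fixed username CodeArtifact expects.
RUN --mount=type=secret,id=codeartifact_token \
    PIP_INDEX_URL="https://aws:$(cat /run/secrets/codeartifact_token)@${CA_HOST}/pypi/${CA_REPO}/simple/" \
    pip install --no-cache-dir -r requirements.txt
EOF
}

# Usage: ./build.sh DOMAIN ACCOUNT_ID REGION REPO  (does nothing without args)
if [ "$#" -eq 4 ]; then
  tmp="$(mktemp)"; chmod 600 "$tmp"; trap 'rm -f "$tmp"' EXIT
  # Mint the shortest token CodeArtifact allows (900 s) for this one build.
  aws codeartifact get-authorization-token --domain "$1" --domain-owner "$2" \
    --region "$3" --duration-seconds 900 \
    --query authorizationToken --output text > "$tmp"
  write_dockerfile Dockerfile
  DOCKER_BUILDKIT=1 docker build \
    --build-arg CA_HOST="$(codeartifact_host "$1" "$2" "$3")" \
    --build-arg CA_REPO="$4" \
    --secret id=codeartifact_token,src="$tmp" -t app:local .
fi
```

Because the token is never part of a layer, `docker history` and the pushed image contain no credential, and the `pip install` layer is re-run only when requirements.txt, CA_HOST or CA_REPO change.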
I've been doing it to Azure (private package repo) since their instructions were ok. I would like some of these to publish instructions for uv as well (instead of just pip/twine).
Someone needs to make a site like You Might Not Need jQuery but You Might Not Need Docker. It's unfortunate to me these days that putting everything into containers seems to be the default.
These aren’t normal containers; they are “artifacts”, which are just a manifest, a single layer and a MIME type.
OCI artifacts are one of the most under-hyped technologies. Almost everyone already has an image registry, and now that registry supports basically any kind of package, with nice versioning semantics.
Why wouldn’t you use it? I don’t want to auth again into something else and deal with different registries for every language I have.
Definitely. OCI artifact repos are much closer to the Artifactories of yore (and today) than they are to "it's all docker".
Most major tech companies I've worked with have an internal OCI repo of some kind maintained; internal packages are available and external packages are cached (or blocklisted, in certain situations, which is its own flavor of helpful for security risks) and everything from Docker to Maven to Pip/Poetry/etc. Just Works.
It looks like there are a few GitHub Actions for pushing container image artifacts to GCP Artifact Registry: https://github.com/marketplace?query=artifact+registry&type=...
"Using artifact attestations to establish provenance for builds" https://docs.github.com/en/actions/security-for-github-actio...