Add PyPI publish attestations on release#132
Open
shaanmajid wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hi! This switches the release upload step from
uv publishtopypa/gh-action-pypi-publish@v1.14.0.python-frontmatteralready publishes from GitHub Actions using PyPI Trusted Publishing/OIDC. Using the official PyPA publish action keeps that flow, but also generates and uploads PyPI publish attestations by default, so this shouldn't require any new PyPI-side configuration or secrets. Those attestations bind each uploaded distribution to the GitHub Actions workflow that published it, giving PyPI and downstream users stronger provenance for the release artifacts.Possible follow-ups
I kept this PR intentionally small for reviewability, but noticed a few related release-hardening opportunities while looking at the workflow:
enable-cache: trueonsetup-uvin thedeployjob. Avoiding cache in the publish flow reduces cache-poisoning risk around artifacts being published to PyPI.id-token: writeis only available in the final upload job. This is recommended by both the pypa/gh-action-pypi-publish and astral-sh/attest-action docs.Happy to make any of these here or in follow-up PRs, whichever you prefer.
Testing
Not run; workflow-only change.