caketop / python-starlark-go

🐍 Python bindings for starlark-go 🐍
https://python-starlark-go.readthedocs.io/
Apache License 2.0

Experimenting with SLSA? #170

Open colindean opened 1 year ago

colindean commented 1 year ago

Reading about Python and SLSA piqued my interest. Would generating Supply chain Layers for Software Artifacts be of value to this library?

It seems like this could be as easy as "run this action, upload its artifacts to GitHub." py-sl-go is already uploading artifacts to GHR so it's just one more lil' JSON file.

I think the next logical step is to have another action that then verifies the package uploaded to PyPI against the IN-TOTO-format SLSA data file.

The thing that makes me think it might not be worth it (yet) is that there's not a good story yet of how to automate SLSA verification before package installation beyond "download the wheel, go find upstream's IN-TOTO file, verify, then install." That second step is a big ask that I think few people will do.
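The "verify, then install" step described above, as an added example that is not part of this thread or of python-starlark-go: it checks a downloaded wheel against the subject digests and builder id in an in-toto SLSA provenance statement. It assumes the statement has already been fetched and parsed into a dict, uses a constructed placeholder builder id, and does not check the DSSE signature over the statement (which a full verifier such as slsa-verifier does).

```python
import hashlib
import json
import tempfile
from pathlib import Path

SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"
# Placeholder (constructed, not a real builder id); pin this to the builder you trust.
BUILDER_ID = "https://example.invalid/placeholder-builder"


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks so large wheels stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_wheel_against_statement(wheel_path, statement, expected_builder_id):
    """Return (ok, reason): ok only if the statement is SLSA provenance, was
    produced by the expected builder, and lists this wheel's sha256 as a subject."""
    if not str(statement.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        return False, "not a SLSA provenance statement"
    builder_id = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder_id != expected_builder_id:
        return False, f"unexpected builder id: {builder_id!r}"
    digest = sha256_of_file(wheel_path)
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256", "").lower() == digest:
            return True, f"matched subject {subject.get('name')}"
    return False, f"sha256 {digest} not listed in provenance subjects"


def run_demo():
    """Constructed demo: a fake wheel, a matching statement, then a wrong builder
    and a tampered wheel. Returns the ok flags for each case."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "starlark_go-0.0.0-py3-none-any.whl"  # constructed name
        wheel.write_bytes(b"PK\x03\x04 constructed fake wheel contents")
        statement = json.loads(json.dumps({  # what the uploaded .intoto.jsonl would carry
            "_type": "https://in-toto.io/Statement/v0.1",
            "predicateType": "https://slsa.dev/provenance/v0.2",
            "subject": [{"name": wheel.name, "digest": {"sha256": sha256_of_file(wheel)}}],
            "predicate": {"builder": {"id": BUILDER_ID}},
        }))
        good = check_wheel_against_statement(wheel, statement, BUILDER_ID)[0]
        wrong_builder = check_wheel_against_statement(wheel, statement, "https://example.invalid/other")[0]
        wheel.write_bytes(b"PK\x03\x04 tampered contents")  # simulate a swapped artifact
        tampered = check_wheel_against_statement(wheel, statement, BUILDER_ID)[0]
    return {"good": good, "wrong_builder": wrong_builder, "tampered": tampered}
```

Only install the wheel when the check returns ok; a rejected builder id or an unlisted digest means the artifact is not the one the provenance describes.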