Open captn3m0 opened 2 months ago
How I hate Python ecosystem fragmentation. Just after upgrading from pyscaffold, because the pypa setuptools links it pointed me to are dead after 3 years.
Waiting for https://github.com/pypi/warehouse/issues/15871 is probably a good idea.
FYI, it's already possible to upload the attestations. I had to fix a minor bug in the action today but you can start uploading already if you use trusted publishing. Just bump to v1.10.1 and opt-in.
https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
Seems like while pypa is still suggesting the Python sigstore action, the GitHub attestations are more native, so we should move there?