pex-tool / pex

A tool for generating .pex (Python EXecutable) files, lock files and venvs.
https://docs.pex-tool.org
Apache License 2.0

Fix GitHub Releases deployment. #2444

Closed jsirois closed 2 weeks ago

jsirois commented 2 weeks ago

The addition of digital attestations in #2442 broke the GitHub Releases release by moving from default permissions to more restrictive explicit permissions. Those permissions lacked the content write permission needed to create the release and post its artifacts.
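
The permission behavior described in the comment above, as an added example that is not the pex project's own workflow: once a job declares an explicit `permissions` block, every scope it leaves out is set to `none`, so an attestation-only block removes the write access a release step needs. Job names, the build script and the `dist/` paths are hypothetical.

```yaml
# Constructed example: job names, build script and dist/ paths are hypothetical.
# The two jobs are shown side by side for comparison; a real workflow keeps one.
name: release
on:
  push:
    tags: ["v*"]

jobs:
  # Before: scopes listed for attestation only. Any scope not listed in an
  # explicit permissions block is "none", so the release step is denied.
  release-attest-only:
    runs-on: ubuntu-latest
    permissions:
      id-token: write      # OIDC token used to sign the attestation
      attestations: write  # store the attestation
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh    # hypothetical build that writes dist/*
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*
      - uses: softprops/action-gh-release@v2  # denied: no contents write
        with:
          files: dist/*

  # After: the same narrow block plus the one scope release creation needs.
  release-with-contents:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      attestations: write
      contents: write      # create the release and upload its artifacts
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh    # hypothetical build that writes dist/*
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*
      - uses: softprops/action-gh-release@v2
        with:
          files: dist/*
```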

jsirois commented 2 weeks ago

Ok, @benjyw, that didn't quite do it. The fix in the 2.6.1 release is a nice-to-have and only really useful if you can't use --pip-version 24.1 (you run Python<3.8). I'm away until July 2nd, at which point I'll dig in to righting the release ship. If an emergency release is needed, I think just reverting this PR and the attestation PR makes sense as the stopgap.

benjyw commented 1 week ago

Thanks @jsirois, I'll keep an eye out for any urgent release needs.

benjyw commented 1 week ago

FWIW, looks like this issue was triggered, presumably by the upgrade of softprops/action-gh-release in #2374, and nothing to do with the attestations.

jsirois commented 1 week ago

I don't think so. The action log shows it checked out https://github.com/softprops/action-gh-release/commit/4634c16e79c963813287e889244c50009e7f0981 which is v2 from February. That issue loosely pattern matches, but is from 2021. I'll be spinning up a test repo to see what's going on.