Open blink1073 opened 2 weeks ago
Either that, or the official action. Keep the old job for making releases, perhaps reduce its privileges and add a new job with new privileges.
I actually filed an issue to update this in PyPUG yesterday, too.
The upload attestations will be built into the publish action once that work is completed, by the way.
By official action do you mean actions/attest-build-provenance
or sigstore/gh-action-sigstore-python
?
You're saying it might get folded into gh-action-pypi-publish
?
GitHub now has full support for Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
The feature supersedes our usage of SigStore (#156), since it uses SigStore under the hood and has built-in support in the GitHub API/cli, e.g.
gh attestation verify PATH/TO/ARTIFACT -o myorganization
.I am happy to make this change if there is agreement.
cc @webknjaz