pyOpenSci / pyosMeta

A package that updates pyOpenSci contributor and package metadata on our website
MIT License

[pyos meta repo] Use GitHub Artifact Attestations #165

Open blink1073 opened 2 weeks ago

blink1073 commented 2 weeks ago

GitHub now has full support for Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/

The feature supersedes our usage of SigStore (#156), since it uses SigStore under the hood and has built-in support in the GitHub API/cli, e.g. gh attestation verify PATH/TO/ARTIFACT -o myorganization.

I am happy to make this change if there is agreement.

cc @webknjaz

webknjaz commented 2 weeks ago

Either that, or the official action. Keep the old job for making releases, perhaps reduce its privileges and add a new job with new privileges.

I actually filed an issue to update this in PyPUG yesterday, too.

The upload attestations will be built into the publish action once that work is completed, by the way.

blink1073 commented 2 weeks ago

By official action do you mean actions/attest-build-provenance or sigstore/gh-action-sigstore-python?

You're saying it might get folded into gh-action-pypi-publish?