[pyos meta repo] Use GitHub Artifact Attestations #165
Comments
Either that, or the official action. Keep the old job for making releases, perhaps reduce its privileges and add a new job with new privileges. I actually filed an issue to update this in PyPUG yesterday, too. The upload attestations will be built into the publish action once that work is completed, by the way.
By official action do you mean You're saying it might get folded into
As of https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0, sigstore attestations are enabled by default. pypa/gh-action-pypi-publish#288 is for adding them to GitHub Attestations as well.
Oh, I missed this question. I think I meant
Kind of. I want to try uploading the same attestations that are sent to PyPI, to GitHub as well. However, the difference with What I dislike about Here's an example of doing this + producing SLSA artifacts as well: https://github.com/ansible/awx-plugins/blob/678ea69/.github/workflows/ci-cd.yml#L925-L1115.
Oh, and yes,
GitHub now has full support for Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
The feature supersedes our usage of SigStore (#156), since it uses SigStore under the hood and has built-in support in the GitHub API/CLI, e.g.
gh attestation verify PATH/TO/ARTIFACT -o myorganization
I am happy to make this change if there is agreement.
cc @webknjaz
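What the proposal above amounts to in a workflow, as an added illustration rather than the pyos meta repo's own CI: one job builds the Python distributions and records GitHub Artifact Attestations for them, and a separate, lower-privilege job verifies them with the `gh` CLI before anything is published. The org name `myorganization` is the placeholder from the issue text, and the `python -m build` step is assumed.

```yaml
# Added example, not the project's own workflow. Assumes the repository lives
# under the GitHub org "myorganization" and builds sdists/wheels into dist/.
name: release

on:
  push:
    tags: ["v*"]

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # requests the Sigstore signing identity (OIDC)
      attestations: write   # stores the attestation in the GitHub API
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install build && python -m build
      - name: Record build provenance for every file in dist/
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  verify:
    # Separate job with no signing or attestation permissions: it only reads
    # the attestations back and fails the release if any file does not verify.
    needs: build-and-attest
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Verify provenance against the owning org
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          for f in dist/*; do
            gh attestation verify "$f" --owner myorganization
          done
```

The publish step (for example `pypa/gh-action-pypi-publish`) would then depend on `verify`, so an artifact whose provenance does not check out never reaches PyPI.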