[pyos meta repo] Use GitHub Artifact Attestations #165

Open
blink1073 opened this issue Jun 27, 2024 · 2 comments

@blink1073
Collaborator

GitHub now has full support for Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/

The feature supersedes our usage of SigStore (#156), since it uses SigStore under the hood and has built-in support in the GitHub API/CLI, e.g. gh attestation verify PATH/TO/ARTIFACT -o myorganization.

I am happy to make this change if there is agreement.

cc @webknjaz

@webknjaz

Either that, or the official action. Keep the old job for making releases, perhaps reduce its privileges and add a new job with new privileges.

I actually filed an issue to update this in PyPUG yesterday, too.

The upload attestations will be built into the publish action once that work is completed, by the way.

@blink1073
Collaborator Author

By official action do you mean actions/attest-build-provenance or sigstore/gh-action-sigstore-python?

You're saying it might get folded into gh-action-pypi-publish?
