Set up attestation of files in releases

https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ This means users have the ability to check if the files available on PyPI are the ones originating from the GitHub Actions workflows in this repository, so they can check they haven't been altered.
Tenzer · Jun 27, 2024 · 6e0c331 · 6e0c331
1 parent 09a6dd9
commit 6e0c331
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/.github/workflows/release-to-pypi.yml b/.github/workflows/release-to-pypi.yml
@@ -10,6 +10,11 @@ jobs:
   build:
     runs-on: ubuntu-24.04
 
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+
     steps:
       - uses: actions/checkout@v4
 
@@ -27,6 +32,11 @@ jobs:
       - name: Build package
         run: poetry build
 
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: dist/*
+
       - name: Store release files
         uses: actions/upload-artifact@v4
         with: