From 6e0c33113e0e0f107f042f11db1d496925f0fb3a Mon Sep 17 00:00:00 2001
From: Jeppe Fihl-Pearson
Date: Thu, 27 Jun 2024 21:37:44 +0100
Subject: [PATCH] Set up attestation of files in releases

https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

This means users have the ability to check if the files available on PyPI are the ones originating from the GitHub Actions workflows in this repository, so they can check they haven't been altered.
---
 .github/workflows/release-to-pypi.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/release-to-pypi.yml b/.github/workflows/release-to-pypi.yml
index c6b88fb..2531b66 100644
--- a/.github/workflows/release-to-pypi.yml
+++ b/.github/workflows/release-to-pypi.yml
@@ -10,6 +10,11 @@ jobs:
   build:
     runs-on: ubuntu-24.04
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+
     steps:
       - uses: actions/checkout@v4
@@ -27,6 +32,11 @@ jobs:
       - name: Build package
         run: poetry build
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: dist/*
+
       - name: Store release files
         uses: actions/upload-artifact@v4
         with:
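Review bot: The job-level `id-token: write` added in the `permissions:` block lets every step in `build` request an OIDC token in the repository's identity, not just the attestation step; that includes `actions/checkout@v4` and any other third-party action the job runs outside this hunk, and GitHub cannot narrow this permission per step. The block is otherwise a good least-privilege change, because an explicit `permissions:` map drops every scope not listed, so if any other step in this job relied on the default token scopes it will now fail loudly rather than silently. I would make that intent visible with a comment above the block, e.g. `# id-token: write is needed so attest-build-provenance can sign via Sigstore OIDC; any step in this job can mint that token, so keep third-party actions here minimal and SHA-pinned.` The rest of the `build` job lies outside the hunk, so confirm nothing there needed `contents: write`.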
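Review bot: `uses: actions/attest-build-provenance@v1` references the action that signs the provenance claim by a mutable major-version tag, which makes it the weakest link in the trust chain this commit sets out to build; the same applies to `actions/checkout@v4` and `actions/upload-artifact@v4` around it. Pin to a full commit SHA with the version kept in a trailing comment, `uses: actions/attest-build-provenance@<full-commit-sha> # v1.x.y`, so that Dependabot can still bump it while the resolved code cannot change underneath a tag. The attestation is produced right after `poetry build` and before the upload step, so it covers the digests of whatever is in `dist/` at that moment; a consumer verifies a file downloaded from PyPI with `gh attestation verify <file> --repo <owner>/<repo>`, and a file altered after this step should fail that check, which is the property the commit message describes. Note that this is GitHub's attestation store rather than PyPI's own (PEP 740) attestations, so the claim in the description should be read as "verifiable through GitHub", which is worth spelling out in a `# Verify with: gh attestation verify ...` comment on the step.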