Generate PEP 740 attestations for PyPI

AA-Turner · Oct 6, 2024 · 983635c · 983635c
1 parent e04d042
commit 983635c
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -29,10 +29,16 @@ jobs:
         run: |
           pip install -U pip
           pip install build twine
+          # resolution fails without betterproto and protobuf-specs
+          pip install "pypi-attestations~=0.0.12" "sigstore-protobuf-specs==0.3.2" "betterproto==2.0.0b6"
 
       - name: Build distribution
         run: python -m build
 
+      - name: Check distribution
+        run: |
+          twine check dist/*
+
       - name: Mint PyPI API token
         id: mint-token
         uses: actions/github-script@v7
@@ -59,14 +65,26 @@ jobs:
             core.setSecret(api_token)
             core.setOutput('api-token', api_token)
 
+      - name: Generate PEP 740 attestations
+        run: | 
+          python -m pypi_attestations sign dist/*
+
+      - name: Inspect PEP 740 attestations
+        run: | 
+          python -m pypi_attestations inspect dist/*.publish.attestation
+
+      - name: Verify PEP 740 attestations
+        run: | 
+          python -m pypi_attestations verify dist/*.whl --identity https://github.com/${{ github.repository }}/.github/workflows/create-release.yml@${{ github.ref }}
+          python -m pypi_attestations verify dist/*.tar.gz --identity https://github.com/${{ github.repository }}/.github/workflows/create-release.yml@${{ github.ref }}
+
       - name: Upload to PyPI
         env:
           TWINE_NON_INTERACTIVE: "true"
           TWINE_USERNAME: "__token__"
           TWINE_PASSWORD: "${{ steps.mint-token.outputs.api-token }}"
         run: |
-          twine check dist/*
-          twine upload dist/*
+          twine upload dist/* --attestations
 
   github-release:
     runs-on: ubuntu-latest