Merge pull request #1096 from matthewfeickert/ci/add-artifact-attesta…

…tions ci: Add GitHub artifact attestations to package distribution
CoffeaTeam · May 26, 2024 · 825e7e9 · 825e7e9
2 parents f1831f0 + d38f12f
commit 825e7e9
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -185,6 +185,10 @@ jobs:
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     needs: [test, test-vine]
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
     strategy:
       matrix:
         python-version: ["3.12"]
@@ -199,6 +203,12 @@ jobs:
     - name: Build package for PyPI
       run: |
         pipx run hatch build -t sdist -t wheel
+    - name: Verify the distribution
+      run: pipx run twine check --strict dist/*
+    - name: Generate artifact attestation for sdist and wheel
+      uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      with:
+        subject-path: "dist/coffea-*"
     - name: Publish package to PyPI
       uses: pypa/gh-action-pypi-publish@v1.8.14
       with: