v1.10.0 #255
-
I turned on attestations and I'm getting this error:
Happy to share more if that'd help. Here's the workflow - it works fine without attestations, and here's the specific job.
-
The attestations feature worked for me! https://github.com/steiza/simplepypi/actions/runs/10813914412/job/29999063162 I see that the publish attestation is logged in the Action workflow logs and sent to the Sigstore Rekor transparency log - that's great. Is the attestation currently being stored by Warehouse? Is there a CLI command I could run to see / verify the publish attestation, or an API where I could download it?
-
@webknjaz @woodruffw does attestation work with a split build and publish env? Something like https://github.com/tox-dev/tox/blob/main/.github/workflows/release.yml#L10-L46. Or are we losing build env info should we split it as such? 🤔
-
🔏 Anything fancy, eh?
This time, @woodruffw💰 implemented support for PEP 740 attestations functionality in #236 and #245. This is a big deal, as it is a huge step forward to replacing what the deprecated GPG signatures used to provide in a more meaningful way.
Important
✨ Please, do opt into trying this feature out early. It can be enabled as follows:
Leave any feedback on this in this release discussion or the PR.
🙏 And please, thank William for working on this amazing improvement for the ecosystem! The overall effort is tracked @ pypi/warehouse#15871, by the way.
🪞 Full Diff: v1.9.0...v1.10.0
🧔♂️ Release Manager: @webknjaz 🇺🇦
This discussion was created from the release v1.10.0.