ci: Add GitHub artifact attestations to package distribution (#55)

* Add generation of GitHub artifact attestations to built sdist and wheel before upload. c.f.: - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
yadage · Jun 17, 2024 · 2bc5ae9 · 2bc5ae9
1 parent 838828b
commit 2bc5ae9
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -17,10 +17,17 @@ on:
         - false
         - true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-publish:
     name: Build and publish Python distro to (Test)PyPI
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+
     steps:
     - uses: actions/checkout@v4
       with:
@@ -45,6 +52,13 @@ jobs:
       run: |
         python -m build .
 
+    - name: Generate artifact attestation for sdist and wheel
+      # If publishing to PyPI
+      if: github.event_name == 'release' && github.event.action == 'published' && github.repository == 'yadage/yadage-schemas'
+      uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1
+      with:
+        subject-path: "dist/yadage_schemas-*"
+
     - name: Verify the distribution
       run: twine check dist/*