[8.2.x] Attest package provenance (#12335)

Co-authored-by: Bruno Oliveira <nicoddemus@gmail.com>
2024-05-17 08:20:32 -03:00 · 2024-05-17 08:20:32 -03:00 · f3dd93ad8d
parent bb5a1257b0
commit f3dd93ad8d
3 changed files with 10 additions and 2 deletions
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@ -19,6 +19,11 @@ jobs:
      SETUPTOOLS_SCM_PRETEND_VERSION: ${{ github.event.inputs.version }}
    timeout-minutes: 10

+    # Required by attest-build-provenance-github.
+    permissions:
+      id-token: write
+      attestations: write
+
    steps:
    - uses: actions/checkout@v4
      with:
@ -26,7 +31,9 @@ jobs:
        persist-credentials: false

    - name: Build and Check Package
-      uses: hynek/build-and-inspect-python-package@v2.4.0
+      uses: hynek/build-and-inspect-python-package@v2.5.0
+      with:
+        attest-build-provenance-github: 'true'

  deploy:
    if: github.repository == 'pytest-dev/pytest'
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -35,7 +35,7 @@ jobs:
        fetch-depth: 0
        persist-credentials: false
    - name: Build and Check Package
-      uses: hynek/build-and-inspect-python-package@v2.4.0
+      uses: hynek/build-and-inspect-python-package@v2.5.0

  build:
    needs: [package]
--- a/changelog/12333.trivial.rst
+++ b/changelog/12333.trivial.rst
@ -0,0 +1 @@
+pytest releases are now attested using the recent `Artifact Attestation <https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/>` support from GitHub, allowing users to verify the provenance of pytest's sdist and wheel artifacts.
				`@ -0,0 +1 @@`
				pytest releases are now attested using the recent `Artifact Attestation <https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/>` support from GitHub, allowing users to verify the provenance of pytest's sdist and wheel artifacts.