ci: Add GitHub artifact attestations to package distribution #933
@henryiii I saw that you reran the failing Pyodide wheel tests, but they're still failing, though they have to be unrelated to this PR.
You requested review from me, but Henry normally handles boost-histogram. I can work on this if Henry is busy.
Thanks @HDembinski. If @henryiii normally covers this then I'll let him get to it whenever he has time — no rush here. Thanks though!
Yes, I've just been hoping the pyodide test would resolve, but it looks like something has changed and I'll need to debug. Doing so in #934. For my understanding, this only shows up in GitHub's page for now (and in the future PyPI might accept them too)?
updates: - [github.com/python-jsonschema/check-jsonschema: 0.28.2 → 0.28.4](python-jsonschema/check-jsonschema@0.28.2...0.28.4)
* Add generation of GitHub artifact attestations to built sdist and wheel before upload.
  c.f.:
  - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
  - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
90a50fa to 859da6c
Thanks!
Once this runs during a release the attestations will be uploaded to https://github.com/scikit-hep/boost-histogram/attestations and can be verified from a wheel or sdist artifact using the
c.f.:
python-jsonschema/check-jsonschema
pre-commit hook to recognize `attestations` `permissions` key.
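
A minimal release workflow showing the pattern this PR describes (attest the built sdist and wheel, then upload), as an added example that is not the workflow file from this PR. The job names, the artifact name `dist`, the build command and the action version tags are assumptions.

```yaml
# Added example, not the project's workflow. Names and version tags are assumptions.
name: wheels
on:
  release:
    types: [published]

# Start from no token permissions; each job opts in to what it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: pipx run build --sdist --wheel
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/*

  publish:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      id-token: write      # OIDC token used as the signing identity and for PyPI trusted publishing
      attestations: write  # lets the job store the attestation on the repository
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist
      # Attest exactly the files that are about to be uploaded, so the recorded
      # digests match what users later download.
      - name: Generate artifact attestations for sdist and wheel
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: "dist/*"
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The GitHub CLI can check a downloaded file against the stored attestation with `gh attestation verify <file> --repo scikit-hep/boost-histogram`, which fails if the file's digest has no matching attestation from that repository.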