mirror of
https://github.com/pypa/gh-action-pypi-publish.git
synced 2024-11-21 16:11:01 -05:00
📝 Reflect the PR #277 changes in README
Some checks failed
🧪 / smoke-test (push) Has been cancelled
Some checks failed
🧪 / smoke-test (push) Has been cancelled
This makes minimum modifications to indicate that `attestations` is not on by default.
This commit is contained in:
Sviatoslav Sydorenko
parent
72ead1a85a
commit
fb13cb3069
1 changed files with 6 additions and 5 deletions
11
README.md
11
README.md
|
|
@ -111,16 +111,17 @@ filter to the job:
|
|||
> Generating and uploading digital attestations currently requires
|
||||
> authentication with a [trusted publisher].
|
||||
|
||||
You can generate signed [digital attestations] for all the distribution files and
|
||||
upload them all together by enabling the `attestations` setting:
|
||||
Generating signed [digital attestations] for all the distribution files
|
||||
and uploading them all together is now on by default for all projects
|
||||
using Trusted Publishing. To disable it, set `attestations` as follows:
|
||||
|
||||
```yml
|
||||
with:
|
||||
attestations: true
|
||||
attestations: false
|
||||
```
|
||||
|
||||
This will use [Sigstore] to create attestation
|
||||
objects for each distribution package, signing them with the identity provided
|
||||
The attestation objects are created using [Sigstore] for each
|
||||
distribution package, signing them with the identity provided
|
||||
by the GitHub's OIDC token associated with the current workflow. This means
|
||||
both the trusted publishing authentication and the attestations are tied to the
|
||||
same identity.
|
||||
|
|
|
|||
Loading…
Reference in a new issue