mirror of
https://github.com/pypa/gh-action-pypi-publish.git
synced 2024-11-24 17:40:59 -05:00
📝 Reflect the PR #277 changes in README
Some checks failed
🧪 / smoke-test (push) Has been cancelled
Some checks failed
🧪 / smoke-test (push) Has been cancelled
This makes minimum modifications to indicate that `attestations` is not on by default.
This commit is contained in:
parent
72ead1a85a
commit
fb13cb3069
1 changed files with 6 additions and 5 deletions
11
README.md
11
README.md
|
@ -111,16 +111,17 @@ filter to the job:
|
||||||
> Generating and uploading digital attestations currently requires
|
> Generating and uploading digital attestations currently requires
|
||||||
> authentication with a [trusted publisher].
|
> authentication with a [trusted publisher].
|
||||||
|
|
||||||
You can generate signed [digital attestations] for all the distribution files and
|
Generating signed [digital attestations] for all the distribution files
|
||||||
upload them all together by enabling the `attestations` setting:
|
and uploading them all together is now on by default for all projects
|
||||||
|
using Trusted Publishing. To disable it, set `attestations` as follows:
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
with:
|
with:
|
||||||
attestations: true
|
attestations: false
|
||||||
```
|
```
|
||||||
|
|
||||||
This will use [Sigstore] to create attestation
|
The attestation objects are created using [Sigstore] for each
|
||||||
objects for each distribution package, signing them with the identity provided
|
distribution package, signing them with the identity provided
|
||||||
by the GitHub's OIDC token associated with the current workflow. This means
|
by the GitHub's OIDC token associated with the current workflow. This means
|
||||||
both the trusted publishing authentication and the attestations are tied to the
|
both the trusted publishing authentication and the attestations are tied to the
|
||||||
same identity.
|
same identity.
|
||||||
|
|
Loading…
Reference in a new issue