mirror of
https://github.com/pypa/gh-action-pypi-publish.git
synced 2024-10-06 11:24:15 -04:00
8a08d61689
Some checks failed
🧪 / smoke-test (push) Has been cancelled
PR #236 This patch adds PEP 740 attestation generation to the workflow: when the Trusted Publishing flow is used, this will generate a publish attestation for each distribution being uploaded. These generated attestations are then fed into `twine`, which newly supports them via `--attestations`. Ref: https://github.com/pypi/warehouse/issues/15871
14 lines
396 B
Text
14 lines
396 B
Text
twine
|
|
|
|
# NOTE: Used to detect an ambient OIDC credential for OIDC publishing,
|
|
# NOTE: as well as PEP 740 attestations.
|
|
id ~= 1.0
|
|
|
|
# NOTE: This is pulled in transitively through `twine`, but we also declare
|
|
# NOTE: it explicitly here because `oidc-exchange.py` uses it.
|
|
# Ref: https://github.com/di/id
|
|
requests
|
|
|
|
# NOTE: Used to generate attestations.
|
|
pypi-attestations ~= 0.0.11
|
|
sigstore ~= 3.2.0
|