Closed
Description
What's the problem this feature will solve?
gh-action-pypi-publish is now advertising that you can use PEP 740 attestations, which are now on by default. This is not documented or explained anywhere.
Describe the solution you'd like
Neither https://docs.pypi.org/trusted-publishers/using-a-publisher/ nor https://docs.pypi.org/trusted-publishers/security-model/ describes PEP 740 or what attestations do.
https://pypi.org/help/ does not mention it either.
I don't see any indication of how to upload attestations (though I understand it's on by default now, so probably I don't need to do anything). I also don't see any indication of where the attestations go and how to verify that they exist and are correct.