From f3dd93ad8d62eb0a260d3090f31be82aafbcff13 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 08:20:32 -0300 Subject: [PATCH] [8.2.x] Attest package provenance (#12335) Co-authored-by: Bruno Oliveira --- .github/workflows/deploy.yml | 9 ++++++++- .github/workflows/test.yml | 2 +- changelog/12333.trivial.rst | 1 + 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 changelog/12333.trivial.rst diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index cc0e6331d45..20a72270fde 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -19,6 +19,11 @@ jobs: SETUPTOOLS_SCM_PRETEND_VERSION: ${{ github.event.inputs.version }} timeout-minutes: 10 + # Required by attest-build-provenance-github. + permissions: + id-token: write + attestations: write + steps: - uses: actions/checkout@v4 with: @@ -26,7 +31,9 @@ jobs: persist-credentials: false - name: Build and Check Package - uses: hynek/build-and-inspect-python-package@v2.4.0 + uses: hynek/build-and-inspect-python-package@v2.5.0 + with: + attest-build-provenance-github: 'true' deploy: if: github.repository == 'pytest-dev/pytest' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4434740675e..df801864fd8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -35,7 +35,7 @@ jobs: fetch-depth: 0 persist-credentials: false - name: Build and Check Package - uses: hynek/build-and-inspect-python-package@v2.4.0 + uses: hynek/build-and-inspect-python-package@v2.5.0 build: needs: [package] diff --git a/changelog/12333.trivial.rst b/changelog/12333.trivial.rst new file mode 100644 index 00000000000..32c4c5771a7 --- /dev/null +++ b/changelog/12333.trivial.rst @@ -0,0 +1 @@ +pytest releases are now attested using the recent `Artifact Attestation ` support from GitHub, allowing users to verify the provenance of pytest's sdist and wheel artifacts.