
Attach wheel, sdist, and PEP 740 attestations to GitHub release #151

Merged: timlnx merged 1 commit into master from attach-signed-artifacts-to-release on May 25, 2026

Conversation

@timlnx (Owner) commented May 25, 2026

Summary

  • Scorecard's Signed-Releases check inspects GitHub release assets, not PyPI. Today the release page carries only the CycloneDX SBOM, so the check reports the release as unsigned even though PyPI has full PEP 740 attestations.
  • pypa/gh-action-pypi-publish already writes <dist>.publish.attestation files into dist/ (attestations are on by default in the pinned version).
  • Extend the existing release-upload step to attach the wheel, sdist, all .publish.attestation files, and the SBOM in one shot. Scorecard recognizes .publish.attestation as PEP 740 provenance.

Effect

  • Next release's GitHub release page will mirror what PyPI carries: distributable artifacts, sigstore-backed PEP 740 attestations, SBOM.
  • Scorecard Signed-Releases check should turn green on the next release. v2.1.0 stays warned until it ages out of the 5-release scan window (no backfill in this PR).

Test plan

  • Merge
  • Cut next release (whatever it ends up being)
  • Confirm GH release page has .whl, .tar.gz, two .publish.attestation files, plus the SBOM
  • Recheck Scorecard Signed-Releases result

OpenSSF Scorecard's Signed-Releases check only inspects GitHub release
assets, not PyPI. Today the release page only carries the CycloneDX
SBOM, so Scorecard reports the release as unsigned and lacking
provenance even though PyPI has full PEP 740 attestations.

pypa/gh-action-pypi-publish writes <dist>.publish.attestation files
next to each wheel and sdist when attestations are enabled (the
action's default). Surface those files, plus the wheel and sdist
themselves, by extending the existing release-upload step to attach
everything in one shot. Scorecard recognizes .publish.attestation as
PEP 740 provenance and the check will pass on the next release.

The release page now mirrors what PyPI carries: artifacts, signatures,
and the SBOM. No new workflow steps, no new dependencies; just a wider
upload glob in the step that already runs.
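The PR widens the upload glob of an existing release step but does not show the step itself. The shell below is an added example, not the project's workflow code: it assembles the asset list (wheels, sdists, their `<dist>.publish.attestation` sidecars, and the SBOM) and refuses to upload if any wheel or sdist is missing its attestation, so a release never lands on GitHub without the provenance Scorecard looks for. The `dist/` layout, the SBOM path, the `gh release upload` invocation and all function names are assumptions; the sidecar naming follows what pypa/gh-action-pypi-publish writes.

```shell
#!/usr/bin/env bash
# Added example, not the project's own release step. Assumes distributions and
# their PEP 740 sidecars live in one dist/ directory, named <file>.publish.attestation
# (the pypa/gh-action-pypi-publish convention), and that `gh` is authenticated.

# Print every release asset, one per line: wheels, sdists, attestation sidecars,
# then the SBOM. Arguments: dist directory, SBOM file path. Missing globs are skipped.
collect_release_assets() {
  local dist_dir="$1" sbom="$2" f
  for f in "$dist_dir"/*.whl "$dist_dir"/*.tar.gz "$dist_dir"/*.publish.attestation; do
    [ -e "$f" ] && printf '%s\n' "$f"
  done
  [ -e "$sbom" ] && printf '%s\n' "$sbom"
  return 0
}

# Return 0 only if every wheel and sdist has a non-empty attestation sidecar.
# Each unsigned distribution is named on stderr so the workflow log shows what is missing.
check_attestations() {
  local dist_dir="$1" missing=0 f
  for f in "$dist_dir"/*.whl "$dist_dir"/*.tar.gz; do
    [ -e "$f" ] || continue
    if [ ! -s "$f.publish.attestation" ]; then
      echo "missing attestation for ${f##*/}" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Release step: gate on the attestation check, then hand the full asset list to gh.
# --clobber lets a re-run replace assets that were already attached to the tag.
upload_release_assets() {
  local tag="$1" dist_dir="$2" sbom="$3"
  check_attestations "$dist_dir" || return 1
  collect_release_assets "$dist_dir" "$sbom" | xargs gh release upload "$tag" --clobber
}

# Example invocation inside a workflow step (GITHUB_REF_NAME is the release tag):
#   upload_release_assets "$GITHUB_REF_NAME" dist sbom.cdx.json
```

Running the attestation check before the upload, rather than relying on the glob alone, is what turns the wider glob into a guarantee: if the publish action ever runs with attestations disabled, the release step fails loudly instead of quietly shipping unsigned wheels.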

@timlnx (Owner, Author) commented May 25, 2026

RPMs are flaking until the version is fixed

@timlnx timlnx merged commit 7781b96 into master May 25, 2026
38 of 69 checks passed
@timlnx timlnx deleted the attach-signed-artifacts-to-release branch May 25, 2026 13:16