From 78410097985b9ab6a5075edbed8f43a283770b46 Mon Sep 17 00:00:00 2001 From: Tim Case Date: Mon, 25 May 2026 08:07:38 -0500 Subject: [PATCH] Attach wheel, sdist, and PEP 740 attestations to GitHub release OpenSSF Scorecard's Signed-Releases check only inspects GitHub release assets, not PyPI. Today the release page only carries the CycloneDX SBOM, so Scorecard reports the release as unsigned and lacking provenance even though PyPI has full PEP 740 attestations. pypa/gh-action-pypi-publish writes .publish.attestation files next to each wheel and sdist when attestations are enabled (the action's default). Surface those files, plus the wheel and sdist themselves, by extending the existing release-upload step to attach everything in one shot. Scorecard recognizes .publish.attestation as PEP 740 provenance and the check will pass on the next release. The release page now mirrors what PyPI carries: artifacts, signatures, and the SBOM. No new workflow steps, no new dependencies; just a wider upload glob in the step that already runs. --- .github/workflows/publish.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2682cf9..c3ae206 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -79,9 +79,16 @@ jobs: with: packages-dir: dist/ skip-existing: false - - name: Attach SBOM to GitHub Release + - name: Attach release artifacts to GitHub Release + # The .publish.attestation files are what Scorecard's Signed-Releases + # check looks for; it inspects GitHub release assets, not PyPI. env: GH_TOKEN: ${{ github.token }} run: | TAG="${GITHUB_REF#refs/tags/}" - gh release upload "$TAG" sbom/bitmath-*.cdx.json --clobber --repo "$GITHUB_REPOSITORY" + gh release upload "$TAG" \ + dist/bitmath-*.whl \ + dist/bitmath-*.tar.gz \ + dist/bitmath-*.publish.attestation \ + sbom/bitmath-*.cdx.json \ + --clobber --repo "$GITHUB_REPOSITORY"
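Review bot: The new `dist/bitmath-*.publish.attestation` glob in the upload step assumes the preceding publish step actually wrote attestation files; the commit message notes they are only produced when attestations are enabled in pypa/gh-action-pypi-publish, and if that ever changes (or the publish step is skipped on a re-run) bash will pass the unmatched pattern literally and `gh release upload` will fail with a confusing missing-file error. Suggest adding an explicit presence check before the upload, e.g. `ls dist/bitmath-*.publish.attestation` (or a short `test -n "$(ls dist/*.publish.attestation 2>/dev/null)"`), so the job fails with a clear "no attestations in dist/" message rather than silently dropping the provenance Scorecard is meant to see; avoid `nullglob` here, since that would let the step succeed while uploading an unsigned release. Also worth stating in the step comment that `--clobber` means a re-run of the workflow replaces previously uploaded wheel, sdist and attestation assets, which is the intended behaviour but is now a larger blast radius than when only the SBOM was attached.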