ci: Add GitHub artifact attestations to package distribution (#151)

* Add generation of GitHub artifact attestations to built sdist and wheel before upload. c.f.: - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
recast-hep · Jun 17, 2024 · 3938a26 · 3938a26
1 parent f94aa65
commit 3938a26
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -14,10 +14,16 @@ on:
     types: [published]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build Python distribution
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
 
     steps:
 
@@ -51,6 +57,16 @@ jobs:
     - name: List contents of wheel
       run: python -m zipfile --list dist/recast_atlas-*.whl
 
+    - name: Generate artifact attestation for sdist and wheel
+      # If publishing to TestPyPI or PyPI
+      if: >-
+        (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'recast-hep/recast-atlas')
+        || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'recast-hep/recast-atlas')
+        || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'recast-hep/recast-atlas')
+      uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1
+      with:
+        subject-path: "dist/recast_atlas-*"
+
     - name: Upload distribution artifact
       uses: actions/upload-artifact@v4
       with: