actions
/
gh-action-pypi-publish
Template
mirror of https://github.com/pypa/gh-action-pypi-publish
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

📝 Reflect the PR #277 changes in README 

This makes minimum modifications to indicate that `attestations` is
not on by default.
This commit is contained in:
Sviatoslav Sydorenko 2024-10-30 02:20:55 +01:00
parent 72ead1a85a
commit fb13cb3069
No known key found for this signature in database
GPG Key ID: 9345E8FEA89CA455
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@ -111,16 +111,17 @@ filter to the job:
> Generating and uploading digital attestations currently requires
> authentication with a [trusted publisher].
You can generate signed [digital attestations] for all the distribution files and
upload them all together by enabling the `attestations` setting:
Generating signed [digital attestations] for all the distribution files
and uploading them all together is now on by default for all projects
using Trusted Publishing. To disable it, set `attestations` as follows:
```yml
with:
attestations: true
attestations: false
```
This will use [Sigstore] to create attestation
objects for each distribution package, signing them with the identity provided
The attestation objects are created using [Sigstore] for each
distribution package, signing them with the identity provided
by the GitHub's OIDC token associated with the current workflow. This means
both the trusted publishing authentication and the attestations are tied to the
same identity.