📝 Reflect the PR #277 changes in README

This makes minimum modifications to indicate that `attestations` is
not on by default.
Sviatoslav Sydorenko 2024-10-30 02:20:55 +01:00
parent 72ead1a85a
commit fb13cb3069
No known key found for this signature in database
GPG Key ID: 9345E8FEA89CA455
1 changed files with 6 additions and 5 deletions


@ -111,16 +111,17 @@ filter to the job:
> Generating and uploading digital attestations currently requires > Generating and uploading digital attestations currently requires
> authentication with a [trusted publisher]. > authentication with a [trusted publisher].
You can generate signed [digital attestations] for all the distribution files and Generating signed [digital attestations] for all the distribution files
upload them all together by enabling the `attestations` setting: and uploading them all together is now on by default for all projects
using Trusted Publishing. To disable it, set `attestations` as follows:
```yml ```yml
with: with:
attestations: true attestations: false
``` ```
This will use [Sigstore] to create attestation The attestation objects are created using [Sigstore] for each
objects for each distribution package, signing them with the identity provided distribution package, signing them with the identity provided
by the GitHub's OIDC token associated with the current workflow. This means by the GitHub's OIDC token associated with the current workflow. This means
both the trusted publishing authentication and the attestations are tied to the both the trusted publishing authentication and the attestations are tied to the
same identity. same identity.
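Review bot: The commit message ("indicate that `attestations` is not on by default") contradicts the new README text in this hunk, which states that attestation generation "is now on by default for all projects using Trusted Publishing"; one of the two should be corrected before merge so the history matches the documented behaviour. A second documentation gap: the retained note "Generating and uploading digital attestations currently requires authentication with a [trusted publisher]" is now followed by text that only describes the Trusted Publishing default and how to set `attestations: false`, so a reader uploading with an API token or password is left to infer what the default is for them; a short sentence stating that the on-by-default behaviour applies only to Trusted Publishing uploads would close that gap. Minor: the replaced sentence now reads "To disable it, set `attestations` as follows:" but the fenced block is still tagged `yml`; the rest of the README should use the same tag consistently (`yml` or `yaml`).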