Merge 54e5a03d42 into fb13cb3069

📝 Reflect the PR #277 changes in README
This makes minimum modifications to indicate that `attestations` is not on by default.
2024-11-30 21:22:28 +08:00 · 2024-10-30 02:25:03 +01:00 · 2024-10-30 02:20:55 +01:00 · 2024-10-30 02:04:39 +01:00 · 2024-10-28 14:31:58 -04:00 · 2024-10-28 14:29:41 -04:00
4 changed files with 14 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -111,16 +111,17 @@ filter to the job:
 > Generating and uploading digital attestations currently requires
 > authentication with a [trusted publisher].

-You can generate signed [digital attestations] for all the distribution files and
-upload them all together by enabling the `attestations` setting:
+Generating signed [digital attestations] for all the distribution files
+and uploading them all together is now on by default for all projects
+using Trusted Publishing. To disable it, set `attestations` as follows:

 ```yml
   with:
-     attestations: true
+     attestations: false
 ```

-This will use [Sigstore] to create attestation
-objects for each distribution package, signing them with the identity provided
+The attestation objects are created using [Sigstore] for each
+distribution package, signing them with the identity provided
 by the GitHub's OIDC token associated with the current workflow. This means
 both the trusted publishing authentication and the attestations are tied to the
 same identity.
--- a/action.yml
+++ b/action.yml
@ -86,7 +86,7 @@ inputs:
      Enable experimental support for PEP 740 attestations.
      Only works with PyPI and TestPyPI via Trusted Publishing.
    required: false
-    default: 'false'
+    default: 'true'
 branding:
  color: yellow
  icon: upload-cloud
--- a/requirements/runtime.in
+++ b/requirements/runtime.in
@ -10,8 +10,8 @@ id ~= 1.0
 requests

 # NOTE: Used to generate attestations.
-pypi-attestations ~= 0.0.12
-sigstore ~= 3.2.0
+pypi-attestations ~= 0.0.13
+sigstore ~= 3.5.1

 # NOTE: Used to detect the PyPI package name from the distribution files
 packaging
--- a/requirements/runtime.txt
+++ b/requirements/runtime.txt
@ -72,7 +72,9 @@ pkginfo==1.10.0
 platformdirs==4.2.2
    # via sigstore
 pyasn1==0.6.0
-    # via sigstore
+    # via
+    #   pypi-attestations
+    #   sigstore
 pycparser==2.22
    # via cffi
 pydantic==2.7.1
@ -91,7 +93,7 @@ pyjwt==2.8.0
    # via sigstore
 pyopenssl==24.1.0
    # via sigstore
-pypi-attestations==0.0.12
+pypi-attestations==0.0.13
    # via -r runtime.in
 python-dateutil==2.9.0.post0
    # via betterproto
@ -117,7 +119,7 @@ rich==13.7.1
    #   twine
 securesystemslib==1.0.0
    # via tuf
-sigstore==3.2.0
+sigstore==3.5.1
    # via
    #   -r runtime.in
    #   pypi-attestations
Author	SHA1	Message	Date
Brendon Smith	438644dd34	Merge `54e5a03d42` into `fb13cb3069`	2024-10-30 02:25:03 +01:00
Sviatoslav Sydorenko	fb13cb3069	📝 Reflect the PR #277 changes in README This makes minimum modifications to indicate that `attestations` is not on by default.	2024-10-30 02:20:55 +01:00
Sviatoslav Sydorenko	72ead1a85a	Merge PRs #276 and #277 into release/v1	2024-10-30 02:04:39 +01:00
William Woodruff	0126dcac8e	action: enable attestations by default Signed-off-by: William Woodruff <william@trailofbits.com>	2024-10-28 14:31:58 -04:00
William Woodruff	335e8b00ae	bump sigstore==3.5.1 Signed-off-by: William Woodruff <william@trailofbits.com>	2024-10-28 14:29:41 -04:00
William Woodruff	1545e96dcb	requirements: bump sigstore, pypi-attestations Signed-off-by: William Woodruff <william@trailofbits.com>	2024-10-22 12:40:04 -04:00