mirror of
https://github.com/pypa/gh-action-pypi-publish
synced 2024-11-30 21:22:28 +08:00
Compare commits
1 Commits
438644dd34
...
3b32042864
| Author | SHA1 | Date | |
|---|---|---|---|
|
3b32042864 |
11
README.md
11
README.md
@ -111,17 +111,16 @@ filter to the job:
|
|||||||
> Generating and uploading digital attestations currently requires
|
> Generating and uploading digital attestations currently requires
|
||||||
> authentication with a [trusted publisher].
|
> authentication with a [trusted publisher].
|
||||||
|
|
||||||
Generating signed [digital attestations] for all the distribution files
|
You can generate signed [digital attestations] for all the distribution files and
|
||||||
and uploading them all together is now on by default for all projects
|
upload them all together by enabling the `attestations` setting:
|
||||||
using Trusted Publishing. To disable it, set `attestations` as follows:
|
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
with:
|
with:
|
||||||
attestations: false
|
attestations: true
|
||||||
```
|
```
|
||||||
|
|
||||||
The attestation objects are created using [Sigstore] for each
|
This will use [Sigstore] to create attestation
|
||||||
distribution package, signing them with the identity provided
|
objects for each distribution package, signing them with the identity provided
|
||||||
by the GitHub's OIDC token associated with the current workflow. This means
|
by the GitHub's OIDC token associated with the current workflow. This means
|
||||||
both the trusted publishing authentication and the attestations are tied to the
|
both the trusted publishing authentication and the attestations are tied to the
|
||||||
same identity.
|
same identity.
|
||||||
|
|||||||
@ -86,7 +86,7 @@ inputs:
|
|||||||
Enable experimental support for PEP 740 attestations.
|
Enable experimental support for PEP 740 attestations.
|
||||||
Only works with PyPI and TestPyPI via Trusted Publishing.
|
Only works with PyPI and TestPyPI via Trusted Publishing.
|
||||||
required: false
|
required: false
|
||||||
default: 'true'
|
default: 'false'
|
||||||
branding:
|
branding:
|
||||||
color: yellow
|
color: yellow
|
||||||
icon: upload-cloud
|
icon: upload-cloud
|
||||||
|
|||||||
@ -10,8 +10,8 @@ id ~= 1.0
|
|||||||
requests
|
requests
|
||||||
|
|
||||||
# NOTE: Used to generate attestations.
|
# NOTE: Used to generate attestations.
|
||||||
pypi-attestations ~= 0.0.13
|
pypi-attestations ~= 0.0.12
|
||||||
sigstore ~= 3.5.1
|
sigstore ~= 3.2.0
|
||||||
|
|
||||||
# NOTE: Used to detect the PyPI package name from the distribution files
|
# NOTE: Used to detect the PyPI package name from the distribution files
|
||||||
packaging
|
packaging
|
||||||
|
|||||||
@ -72,9 +72,7 @@ pkginfo==1.10.0
|
|||||||
platformdirs==4.2.2
|
platformdirs==4.2.2
|
||||||
# via sigstore
|
# via sigstore
|
||||||
pyasn1==0.6.0
|
pyasn1==0.6.0
|
||||||
# via
|
# via sigstore
|
||||||
# pypi-attestations
|
|
||||||
# sigstore
|
|
||||||
pycparser==2.22
|
pycparser==2.22
|
||||||
# via cffi
|
# via cffi
|
||||||
pydantic==2.7.1
|
pydantic==2.7.1
|
||||||
@ -93,7 +91,7 @@ pyjwt==2.8.0
|
|||||||
# via sigstore
|
# via sigstore
|
||||||
pyopenssl==24.1.0
|
pyopenssl==24.1.0
|
||||||
# via sigstore
|
# via sigstore
|
||||||
pypi-attestations==0.0.13
|
pypi-attestations==0.0.12
|
||||||
# via -r runtime.in
|
# via -r runtime.in
|
||||||
python-dateutil==2.9.0.post0
|
python-dateutil==2.9.0.post0
|
||||||
# via betterproto
|
# via betterproto
|
||||||
@ -119,7 +117,7 @@ rich==13.7.1
|
|||||||
# twine
|
# twine
|
||||||
securesystemslib==1.0.0
|
securesystemslib==1.0.0
|
||||||
# via tuf
|
# via tuf
|
||||||
sigstore==3.5.1
|
sigstore==3.2.0
|
||||||
# via
|
# via
|
||||||
# -r runtime.in
|
# -r runtime.in
|
||||||
# pypi-attestations
|
# pypi-attestations
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user