Merge 54e5a03d42 into f7600683ef

2024-11-30 21:22:28 +08:00 · 2024-10-04 18:43:22 -04:00
4 changed files with 11 additions and 14 deletions
--- a/README.md
+++ b/README.md
@ -111,17 +111,16 @@ filter to the job:
 > Generating and uploading digital attestations currently requires
 > authentication with a [trusted publisher].

-Generating signed [digital attestations] for all the distribution files
-and uploading them all together is now on by default for all projects
-using Trusted Publishing. To disable it, set `attestations` as follows:
+You can generate signed [digital attestations] for all the distribution files and
+upload them all together by enabling the `attestations` setting:

 ```yml
   with:
-     attestations: false
+     attestations: true
 ```

-The attestation objects are created using [Sigstore] for each
-distribution package, signing them with the identity provided
+This will use [Sigstore] to create attestation
+objects for each distribution package, signing them with the identity provided
 by the GitHub's OIDC token associated with the current workflow. This means
 both the trusted publishing authentication and the attestations are tied to the
 same identity.
--- a/action.yml
+++ b/action.yml
@ -86,7 +86,7 @@ inputs:
      Enable experimental support for PEP 740 attestations.
      Only works with PyPI and TestPyPI via Trusted Publishing.
    required: false
-    default: 'true'
+    default: 'false'
 branding:
  color: yellow
  icon: upload-cloud
--- a/requirements/runtime.in
+++ b/requirements/runtime.in
@ -10,8 +10,8 @@ id ~= 1.0
 requests

 # NOTE: Used to generate attestations.
-pypi-attestations ~= 0.0.13
-sigstore ~= 3.5.1
+pypi-attestations ~= 0.0.12
+sigstore ~= 3.2.0

 # NOTE: Used to detect the PyPI package name from the distribution files
 packaging
--- a/requirements/runtime.txt
+++ b/requirements/runtime.txt
@ -72,9 +72,7 @@ pkginfo==1.10.0
 platformdirs==4.2.2
    # via sigstore
 pyasn1==0.6.0
-    # via
-    #   pypi-attestations
-    #   sigstore
+    # via sigstore
 pycparser==2.22
    # via cffi
 pydantic==2.7.1
@ -93,7 +91,7 @@ pyjwt==2.8.0
    # via sigstore
 pyopenssl==24.1.0
    # via sigstore
-pypi-attestations==0.0.13
+pypi-attestations==0.0.12
    # via -r runtime.in
 python-dateutil==2.9.0.post0
    # via betterproto
@ -119,7 +117,7 @@ rich==13.7.1
    #   twine
 securesystemslib==1.0.0
    # via tuf
-sigstore==3.5.1
+sigstore==3.2.0
    # via
    #   -r runtime.in
    #   pypi-attestations