release: enable PEP 740 attestations (#291)

This enables attestation generation while uploading, and removes the old gh-action-sigstore step that only produces bundles on the GitHub release. Signed-off-by: William Woodruff <[email protected]> Co-authored-by: Dustin Ingram <[email protected]>
di · Nov 6, 2024 · cb18851 · cb18851
1 parent b4f38c7
commit cb18851
Showing 1 changed file with 2 additions and 8 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -64,7 +64,7 @@ jobs:
     needs: [build, generate-provenance]
     runs-on: ubuntu-latest
     permissions:
-      id-token: write # To upload via OIDC.
+      id-token: write # To upload via OIDC + generate attestations.
     steps:
       - name: Download artifacts directories # goes to current working directory
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -73,24 +73,18 @@ jobs:
         uses: pypa/gh-action-pypi-publish@61da13deb5f5124fb1536194f82ed3d9bbc7e8f3 # v1.12.0
         with:
           packages-dir: built-packages/
+          attestations: true
 
   release-github:
     needs: [build, generate-provenance]
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload release assets.
       contents: write
-      # Needed to sign release assets.
-      id-token: write
     steps:
       - name: Download artifacts directories # goes to current working directory
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 
-      - name: Sign artifacts
-        uses: sigstore/[email protected]
-        with:
-          inputs: ./built-packages/*.tar.gz ./built-packages/*.whl
-
       - name: Upload artifacts to GitHub
         # Confusingly, this action also supports updating releases, not
         # just creating them. This is what we want here, since we've manually