Generate digital attestations for PyPI (PEP 740) #198
Conversation
    with:
      attestations: true
So this is what actually generates the attestations, and even though the feature is still experimental we can still enable it here (and in the other repos) and let gh-action-pypi-publish deal with potential API changes, right?
I guess the other changes are unrelated, but it was convenient to bundle them together.
Yes, pretty much. There's a chance we may need to change config here too, but gh-action-pypi-publish should deal with most of it.
Just out of curiosity, do you know what caused the changes below?
Some of them seem backward, at least coming from Python (e.g. removing the double space before # and adding spaces within [] and {}).
They nearly all came from the pyproject-fmt upgrade from 1.x to 2.x.
We needed to bump actionlint so it wouldn't fail on the new attestations config, then I updated the other pre-commit at the same time.
One pyproject-fmt change is to align all the comments. Before, we just so happened to manually align them. Now, it automatically does it. I'm not sure why pyproject-fmt chose a single space, but it's a TOML file, not a Python file.
(Looks like it's using this TOML formatter which has align_comments but no option for how many spaces.)
I manually adjusted this into a single line:
include = [
"python_docs_theme/",
]
to:
include = [ "python_docs_theme/" ]
The extra spaces are also from pyproject-fmt, and common in examples in the spec: https://toml.io/en/v1.0.0
Again, this is TOML, not Python. I guess I might slightly prefer a more Python-y style, but having an autoformatter keep things consistent, and easier to compare across projects, is much more valuable for me.
Yep, I figured that TOML might be following different conventions, and it makes sense to be consistent with those.
Thanks for looking into this!
PEP 740 ("Index support for digital attestations") introduces signatures which link the PyPI package to the GitHub repo, and help users verify the source and authenticity of packages.
PyPI is still implementing support, but we can already start using it, which should also help them test it out.
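For context on where the `attestations: true` input discussed in this PR sits, here is a complete release workflow as an added example. It is not the project's own workflow file; the workflow name, the release trigger, the build job and the `pypi` environment name are assumptions, and the action versions are the current major tags of the upstream actions.

```yaml
# Added example, not the project's workflow: build an sdist and wheel, then
# publish to PyPI via Trusted Publishing with PEP 740 attestations enabled.
# Workflow name, trigger, job layout and the "pypi" environment are assumptions.
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install build
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Deployment environment (assumed name) that is registered as the trusted
    # publisher on PyPI; keeping it separate from the build job limits the scope
    # in which the OIDC token is available.
    environment: pypi
    permissions:
      # id-token: write lets the job request a GitHub OIDC token. The action
      # uses it both for Trusted Publishing (no long-lived API token in secrets)
      # and for the keyless Sigstore signing that produces the attestation.
      id-token: write
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # The setting this PR adds: generate PEP 740 attestations for each
          # distribution file and upload them alongside it.
          attestations: true
```

The security-relevant piece is the pairing of `id-token: write` with `attestations: true`: the attestation is signed with the same short-lived OIDC identity that Trusted Publishing uses, so what ends up on PyPI is a statement tying the uploaded file's digest to this repository and workflow rather than to a static credential. If the `id-token: write` permission is missing, neither Trusted Publishing nor attestation generation can obtain the token and the publish step fails, which is a useful check that the workflow is configured as intended.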