ci: Add GitHub artifact attestations to package distribution

matthewfeickert · matthewfeickert · commit 427fe83f5c92 · 2024-05-21T18:47:19.000-05:00
* Add generation of GitHub artifact attestations to built sdist and wheel before upload. c.f.: - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
@@ -199,6 +199,8 @@ jobs:
     environment: release
     permissions:
       id-token: write
+      attestations: write
+      contents: read
     steps:
       - name: Download packages
         uses: actions/download-artifact@v4
@@ -210,5 +212,10 @@ jobs:
       - name: Print out packages
         run: ls dist
 
+      - name: Generate artifact attestation for sdist and wheel
+      uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      with:
+        subject-path: dist/matplotlib-*
+
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450  # v1.8.14
