From 5d1d64dd0ca5005b9628cedf3ab46dd45eceb689 Mon Sep 17 00:00:00 2001
From: Matthew Feickert <matthew.feickert@cern.ch>
Date: Tue, 21 May 2024 19:01:40 -0500
Subject: [PATCH 1/2] MNT: Update pre-commit hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/python-jsonschema/check-jsonschema: 0.28.1 → 0.28.4](https://github.com/python-jsonschema/check-jsonschema/compare/0.28.1...0.28.4)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2dc1ca5352c0..14817e95929f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -79,7 +79,7 @@ repos:
       - id: yamllint
         args: ["--strict", "--config-file=.yamllint.yml"]
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.1
+    rev: 0.28.4
     hooks:
       # TODO: Re-enable this when https://github.com/microsoft/azure-pipelines-vscode/issues/567 is fixed.
       # - id: check-azure-pipelines

From a5e6e93ca7397683ea91b914ce2bddbec3ffd7ba Mon Sep 17 00:00:00 2001
From: Matthew Feickert <matthew.feickert@cern.ch>
Date: Tue, 21 May 2024 18:47:19 -0500
Subject: [PATCH 2/2] CI: Add GitHub artifact attestations to package
 distribution

* Add generation of GitHub artifact attestations to built sdist and wheel before upload. c.f.:
   - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
   - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
---
 .github/workflows/cibuildwheel.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index 2fa9569f3fb6..04c70a767ce0 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -189,6 +189,8 @@ jobs:
     environment: release
     permissions:
       id-token: write
+      attestations: write
+      contents: read
     steps:
       - name: Download packages
         uses: actions/download-artifact@v4
@@ -200,5 +202,10 @@ jobs:
       - name: Print out packages
         run: ls dist
 
+      - name: Generate artifact attestation for sdist and wheel
+        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d  # v1.1.2
+        with:
+          subject-path: dist/matplotlib-*
+
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450  # v1.8.14