CI: Add GitHub artifact attestations to package distribution

matthewfeickert · matthewfeickert · commit a5e6e93ca739 · 2024-05-27T14:53:34.000-05:00
* Add generation of GitHub artifact attestations to built sdist and wheel before upload. c.f.: - https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ - https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
@@ -189,6 +189,8 @@ jobs:
     environment: release
     permissions:
       id-token: write
+      attestations: write
+      contents: read
     steps:
       - name: Download packages
         uses: actions/download-artifact@v4
@@ -200,5 +202,10 @@ jobs:
       - name: Print out packages
         run: ls dist
 
+      - name: Generate artifact attestation for sdist and wheel
+        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d  # v1.1.2
+        with:
+          subject-path: dist/matplotlib-*
+
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450  # v1.8.14
