Expose PEP 740 attestations functionality
PR #236 This patch adds PEP 740 attestation generation to the workflow: when the Trusted Publishing flow is used, this will generate a publish attestation for each distribution being uploaded. These generated attestations are then fed into `twine`, which newly supports them via `--attestations`. Ref: https://github.com/pypi/warehouse/issues/15871
@@ -1,9 +1,14 @@
|
||||
twine
|
||||
|
||||
# NOTE: Used to detect an ambient OIDC credential for OIDC publishing.
|
||||
# NOTE: Used to detect an ambient OIDC credential for OIDC publishing,
|
||||
# NOTE: as well as PEP 740 attestations.
|
||||
id ~= 1.0
|
||||
|
||||
# NOTE: This is pulled in transitively through `twine`, but we also declare
|
||||
# NOTE: it explicitly here because `oidc-exchange.py` uses it.
|
||||
# Ref: https://github.com/di/id
|
||||
requests
|
||||
|
||||
# NOTE: Used to generate attestations.
|
||||
pypi-attestations ~= 0.0.11
|
||||
sigstore ~= 3.2.0
|
||||
|
||||
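Review bot: The two entries added under `# NOTE: Used to generate attestations.` put a signing stack into the same environment that handles the ambient OIDC credential, yet the comment does not say why `sigstore` is declared directly when the lock section shows it also arriving via `pypi-attestations`. A comment in the style of the `requests` entry would help, e.g. `# NOTE: sigstore also comes in through pypi-attestations; declared explicitly because the attestation step uses it directly` (presumably; confirm against the script that generates the attestations). `pypi-attestations ~= 0.0.11` admits any later 0.0.x release when the lock is refreshed, so for a pre-1.0 package in the signing path it is worth noting that lock regenerations need review. The resolved pins further down carry no `--hash` entries as rendered here; compiling the lock with `pip-compile --generate-hashes` would let pip verify each newly added transitive package at install time.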
@@ -6,16 +6,41 @@
|
||||
#
|
||||
annotated-types==0.6.0
|
||||
# via pydantic
|
||||
betterproto==2.0.0b6
|
||||
# via sigstore-protobuf-specs
|
||||
certifi==2024.2.2
|
||||
# via requests
|
||||
cffi==1.16.0
|
||||
# via cryptography
|
||||
charset-normalizer==3.3.2
|
||||
# via requests
|
||||
cryptography==42.0.7
|
||||
# via
|
||||
# pyopenssl
|
||||
# pypi-attestations
|
||||
# sigstore
|
||||
dnspython==2.6.1
|
||||
# via email-validator
|
||||
docutils==0.21.2
|
||||
# via readme-renderer
|
||||
email-validator==2.1.1
|
||||
# via pydantic
|
||||
grpclib==0.4.7
|
||||
# via betterproto
|
||||
h2==4.1.0
|
||||
# via grpclib
|
||||
hpack==4.0.0
|
||||
# via h2
|
||||
hyperframe==6.0.1
|
||||
# via h2
|
||||
id==1.4.0
|
||||
# via -r runtime.in
|
||||
# via
|
||||
# -r runtime.in
|
||||
# sigstore
|
||||
idna==3.7
|
||||
# via requests
|
||||
# via
|
||||
# email-validator
|
||||
# requests
|
||||
importlib-metadata==7.1.0
|
||||
# via twine
|
||||
jaraco-classes==3.4.0
|
||||
@@ -34,33 +59,77 @@ more-itertools==10.2.0
|
||||
# via
|
||||
# jaraco-classes
|
||||
# jaraco-functools
|
||||
multidict==6.0.5
|
||||
# via grpclib
|
||||
nh3==0.2.17
|
||||
# via readme-renderer
|
||||
packaging==24.1
|
||||
# via pypi-attestations
|
||||
pkginfo==1.10.0
|
||||
# via twine
|
||||
platformdirs==4.2.2
|
||||
# via sigstore
|
||||
pyasn1==0.6.0
|
||||
# via sigstore
|
||||
pycparser==2.22
|
||||
# via cffi
|
||||
pydantic==2.7.1
|
||||
# via id
|
||||
# via
|
||||
# id
|
||||
# pypi-attestations
|
||||
# sigstore
|
||||
# sigstore-rekor-types
|
||||
pydantic-core==2.18.2
|
||||
# via pydantic
|
||||
pygments==2.18.0
|
||||
# via
|
||||
# readme-renderer
|
||||
# rich
|
||||
pyjwt==2.8.0
|
||||
# via sigstore
|
||||
pyopenssl==24.1.0
|
||||
# via sigstore
|
||||
pypi-attestations==0.0.11
|
||||
# via -r runtime.in
|
||||
python-dateutil==2.9.0.post0
|
||||
# via betterproto
|
||||
readme-renderer==43.0
|
||||
# via twine
|
||||
requests==2.32.0
|
||||
requests==2.32.3
|
||||
# via
|
||||
# -r runtime.in
|
||||
# id
|
||||
# requests-toolbelt
|
||||
# sigstore
|
||||
# tuf
|
||||
# twine
|
||||
requests-toolbelt==1.0.0
|
||||
# via twine
|
||||
rfc3986==2.0.0
|
||||
# via twine
|
||||
rfc8785==0.1.2
|
||||
# via sigstore
|
||||
rich==13.7.1
|
||||
# via twine
|
||||
twine==5.1.0
|
||||
# via
|
||||
# sigstore
|
||||
# twine
|
||||
securesystemslib==1.0.0
|
||||
# via tuf
|
||||
sigstore==3.2.0
|
||||
# via
|
||||
# -r runtime.in
|
||||
# pypi-attestations
|
||||
sigstore-protobuf-specs==0.3.2
|
||||
# via
|
||||
# pypi-attestations
|
||||
# sigstore
|
||||
sigstore-rekor-types==0.0.13
|
||||
# via sigstore
|
||||
six==1.16.0
|
||||
# via python-dateutil
|
||||
tuf==5.0.0
|
||||
# via sigstore
|
||||
twine==5.1.1
|
||||
# via -r runtime.in
|
||||
typing-extensions==4.11.0
|
||||
# via
|
||||
|
||||