mirror of
https://gitcode.com/gh_mirrors/gh/gh-action-pypi-publish.git
synced 2026-07-02 18:27:49 +00:00
📝 Reflect the PR #277 changes in README
This makes minimum modifications to indicate that `attestations` is not on by default.
This commit is contained in:
@@ -111,16 +111,17 @@ filter to the job:
|
|||||||
> Generating and uploading digital attestations currently requires
|
> Generating and uploading digital attestations currently requires
|
||||||
> authentication with a [trusted publisher].
|
> authentication with a [trusted publisher].
|
||||||
|
|
||||||
You can generate signed [digital attestations] for all the distribution files and
|
Generating signed [digital attestations] for all the distribution files
|
||||||
upload them all together by enabling the `attestations` setting:
|
and uploading them all together is now on by default for all projects
|
||||||
|
using Trusted Publishing. To disable it, set `attestations` as follows:
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
with:
|
with:
|
||||||
attestations: true
|
attestations: false
|
||||||
```
|
```
|
||||||
|
|
||||||
This will use [Sigstore] to create attestation
|
The attestation objects are created using [Sigstore] for each
|
||||||
objects for each distribution package, signing them with the identity provided
|
distribution package, signing them with the identity provided
|
||||||
by the GitHub's OIDC token associated with the current workflow. This means
|
by the GitHub's OIDC token associated with the current workflow. This means
|
||||||
both the trusted publishing authentication and the attestations are tied to the
|
both the trusted publishing authentication and the attestations are tied to the
|
||||||
same identity.
|
same identity.
|
||||||
|
|||||||
Reference in New Issue
Block a user