mirror of
https://gitcode.com/gh_mirrors/gh/gh-action-pypi-publish.git
synced 2026-07-02 10:25:13 +00:00
📝 Reflect the PR #277 changes in README
This makes minimum modifications to indicate that `attestations` is not on by default.
@@ -111,16 +111,17 @@ filter to the job:
> Generating and uploading digital attestations currently requires
> authentication with a [trusted publisher].
You can generate signed [digital attestations] for all the distribution files and
upload them all together by enabling the `attestations` setting:
Generating signed [digital attestations] for all the distribution files
and uploading them all together is now on by default for all projects
using Trusted Publishing. To disable it, set `attestations` as follows:
```yml
with:
attestations: true
attestations: false
```
This will use [Sigstore] to create attestation
objects for each distribution package, signing them with the identity provided
The attestation objects are created using [Sigstore] for each
distribution package, signing them with the identity provided
by the GitHub's OIDC token associated with the current workflow. This means
both the trusted publishing authentication and the attestations are tied to the
same identity.
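Review bot: the replacement paragraph says attestations are "now on by default for all projects using Trusted Publishing" but never says what the default means for a workflow that uploads with a password or API token. Since the note at the top of this hunk states that attestations require authentication with a [trusted publisher], add one sentence saying whether the setting is simply ignored in that case or whether the job fails, so readers do not have to find out by running it. The commit message also says `attestations` is "not on by default" while the new README text says "now on by default"; one of the two needs correcting before this lands. While this paragraph is being touched, "by the GitHub's OIDC token" in the following context line could become "by GitHub's OIDC token".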