Is it possible/planned to add the sigstore output to the output files? #367
-
Hello everyone, I checked the packaging user guide today and saw that my personal approach was apparently based on an outdated version of the guide since I still had a separate Sadly this means I (apparently?) cannot include the My question is this: Am I missing something / is support for including these files in the action output planned? And if not, would I have to use the `with: attestations: false` option on this action and add the

Best Regards
-
There's a plan to start uploading to GH attestations directly. Though, it requires some work.
I don't think we'll be exposing publish attestations. Though you can probably retrieve them from PyPI if you really need.
Don't disable attestations. You can't upload manually crafted ones.
If you want, you can produce signatures separately. I tend to do so myself, in separate jobs. I use GH-native, Sigstore and SLSA. I think, one example where you can find this is ansible/awx-plugins, another one would be cherrypy/cheroot.
Though, William thinks people should just drop the sigstore step..
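
The layout described in the reply above, as an added example that is not part of the thread and not taken from the projects it names: the publish job leaves the action's attestations at their default, and a separate job signs the same artifacts with Sigstore and attaches the bundles to the GitHub release. The artifact name, environment name, release trigger and action version pins are assumptions.

```yaml
# Added example: constructed workflow; names and version pins are assumptions.
name: release
on:
  release:
    types: [published]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pipx run build            # writes the sdist and wheel to dist/
      - uses: actions/upload-artifact@v4
        with:
          name: dists                  # assumed artifact name
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi                  # assumed environment name
    permissions:
      id-token: write                  # OIDC token for Trusted Publishing
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dists
          path: dist/
      # "attestations" is not set, so the action keeps its default behaviour.
      - uses: pypa/gh-action-pypi-publish@release/v1

  sign:
    needs: build                       # works on its own copy of dist/
    runs-on: ubuntu-latest
    permissions:
      id-token: write                  # OIDC identity for Sigstore keyless signing
      contents: write                  # needed to attach files to the release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dists
          path: dist/
      - uses: sigstore/gh-action-sigstore-python@v3.0.0
        with:
          inputs: ./dist/*.tar.gz ./dist/*.whl
      - run: gh release upload "$TAG" dist/*.sigstore.json
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          TAG: ${{ github.event.release.tag_name }}
```

Because the `sign` job downloads its own copy of the artifact, the `.sigstore.json` files it writes never appear in the `dist/` directory that the `publish` job uploads.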