
Add PyPI release workflow with PEP 740 attestations#54

Merged
negillett merged 3 commits into main from pypi-release-pep740 on May 21, 2026

Conversation

@negillett
Member

Summary

  • Add release-pypi.yml to build, publish, and sign Python SDK releases on
    SemVer tags via PyPI trusted publishing (PEP 740 attestations) and Cosign
    metadata on GitHub Releases.
  • Set PyPI package metadata in pyproject.toml (intentproof, project URLs,
    keywords) per ADR-012 SDK distribution posture.
  • Refresh the signing dry-run workflow to use pytest and the current reusable
    signing workflow pin.

Test plan

  • PATH=".venv/bin:$PATH" pytest -q (91 passed, 100% coverage)
  • PATH=".venv/bin:$PATH" bash ./scripts/check-coverage.sh 95
  • After merge: configure PyPI trusted publisher for
    IntentProof/intentproof-sdk-python, tag v0.2.0, verify
    pip download --require-hashes + cosign verify-blob (Task acceptance)

Review

  • Internal review found no blocking issues. Residual risk: first real PyPI
    publish requires PyPI trusted-publisher configuration and a tagged release
    run before acceptance can be marked complete.

Wire release-pypi.yml for trusted publishing on SemVer tags,
publish metadata in pyproject.toml, and align the signing dry run
with pytest and the current reusable signing workflow.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
@cursor

cursor Bot commented May 21, 2026

PR Summary

Medium Risk
Introduces new automated release/publishing and signing workflows plus a PyPI package rename/metadata update; main risk is misconfigured release automation or publishing under the wrong package/version.

Overview
Adds a new release-pypi.yml workflow that runs on vMAJOR.MINOR.PATCH tags (or manual dispatch) to test with pytest+coverage, sync pyproject.toml version from the tag/ref, build sdists/wheels, publish to PyPI using the reusable release-build-sign.yml workflow (with PEP 740 attestations), sign the built artifacts, and upload distributions plus signing metadata to the GitHub Release.

Updates the signing dry-run workflow to use pytest with dev deps and switches the reusable signing workflow pin/subject_name to intentproof.

Adjusts pyproject.toml package metadata for PyPI distribution, including renaming the project to intentproof and adding authors/keywords and project URLs.

Reviewed by Cursor Bugbot for commit e43bc82. Bugbot is set up for automated code reviews on this repo. Configure here.

Comment thread .github/workflows/release-pypi.yml Outdated
Pass release_version through env and read it with os.environ
instead of interpolating workflow inputs into inline Python.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
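The commit above moves the release version out of the inline Python and into the environment, so a workflow input never becomes part of the script text that `run:` executes. The following is an added example of what such a step can look like; it is not the project's own script from release-pypi.yml. It assumes the workflow exports the input as `env: RELEASE_VERSION: ${{ inputs.release_version }}` (or relies on `GITHUB_REF` on a tag push), that the file to update is `pyproject.toml` (overridable via a hypothetical `PYPROJECT_PATH`), and that only strict vMAJOR.MINOR.PATCH tags are accepted, matching the trigger the PR summary describes. The sample pyproject text is constructed for the demonstration.

```python
"""Sync the [project] version in pyproject.toml from a release tag that is
supplied through the environment (added illustration, not the project's own
release script)."""
import os
import re
import sys

# Strict vMAJOR.MINOR.PATCH, the shape the release workflow triggers on.
# Anything else (pre-release suffixes, shell metacharacters, empty input)
# is rejected before it can influence the build.
SEMVER_TAG = re.compile(r"^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")
# A `version = "..."` line, with everything after the closing quote kept.
VERSION_LINE = re.compile(r'^(\s*version\s*=\s*")([^"]*)(".*\n?)$')

# Constructed sample input; a second table with its own `version` key
# shows that only the [project] table is rewritten.
SAMPLE_PYPROJECT = """[project]
name = "intentproof"
version = "0.1.0"

[tool.example]
version = "unchanged"
"""


def parse_release_version(raw: str) -> str:
    """Turn a tag or ref ('v0.2.0', 'refs/tags/v0.2.0') into '0.2.0'."""
    tag = raw.strip()
    if tag.startswith("refs/tags/"):
        tag = tag[len("refs/tags/"):]
    m = SEMVER_TAG.fullmatch(tag)
    if m is None:
        raise ValueError(f"not a vMAJOR.MINOR.PATCH tag: {raw!r}")
    return ".".join(m.groups())


def is_release_tag(raw: str) -> bool:
    """True when parse_release_version() would accept the value."""
    try:
        parse_release_version(raw)
    except ValueError:
        return False
    return True


def sync_pyproject_version(pyproject_text: str, version: str) -> str:
    """Rewrite the version line inside the [project] table only."""
    out = []
    table = None
    replaced = False
    for line in pyproject_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            table = stripped[1:-1].strip()  # entering a new TOML table
        elif table == "project" and not replaced:
            m = VERSION_LINE.match(line)
            if m:
                line = f"{m.group(1)}{version}{m.group(3)}"
                replaced = True
        out.append(line)
    if not replaced:
        raise ValueError('no version = "..." entry in the [project] table')
    return "".join(out)


def demo() -> str:
    """Run the sync on the constructed sample with tag v0.2.0."""
    return sync_pyproject_version(SAMPLE_PYPROJECT,
                                  parse_release_version("refs/tags/v0.2.0"))


def main() -> int:
    # The workflow passes the input via `env:`; reading os.environ keeps the
    # value as data instead of interpolating it into the script source.
    raw = os.environ.get("RELEASE_VERSION") or os.environ.get("GITHUB_REF", "")
    path = os.environ.get("PYPROJECT_PATH", "pyproject.toml")  # assumed name
    try:
        version = parse_release_version(raw)
        with open(path, encoding="utf-8") as fh:
            updated = sync_pyproject_version(fh.read(), version)
    except (OSError, ValueError) as exc:
        print(f"release version sync failed: {exc}", file=sys.stderr)
        return 1
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print(f"pyproject.toml version set to {version}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the value arrives as an environment variable and is validated against a closed grammar before use, a crafted `workflow_dispatch` input can at worst fail the job; it cannot change what the step runs or what version string reaches the build and the attestations.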

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 01da175. Configure here.

Comment thread .github/workflows/release-pypi.yml
Add attestations: write and packages: write on publish and sign
jobs that call the reusable signing workflow, matching the dry run.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
@negillett negillett merged commit c38ec85 into main May 21, 2026
3 checks passed
@negillett negillett deleted the pypi-release-pep740 branch May 21, 2026 13:21