
v2.1.12


github-actions released this 10 Jun 13:31
· 131 commits to main since this release

Assurance: reproducible builds + sigstore-signed PyPI attestations

The "Trusted" assurance-track item: make a published release verifiable back to
its source. Builds were already attested (GitHub-native build provenance) with a
CycloneDX SBOM and OIDC trusted publishing; this adds the two missing pieces.

  • Reproducible builds. The release build pins SOURCE_DATE_EPOCH to the
    tagged commit's timestamp, so a rebuild from the same source (with the same
    build toolchain; the pin fixes embedded timestamps, not backend output)
    yields a byte-identical wheel and sdist. A new reproducible-build CI job
    gates the property on every change: it builds twice and compares the
    artifact hashes.
  • Sigstore-signed PyPI attestations (PEP 740). The publish step now emits
    signed digital attestations to PyPI, so installers and auditors can verify an
    artifact's provenance directly from the index, alongside the existing
    gh attestation verify path.
  • docs/supply-chain.md documents the full posture (trusted publishing,
    both attestation roots, the SBOM, a reproducible-build verification recipe,
    and the supply-chain isolation contract), and records the full SLSA L3
    generator workflow as deferred by proportionality.
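
The build-twice-and-compare gate, written out as an added example (it is not the
project's own CI job or its documented recipe). `source_date_epoch` and `build`
assume a git checkout and `python -m build`; `demo()` exercises the digest and
zip-timestamp checks offline on a constructed wheel-like zip, including the
failure mode the gate exists to catch: a build without the pin whose members are
identical but whose zip entry mtimes come from the wall clock.

```python
"""Reproducible-build gate: build the tagged source twice with SOURCE_DATE_EPOCH
pinned, then compare artifact digests. Added example, not the project's workflow.
`build`/`source_date_epoch` need git and `python -m build`; the digest and
zip-timestamp helpers run offline on constructed artifacts (see demo())."""
import hashlib
import os
import subprocess
import sys
import tempfile
import zipfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def source_date_epoch(ref: str = "HEAD", repo: str = ".") -> int:
    """Committer timestamp of `ref`: the value the release pins SOURCE_DATE_EPOCH to."""
    out = subprocess.run(["git", "-C", repo, "log", "-1", "--format=%ct", ref],
                         check=True, capture_output=True, text=True).stdout
    return int(out.strip())


def build(outdir: Path, epoch: int, repo: str = ".") -> None:
    """`python -m build` with SOURCE_DATE_EPOCH pinned; writes wheel + sdist to outdir."""
    env = dict(os.environ, SOURCE_DATE_EPOCH=str(epoch))
    subprocess.run([sys.executable, "-m", "build", "--outdir", str(outdir), repo],
                   check=True, env=env)


def digest_dir(path: Path) -> dict:
    """Artifact filename -> SHA-256 of its bytes."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(path.iterdir()) if p.is_file()}


def compare_digests(a: dict, b: dict) -> list:
    """Problems found comparing two builds; [] means byte-identical. An artifact
    present in only one build fails the gate too, not just a changed hash."""
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            problems.append(f"{name}: present in only one build")
        elif a[name] != b[name]:
            problems.append(f"{name}: {a[name][:12]} != {b[name][:12]}")
    return problems


def dos_time(epoch: int) -> tuple:
    """Zip entry time for `epoch` (UTC; seconds truncated to even, DOS resolution)."""
    y, m, d, hh, mm, ss = datetime.fromtimestamp(epoch, tz=timezone.utc).timetuple()[:6]
    return (y, m, d, hh, mm, ss - ss % 2)


def zip_timestamp_drift(wheel: Path, epoch: int) -> list:
    """Entries whose mtime is not the pinned epoch: the usual reason a wheel built
    without SOURCE_DATE_EPOCH differs although every member's content is the same."""
    want = dos_time(epoch)
    with zipfile.ZipFile(wheel) as zf:
        return [i.filename for i in zf.infolist() if i.date_time != want]


def _write_demo_wheel(path: Path, epoch: Optional[int]) -> None:
    """Constructed stand-in for a built wheel (not a real package): two members,
    mtimes pinned to `epoch` or, when None, taken from the wall clock."""
    members = {"pkg/__init__.py": b"__version__ = '2.1.12'\n",
               "pkg-2.1.12.dist-info/METADATA": b"Name: pkg\nVersion: 2.1.12\n"}
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            if epoch is None:
                zf.writestr(name, data)          # mtime = now: this is the drift
            else:
                info = zipfile.ZipInfo(name, date_time=dos_time(epoch))
                info.compress_type = zipfile.ZIP_DEFLATED
                zf.writestr(info, data)


def demo() -> tuple:
    """Offline run of the gate on constructed artifacts. Returns
    (pinned vs pinned problems, pinned vs unpinned problems, drifted entries)."""
    epoch = 1_700_000_000  # stand-in for the tagged commit's %ct
    name = "pkg-2.1.12-py3-none-any.whl"
    with tempfile.TemporaryDirectory() as tmp:
        one, two, unpinned = (Path(tmp, d) for d in ("one", "two", "unpinned"))
        for d in (one, two, unpinned):
            d.mkdir()
        _write_demo_wheel(one / name, epoch)
        _write_demo_wheel(two / name, epoch)
        _write_demo_wheel(unpinned / name, None)
        same = compare_digests(digest_dir(one), digest_dir(two))
        differ = compare_digests(digest_dir(one), digest_dir(unpinned))
        drift = zip_timestamp_drift(unpinned / name, epoch)
    return same, differ, drift


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # gate.py <repo> [ref]: real rebuild
        repo, ref = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "HEAD")
        epoch = source_date_epoch(ref, repo)
        with tempfile.TemporaryDirectory() as tmp:
            one, two = Path(tmp, "one"), Path(tmp, "two")
            build(one, epoch, repo)
            build(two, epoch, repo)
            problems = compare_digests(digest_dir(one), digest_dir(two))
        print("\n".join(problems) or "reproducible")
        sys.exit(1 if problems else 0)
    print(demo())
```

Run against a checkout (`python gate.py . v2.1.12`) the script rebuilds twice under
the same pin and exits non-zero on any digest mismatch or missing artifact; a
third-party auditor would instead compare their own rebuild's digests against the
published files and then confirm those files with the release's existing
`gh attestation verify` path. `zip_timestamp_drift` is the diagnostic to reach for
when digests differ but unzipped contents do not.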

Release-pipeline and docs only; no package code changed.