From a853de07f1a528a32fb7d8a4ba9b2a6b18ae8d94 Mon Sep 17 00:00:00 2001 From: zeevdr Date: Wed, 3 Jun 2026 09:58:45 +0300 Subject: [PATCH] feat: enable Sigstore wheel attestations on PyPI publish Set attestations: true in the pypa/gh-action-pypi-publish step so each release wheel is signed via the existing OIDC trusted-publishing identity. Add a Supply Chain Security section to README documenting how users can verify attestations with pip download + gh attestation verify. Closes #7 Refs opendecree/decree#16 Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/publish.yml | 1 + README.md | 14 ++++++++++++++ 2 files changed, 15 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 04af195..271be21 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -27,6 +27,7 @@ jobs: with: packages-dir: sdk/dist/ print-hash: true + attestations: true - run: gh release create "${{ github.ref_name }}" --generate-notes sdk/dist/*.whl sdk/dist/*.tar.gz env: GH_TOKEN: ${{ github.token }} diff --git a/README.md b/README.md index 332e47c..5b658c2 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,20 @@ Runnable examples in the [`examples/`](examples/) directory: For detailed concepts (schemas, typed values, versioning, auth), see the [main OpenDecree docs](https://github.com/opendecree/decree). +## Supply Chain Security + +Each release wheel is signed with [Sigstore](https://www.sigstore.dev/) via the GitHub Actions +OIDC identity. Attestations are visible on the [PyPI project page](https://pypi.org/project/opendecree/). + +To verify a downloaded wheel locally: + +```bash +pip download opendecree --no-deps +gh attestation verify opendecree-*.whl --repo opendecree/decree-python +``` + +> See [decree#16](https://github.com/opendecree/decree/issues/16) for the org-wide attestation plan. + ## Requirements - Python 3.11+