feat(attest-for-pypi): add PyPI attestation action#75
Pull request overview
This pull request introduces a new GitHub Action for generating PyPI-compatible attestations using Sigstore. The action wraps GitHub's attestation functionality with PyPI-specific configuration and includes a safety check to prevent use on private repositories.
Changes:
- Added a composite GitHub Action that generates Sigstore attestations with PyPI's predicate type
- Provided comprehensive documentation covering usage, permissions, and security considerations
- Included MIT license and initial changelog for version 0.1.0
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| actions/attest-for-pypi/action.yml | Implements the composite action with repository visibility checks and attestation generation |
| actions/attest-for-pypi/README.md | Documents the action's purpose, usage examples, inputs/outputs, and security considerations |
| actions/attest-for-pypi/LICENSE | Adds MIT license for the action |
| actions/attest-for-pypi/CHANGELOG.md | Records the initial 0.1.0 release with key features |
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Removed `github_token` and `upload-artifact` inputs from README.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
This pull request introduces a new GitHub Action, attest-for-pypi, designed to generate PyPI-compatible attestations for Python packages using the Sigstore framework. The action is tailored for integration into CI/CD pipelines and ensures that attestations are only created for public repositories to prevent information leakage. The pull request includes comprehensive documentation, licensing, and the initial implementation of the action.

Key changes include:

New Action Implementation:
- action.yml defining the composite action, which generates attestations for Python distribution files using Sigstore and PyPI's publish attestation marker. The action includes a safety check to ensure it only runs on public repositories and exposes configurable inputs and outputs.

Documentation:
- README.md explaining the purpose, usage, permissions, example workflows, inputs/outputs, and security considerations for the attest-for-pypi action.
- CHANGELOG.md documenting the first release and key features, such as PyPI-compatible attestations, Sigstore support, and public repo checks.

Licensing:
- LICENSE to clarify usage and distribution rights.
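The shape of composite action the description above talks about, written out here as an added example rather than the PR's own action.yml: it fails closed unless the repository is known to be public, then hands the built distributions to actions/attest with PyPI's publish-attestation predicate type. The input name `subject-path`, the step id, the `actions/attest@v2` version tag, and the use of the `github.event.repository.private` context for the visibility check are assumptions; the PR does not show how its check or its inputs are implemented.

```yaml
# Added example, not the action.yml from this PR. A composite action of the
# shape the PR describes; the input name, step id and the visibility check
# via github.event.repository.private are assumptions.
name: 'attest-for-pypi (example)'
description: 'Generate a PyPI publish attestation for built distributions using Sigstore'

inputs:
  subject-path:
    description: 'Path or glob of the sdist/wheel files to attest, e.g. dist/*'
    required: true

outputs:
  bundle-path:
    description: 'Path to the Sigstore bundle written by actions/attest'
    value: ${{ steps.attest.outputs.bundle-path }}

runs:
  using: composite
  steps:
    - name: Refuse to attest from a private repository
      shell: bash
      env:
        # "true" or "false" for events whose payload carries a repository object;
        # empty for events that do not.
        REPO_PRIVATE: ${{ github.event.repository.private }}
      run: |
        # Fail closed: only the literal "false" counts as proof of a public repo,
        # so an empty or unexpected value also stops the run instead of attesting.
        if [ "${REPO_PRIVATE}" != "false" ]; then
          echo "::error::attest-for-pypi only supports public repositories (private='${REPO_PRIVATE}')"
          exit 1
        fi

    - name: Generate PyPI publish attestation
      id: attest
      uses: actions/attest@v2
      with:
        subject-path: ${{ inputs.subject-path }}
        # PyPI's publish attestation is identified by this predicate type and
        # carries an empty (null) predicate body. Passing the JSON literal here
        # assumes actions/attest parses the predicate input as JSON.
        predicate-type: 'https://docs.pypi.org/attestations/publish/v1'
        predicate: 'null'
```

The calling workflow has to grant `id-token: write` (for the Sigstore OIDC identity) and `attestations: write` (for actions/attest to store the attestation); without them the attest step fails at runtime rather than silently producing an unverifiable bundle. The public-repository check matters because attestations for private repositories are issued against GitHub's private Sigstore instance, not the public-good instance PyPI verifies against, and because the signing certificate embeds the repository and workflow identity, which is the information leak the PR description refers to. In production, pin `actions/attest` to a commit SHA rather than a floating tag.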