From 45a00d63dd511f5ba7860ef0813e28c74d2a65b3 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Mon, 23 Feb 2026 14:27:31 +0000
Subject: [PATCH] Add build provenance attestation

---
 .github/workflows/publish-to-pypi.yaml     | 13 ++++++-------
 .github/workflows/publish-to-testpypi.yaml | 13 ++++++-------
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/publish-to-pypi.yaml b/.github/workflows/publish-to-pypi.yaml
index e16fac9..d7125d1 100644
--- a/.github/workflows/publish-to-pypi.yaml
+++ b/.github/workflows/publish-to-pypi.yaml
@@ -21,6 +21,7 @@ jobs:
     permissions:
       contents: write
       id-token: write # For trusted publishing
+      attestations: write # For artifact attestation
 
     steps:
       - name: Checkout repository
@@ -39,6 +40,11 @@ jobs:
       - name: Build the wheel
         run: python3 -m hatch build
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-path: ./dist/*
+
       - name: Upload artifacts
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
@@ -50,13 +56,6 @@ jobs:
         with:
           verbose: true
 
-      - name: Sign with sigstore
-        uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0
-        with:
-          inputs: >-
-            ./dist/*.tar.gz
-            ./dist/*.whl
-
       - name: Create GitHub Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish-to-testpypi.yaml b/.github/workflows/publish-to-testpypi.yaml
index 62f7062..d13b8d4 100644
--- a/.github/workflows/publish-to-testpypi.yaml
+++ b/.github/workflows/publish-to-testpypi.yaml
@@ -18,6 +18,7 @@ jobs:
     permissions:
       contents: write
       id-token: write # For trusted publishing
+      attestations: write # For artifact attestation
 
     steps:
       - name: Checkout repository
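Review bot: `subject-path: ./dist/*` in the new "Attest build provenance" step attests every file in `dist/`, whereas the sigstore step this commit removes signed only `./dist/*.tar.gz` and `./dist/*.whl`, and nothing visible cleans `dist/` before `hatch build`, so any stale or incidental file there would receive a provenance statement too. I would narrow the subject to the same two patterns, `subject-path: |` followed by `./dist/*.whl` and `./dist/*.tar.gz`, or add `rm -rf dist` to the build step. The attestation is also minted inside the job that holds `contents: write` and the trusted-publishing OIDC token, so a compromised build step can both alter the repository and produce a valid attestation; moving attest-and-publish into a separate job that consumes the uploaded artifact would shrink that blast radius. If the `verbose: true` block at the top of the next hunk is pypa/gh-action-pypi-publish with trusted publishing, it presumably emits its own PEP 740 attestations to PyPI, so a comment such as `# GitHub-side provenance; PyPI-side attestations come from the publish step` would make clear this step complements rather than replaces them, and the commit message should tell consumers to verify with `gh attestation verify` now that the `.sigstore` bundles are gone.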
@@ -51,6 +52,11 @@ jobs:
       - name: Build the wheel
         run: python3 -m hatch build
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-path: ./dist/*
+
       - name: Upload artifacts
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
@@ -63,13 +69,6 @@ jobs:
           repository-url: https://test.pypi.org/legacy/
           verbose: true
 
-      - name: Sign with sigstore
-        uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0
-        with:
-          inputs: >-
-            ./dist/*.tar.gz
-            ./dist/*.whl
-
       - name: Create GitHub Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
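Review bot: The TestPyPI workflow now records provenance for test builds under the same repository identity as production releases, so a wheel built here will pass a bare `gh attestation verify --repo <owner>/<repo>` unless the verifier also pins the workflow; a comment on the step, `# Attested under the repo identity; verifiers must check the workflow claim to distinguish TestPyPI builds`, would warn consumers and maintainers of that. The same `subject-path: ./dist/*` remark applies: attest only `./dist/*.whl` and `./dist/*.tar.gz`, matching the removed sigstore inputs, rather than whatever happens to be in `dist/`. The attest step and its SHA pin are now duplicated byte-for-byte between the two workflows with `repository-url` the only visible difference, so a future bump in one file but not the other would quietly produce differently-attested artifacts; a reusable workflow or composite action would keep them in lockstep.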