A GitHub Action that generates PEP 740 publish attestations for your Python packages.
To use this action, you should be using Trusted Publishing to publish your packages (to pyx, PyPI, or another compatible index).
> [!WARNING]
> This action is currently in an early stage of development. Releases may contain significant breaking changes until it is declared stable.
> [!IMPORTANT]
> This action is primarily useful for directly publishing with `uv publish` and other upload tools that support PEP 740 attestations directly.
> You do not need this action if you're using pypa/gh-action-pypi-publish, as that action has built-in support for PEP 740 attestations.
To use this action, you must have a Trusted Publisher configured for your project on your target index (or indices). Refer to your index's documentation for more information on Trusted Publishing:
As with Trusted Publishing itself, this action requires the `id-token: write` permission on your publishing job. For example:

```yaml
permissions:
  id-token: write # for Trusted Publishing + attest-action
  contents: read # for actions/checkout, if you're in a private repo
```

In order to upload the resulting attestations to an index, you must use a publishing tool that supports PEP 740 attestations. Such tools include:

- uv (`uv publish`) versions 0.9.12 and later
- twine (`twine upload`) versions 5.1.0 and later
> [!TIP]
> We recommend using `uv publish` with this action, as it does not require any additional installation or configuration.
Add astral-sh/attest-action directly above your publishing step in your
publishing job.
For example:
```yaml
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    needs: [build]
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: dist
      - uses: astral-sh/attest-action@2c727738cea36d6c97dd85eb133ea0e0e8fe754b # v0.0.4
      - run: uv publish
```

> [!IMPORTANT]
> Performing builds in a separate job is strongly encouraged as a way to improve both security and reproducibility.
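A complete two-job workflow that puts the steps above together, with the build isolated from the publishing job as recommended. This is an added example, not a snippet from the action's README: it assumes the project is built with `uv build`, and it references astral-sh/setup-uv and actions/upload-artifact by version tag, which is an assumption; replace those tags with full commit SHA pins in real use, as the README's own snippets do.

```yaml
# Added example (not from the action's README): build and publish in
# separate jobs. Only the publish job holds id-token: write, so the OIDC
# token used by Trusted Publishing and attest-action is never available
# to the build step or to any build-time dependency code.
name: Release

on:
  release:
    types: [published]

jobs:
  build:
    runs-on: ubuntu-latest
    # Deliberately no id-token: write here; building never needs it.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      # ASSUMPTION: astral-sh/setup-uv by tag; pin to a commit SHA in real use.
      - uses: astral-sh/setup-uv@v6
      # ASSUMPTION: the project builds with uv; any PEP 517 build works.
      - run: uv build
      # ASSUMPTION: actions/upload-artifact by tag; pin to a commit SHA in real use.
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
          if-no-files-found: error

  publish:
    runs-on: ubuntu-latest
    needs: [build]
    # Trusted Publishing and attest-action both require the OIDC token.
    # No checkout is needed here: the job only touches the built artifacts.
    permissions:
      id-token: write
    steps:
      - uses: astral-sh/setup-uv@v6 # ASSUMPTION: tag pin, see above
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: dist
          path: dist/
      # Generate PEP 740 attestations for everything matched by the default
      # paths input (dist/*). This must run directly before the upload step.
      - uses: astral-sh/attest-action@2c727738cea36d6c97dd85eb133ea0e0e8fe754b # v0.0.4
      # uv publish (0.9.12 or later) uploads the distributions together with
      # the attestations generated above, authenticating via Trusted Publishing.
      - run: uv publish
```

The `needs: [build]` edge means the publish job only runs after a successful build, and because it downloads the artifact rather than rebuilding, the files that get attested and uploaded are exactly the ones the build job produced.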
If you have a custom path (or paths) to your distributions, you can specify them
via the paths input as whitespace-separated values.
```yaml
- uses: astral-sh/attest-action@2c727738cea36d6c97dd85eb133ea0e0e8fe754b # v0.0.4
  with:
    paths: |
      custom-dist-dir/*
      wheelhouse/*
```

`paths`

Default: `dist/*`

One or more whitespace-separated directories or glob patterns to search for Python distributions to generate attestations for.

Recursive globs may be used, e.g. `dist/**` to find all distributions within `dist/` and its subdirectories.

> [!NOTE]
> A bare directory path like `dist/` is treated as `dist/*`.

Default: `false`

If `false` (the default), any existing publish attestations that would have been overwritten instead cause the action to fail.

If `true`, existing attestations are overwritten.
This action currently has no outputs.
pyx-auth-action is licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or https://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in pyx-auth-action by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.