There might be a way to attest build provenance, so lets check it out.
The following snipped could be helpful:
- name: Attest build provenance
uses: actions/attest-build-provenance@v1
with:
subject-path: dist/*.whl, dist/*.tar.gz
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
attestations: true # uploads attestations alongside the package
There might be a way to attest build provenance, so lets check it out.
The following snipped could be helpful: