top | item 42138035


hifromwork | 1 year ago

Even more, the previous way was to use GPG signatures, which were recently deprecated and removed. So you don't really have a choice.

>Where the only official workflow is "Use GitHub Actions".

Well, you can do it manually with other solutions... as long as they are one of the four trusted publishers (see "Producing attestations manually does not bypass (...) restrictions on (...) Trusted Publishers"):

https://docs.pypi.org/trusted-publishers/adding-a-publisher/...

This means that you literally can't do it manually, you have to rely on one of:

* GitHub
* Google Cloud
* ActiveState (I'm not familiar with it)
* GitHub.com (not just GitHub, only that one instance)

Really surprising development, IMO.


burnt-resistor | 1 year ago

It looks a lot like reinventing the wheel, but as an octagon.