feat: enable Sigstore wheel attestations on PyPI publish

zeevdr · claude · zeevdr · commit a853de07f1a5 · 2026-06-03T09:58:45.000+03:00
Set attestations: true in the pypa/gh-action-pypi-publish step so each release wheel is signed via the existing OIDC trusted-publishing identity. Add a Supply Chain Security section to README documenting how users can verify attestations with pip download + gh attestation verify. Closes #7 Refs opendecree/decree#16 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -27,6 +27,7 @@ jobs:
         with:
           packages-dir: sdk/dist/
           print-hash: true
+          attestations: true
       - run: gh release create "${{ github.ref_name }}" --generate-notes sdk/dist/*.whl sdk/dist/*.tar.gz
         env:
           GH_TOKEN: ${{ github.token }}
diff --git a/README.md b/README.md
@@ -85,6 +85,20 @@ Runnable examples in the [`examples/`](examples/) directory:
 
 For detailed concepts (schemas, typed values, versioning, auth), see the [main OpenDecree docs](https://github.com/opendecree/decree).
 
+## Supply Chain Security
+
+Each release wheel is signed with [Sigstore](https://www.sigstore.dev/) via the GitHub Actions
+OIDC identity. Attestations are visible on the [PyPI project page](https://pypi.org/project/opendecree/).
+
+To verify a downloaded wheel locally:
+
+```bash
+pip download opendecree --no-deps
+gh attestation verify opendecree-*.whl --repo opendecree/decree-python
+```
+
+> See [decree#16](https://github.com/opendecree/decree/issues/16) for the org-wide attestation plan.
+
 ## Requirements
 
 - Python 3.11+
