From fbf925ee636327bc958859ba1179fdd37bbcde6e Mon Sep 17 00:00:00 2001
From: William Woodruff <william@astral.sh>
Date: Mon, 1 Dec 2025 13:01:33 -0500
Subject: [PATCH] Enable PEP 740 attestations when publishing to PyPI (#16910)

---
 .github/workflows/publish-pypi.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 9edc0575e..1ee2b563f 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -18,8 +18,7 @@ jobs:
     environment:
       name: release
     permissions:
-      # For PyPI's trusted publishing.
-      id-token: write
+      id-token: write # For PyPI's trusted publishing + PEP 740 attestations
     steps:
       - name: "Install uv"
         uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
@@ -28,6 +27,9 @@ jobs:
           pattern: wheels_uv-*
           path: wheels_uv
           merge-multiple: true
+      - uses: astral-sh/attest-action@2c727738cea36d6c97dd85eb133ea0e0e8fe754b # v0.0.4
+        with:
+          paths: wheels_uv/*
       - name: Publish to PyPI
         run: uv publish -v wheels_uv/*
 
@@ -37,8 +39,7 @@ jobs:
     environment:
       name: release
     permissions:
-      # For PyPI's trusted publishing.
-      id-token: write
+      id-token: write # For PyPI's trusted publishing + PEP 740 attestations
     steps:
       - name: "Install uv"
         uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
@@ -47,5 +48,8 @@ jobs:
           pattern: wheels_uv_build-*
           path: wheels_uv_build
           merge-multiple: true
+      - uses: astral-sh/attest-action@2c727738cea36d6c97dd85eb133ea0e0e8fe754b # v0.0.4
+        with:
+          paths: wheels_uv_build/*
       - name: Publish to PyPI
         run: uv publish -v wheels_uv_build/*