
Remove gh-action-sigstore-python from the GitHub Actions publishing guide #1788

Open
@woodruffw


Issue Description

I'm filing this as a reminder issue for myself, although if someone wants to get to it before I do please feel free 🙂

TL;DR: The current GitHub Actions publishing guide has sections like this that reference gh-action-sigstore-python for signing. This step is strictly superfluous now that PEP 740 has been implemented on PyPI, since the publishing step (or more generally, any step that chooses to make an attestation) does the signing implicitly.

As such, references to gh-action-sigstore-python should probably be fully removed and replaced with notes about how attestations currently work by default when using a supported Trusted Publishing provider (currently GitHub and GitLab, but others as well in the future). Keeping the references in place is liable to cause user confusion:

  1. The signatures produced by gh-action-sigstore-python aren't format-compatible with what PEP 740 expects, meaning they really only end up in the GitHub release artifacts, where they have limited value;
  2. Having two+ signing steps means the user ends up with multiple sets of signatures per artifact, which is confusing.

Neither of these results in breakage, but we can eliminate them as sources of confusion 🙂
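As an added illustration (not text or code from the issue author or from the packaging guide itself), the following workflow excerpt shows the two shapes the issue contrasts: the current guide's separate signing step next to the publish step, and the reduced form in which only the publish step remains and the attestation is produced implicitly. Action versions, the `inputs` glob and the `attestations` key are assumptions about the actions' current interfaces, not values taken from the issue.

```yaml
# Assumed excerpt of a publish job using Trusted Publishing.
# BEFORE: separate sigstore signing step, as the current guide shows.
# The signatures it produces are not in the PEP 740 format, so they
# only land in the GitHub release, alongside the publish step's own
# attestation; two signature sets per artifact.
jobs:
  publish-before:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required for Trusted Publishing (OIDC)
      contents: write   # only needed to upload signatures to the release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: Sign with Sigstore (step the issue proposes removing)
        uses: sigstore/gh-action-sigstore-python@v3.0.0   # assumed version
        with:
          inputs: ./dist/*.tar.gz ./dist/*.whl
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1

# AFTER: the publish step alone. With a supported Trusted Publishing
# provider the action generates and uploads PEP 740 attestations by
# default; `attestations: true` is spelled out here only to make the
# implicit signing visible (assumed to be the default value).
  publish-after:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # Trusted Publishing and attestation signing
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish to PyPI (attestations produced implicitly)
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true
```

Note that the reduced job also drops `contents: write`, since nothing is uploaded to the GitHub release any more; the attestation lives on PyPI next to the distribution.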

Code of Conduct

  • I am aware that participants in this repository must follow the PSF Code of Conduct.
