From 15a5b06d78e50289b8d3b2bd3ad35674702ecd81 Mon Sep 17 00:00:00 2001
From: jremitz
Date: Wed, 8 Apr 2026 07:39:35 -0500
Subject: [PATCH] ci: enable Sigstore attestations for PyPI releases

Add attestations: true to pypa/gh-action-pypi-publish and attestations: write permission so each release generates verifiable Sigstore provenance tied to the GitHub Actions workflow.

Co-Authored-By: Claude
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9b3a0d6..857808d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -79,6 +79,7 @@ jobs:
 environment: release
 permissions:
 id-token: write
+ attestations: write
 steps:
 - uses: actions/download-artifact@v4
 with:
@@ -90,3 +91,4 @@ jobs:
 with:
 packages-dir: dist
 verbose: true
+ attestations: true
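Review bot: The added `attestations: write` scope in the first hunk looks unnecessary for what this job visibly does. pypa/gh-action-pypi-publish signs its PEP 740 attestations with the job's OIDC token, which the existing `id-token: write` already covers, and uploads them to PyPI. `attestations: write` instead authorizes writes to GitHub's own artifact-attestation store, which is what a step such as `actions/attest-build-provenance` needs. Unless a step outside this hunk does that, drop the line so the publishing job keeps the narrowest token it can. The job's step list continues past the hunk, so this is inferred from the visible lines only.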
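Review bot: `attestations: true` in the second hunk only has an effect when the step authenticates through Trusted Publishing, and the step's `uses:` line and any `password:` input sit above the hunk, so that cannot be confirmed from here. If an API token is still passed, the release would presumably go out without provenance while the workflow reads as if it were attested. I would add a comment above the input, `# PEP 740 attestations; requires Trusted Publishing (OIDC), no password input`. It is also worth recording in the release docs which repository and workflow file consumers should expect as the signing identity when they verify a download.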