security: add PEP 740 attestations to PyPI publish by govindkavaturi-art · Pull Request #17 · cueapi/cueapi-python

govindkavaturi-art · 2026-04-12T19:55:54Z

Summary

Pin pypa/gh-action-pypi-publish to commit SHA (v1.14.0)
Enable attestations: true for PEP 740 provenance on every release
Add test job before publish — tests must pass before PyPI release
Add explicit permissions: { contents: read } at workflow level
Bump version to 0.1.1 for attestation validation release

Test plan

CI passes
After merge, tag v0.1.1 triggers publish workflow
Verify cueapi-sdk 0.1.1 on PyPI has attestation badge

🤖 Generated with Claude Code

- Pin pypa/gh-action-pypi-publish to SHA (v1.14.0) - Enable attestations: true for PEP 740 provenance - Add test job before publish (tests must pass before release) - Add explicit permissions: { contents: read } at workflow level - Bump version to 0.1.1 - Document attestation in README Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

SDK tests are integration tests requiring staging API + service containers. They run on PRs via feature-to-main.yml. The publish workflow trusts that tests passed during the PR process. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Gk and others added 2 commits April 12, 2026 12:55

fix: remove test job from publish workflow

7f2e4e6

SDK tests are integration tests requiring staging API + service containers. They run on PRs via feature-to-main.yml. The publish workflow trusts that tests passed during the PR process. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

govindkavaturi-art merged commit bc5b84c into main Apr 12, 2026
3 of 4 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security: add PEP 740 attestations to PyPI publish#17

security: add PEP 740 attestations to PyPI publish#17
govindkavaturi-art merged 2 commits into
mainfrom
security/trusted-publish-attestations

govindkavaturi-art commented Apr 12, 2026

Uh oh!

Labels

1 participant