From 635fbe2bff805c86c0df1db463f4c5eea087aec6 Mon Sep 17 00:00:00 2001
From: Bruno Oliveira
Date: Fri, 17 May 2024 08:19:13 -0300
Subject: [PATCH] Attest package provenance (#12333)
Use the new build provenance support added in [build-and-inspect-python-package 2.5.0](https://github.com/hynek/build-and-inspect-python-package/blob/main/CHANGELOG.md#250---2024-05-13). More information: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ Tested also in https://github.com/pytest-dev/pytest-mock/pull/431. Note: even though it is technically necessary only for the `deploy` workflow, as the `test` workflow does not publish its packages, decided to always attest the provenance in both cases to avoid any surprises related to this (say a misconfiguration) when deploying.
---
 .github/workflows/deploy.yml | 9 ++++++++-
 .github/workflows/test.yml | 2 +-
 changelog/12333.trivial.rst | 1 +
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 changelog/12333.trivial.rst
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index cc0e6331d..20a72270f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -19,6 +19,11 @@ jobs:
 SETUPTOOLS_SCM_PRETEND_VERSION: ${{ github.event.inputs.version }}
 timeout-minutes: 10
+ # Required by attest-build-provenance-github.
+ permissions:
+ id-token: write
+ attestations: write
+
 steps:
 - uses: actions/checkout@v4
 with:
@@ -26,7 +31,9 @@ jobs:
 persist-credentials: false
 - name: Build and Check Package
- uses: hynek/build-and-inspect-python-package@v2.4.0
+ uses: hynek/build-and-inspect-python-package@v2.5.0
+ with:
+ attest-build-provenance-github: 'true'
 deploy:
 if: github.repository == 'pytest-dev/pytest'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 443474067..df801864f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
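Review bot: The job-level `permissions` block added in the first deploy.yml hunk lists only `id-token: write` and `attestations: write`, and a job-level block sets every scope it does not list to `none`, so this job's `GITHUB_TOKEN` loses the default `contents: read`; the `actions/checkout@v4` step a few lines below then appears to rely on the repository being public in order to fetch. Adding `contents: read` to the same block makes that dependency explicit and keeps the job working if repository visibility or the default token settings ever change. The one-line comment could also say what each scope buys, e.g. `# id-token: write lets the job request the OIDC identity token used to sign the attestation; attestations: write lets it store the result.` The `package` job this block belongs to starts above the hunk.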
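Review bot: In the second deploy.yml hunk, `uses: hynek/build-and-inspect-python-package@v2.5.0` references the action by a mutable tag, and with `attest-build-provenance-github: 'true'` this step now obtains the job's OIDC token and produces signed provenance for the release artifacts on the project's behalf; pinning the full commit SHA (keeping the tag in a trailing comment) would make the attested build step itself immutable and is the usual hardening for release workflows. The test.yml hunk bumps the same tag but, despite the description's "both cases", adds neither the input nor the `permissions` block, so only deploy.yml attests; worth confirming that is intended. Whether the `deploy` job verifies the attestation of the downloaded artifact before publishing cannot be seen here, as that job starts at the hunk's last lines and continues below it.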
@@ -35,7 +35,7 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
 - name: Build and Check Package
- uses: hynek/build-and-inspect-python-package@v2.4.0
+ uses: hynek/build-and-inspect-python-package@v2.5.0
 build:
 needs: [package]
diff --git a/changelog/12333.trivial.rst b/changelog/12333.trivial.rst
new file mode 100644
index 000000000..32c4c5771
--- /dev/null
+++ b/changelog/12333.trivial.rst
@@ -0,0 +1 @@
+pytest releases are now attested using the recent `Artifact Attestation ` support from GitHub, allowing users to verify the provenance of pytest's sdist and wheel artifacts.