Skip to content

Comments

Collect and upload PEP 740 attestations during uv publish#16731

Merged
woodruffw merged 33 commits intomainfrom
ww/upload-attestations
Nov 24, 2025
Merged

Collect and upload PEP 740 attestations during uv publish#16731
woodruffw merged 33 commits intomainfrom
ww/upload-attestations

Conversation

@woodruffw
Copy link
Member

@woodruffw woodruffw commented Nov 13, 2025
edited
Loading

Summary

Still working on this.

TL;DR: This makes uv publish behave like twine upload: when a user does uv publish dist/* and dist/* includes attestations, we now group those attestations with their matching distribution and include them in the upload. This changes the behavior from the previous behavior, which silently skipped these (since they don't match the distribution filename format).

This is a step towards #15618: we don't produce attestations within uv itself yet, but this allows uv to upload them if they're already present as part of the distribution paths.

Test Plan

I've broken the uv-publish crate's functionality for collecting upload inputs a part a bit to make testing of the grouping logic easier; files_for_publishing is now group_files_for_publishing, with an interior helper (group_files) that does no I/O or filesystem ops. I've added unit tests for that inner helper to confirm our matching/grouping works as expected and doesn't regress on other publishing tests.

Separately, it'd be nice to have some kind of integration test with an index that supports attestations, like PyPI or TestPyPI. I'll need to think a bit about how best to do that 🙂

@woodruffw
Collect and upload PEP 740 attestations during uv publish
39d917c 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw temporarily deployed to uv-test-registries November 13, 2025 21:38 — with GitHub Actions Inactive
@woodruffw
clippy + fmt
9ee2563 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw temporarily deployed to uv-test-registries November 13, 2025 21:42 — with GitHub Actions Inactive
@woodruffw
publish: attach attestations during upload
fbbe3a0 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw
fix snapshot, cleanup lints
18eb71e 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw temporarily deployed to uv-test-registries November 13, 2025 22:22 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 14, 2025 02:14 — with GitHub Actions Inactive
konstin
konstin reviewed Nov 14, 2025
View reviewed changes
@woodruffw
rename type, parse instead of validating
31c67bb 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw
Copy link
Member Author

woodruffw commented Nov 14, 2025

Flagging one thing: unlike twine upload this currently sends attestations unconditionally if they're present, which may not play super well with various indices (they may reject the attestations form part rather than silently skipping it). I'll need to add this to our upload tests.

@woodruffw woodruffw temporarily deployed to uv-test-registries November 14, 2025 14:17 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 17, 2025 18:22 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 18, 2025 17:26 — with GitHub Actions Inactive
@woodruffw
test_publish: enable attestations on pypi upload test
df2dcad 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw temporarily deployed to uv-test-registries November 18, 2025 18:27 — with GitHub Actions Inactive
@woodruffw
debugging
ea44bc8 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw requested review from konstin and zanieb November 20, 2025 16:54
@woodruffw woodruffw self-assigned this Nov 20, 2025
@woodruffw woodruffw temporarily deployed to uv-test-registries November 20, 2025 17:50 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 20, 2025 18:05 — with GitHub Actions Inactive
zanieb
zanieb reviewed Nov 20, 2025
View reviewed changes
docs/guides/package.md
Comment on lines +191 to +192
`uv publish` does not currently generate attestations; attestations must
be created separately before publishing.
Copy link
Member

@zanieb zanieb Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we link or suggest how they would be created?

Copy link
Member Author

@woodruffw woodruffw Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wrinkle here is that there's no good way to do this currently 😅 -- we could point users to pypi-attestations as a DIY approach, but that's a glue package that isn't really intended for direct usage.

(What gh-action-pypi-publish does is have a helper script that uses the pypi-attestations APIs.)

One option here would be to create astral-sh/pypi-attest as an action, which we'd then recommend at least until we have in-client attesting. That would only take me an hour or two to build.

@woodruffw woodruffw temporarily deployed to uv-test-registries November 20, 2025 22:49 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 21, 2025 15:13 — with GitHub Actions Inactive
konstin
konstin approved these changes Nov 24, 2025
View reviewed changes
@woodruffw woodruffw temporarily deployed to uv-test-registries November 24, 2025 14:07 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 24, 2025 20:39 — with GitHub Actions Inactive
@woodruffw woodruffw merged commit 7b3199f into main Nov 24, 2025
163 checks passed
@woodruffw woodruffw deleted the ww/upload-attestations branch November 24, 2025 21:47
@github-actions github-actions bot mentioned this pull request Nov 25, 2025
Merged
1 task
@BrewTestBot BrewTestBot mentioned this pull request Nov 25, 2025
Merged
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Nov 27, 2025
@tmeijn
build(deps): update astral-sh/uv to v0.9.13
a3e8466 
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.9.11` -> `0.9.13` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.9.13`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0913)

[Compare Source](astral-sh/uv@0.9.12...0.9.13)

Released on 2025-11-26.

##### Bug fixes

- Revert "Allow `--with-requirements` to load extensionless inline-metadata scripts" to fix reading of requirements files from streams ([#&#8203;16861](astral-sh/uv#16861))
- Validate URL wheel tags against `Requires-Python` and required environments ([#&#8203;16824](astral-sh/uv#16824))

##### Documentation

- Drop unpublished crates from the uv crates.io README ([#&#8203;16847](astral-sh/uv#16847))
- Fix the links to uv in crates.io member READMEs ([#&#8203;16848](astral-sh/uv#16848))

### [`v0.9.12`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0912)

[Compare Source](astral-sh/uv@0.9.11...0.9.12)

Released on 2025-11-24.

##### Enhancements

- Allow `--with-requirements` to load extensionless inline-metadata scripts ([#&#8203;16744](astral-sh/uv#16744))
- Collect and upload PEP 740 attestations during `uv publish` ([#&#8203;16731](astral-sh/uv#16731))
- Prevent `uv export` from overwriting `pyproject.toml` ([#&#8203;16745](astral-sh/uv#16745))

##### Documentation

- Add a crates.io README for uv ([#&#8203;16809](astral-sh/uv#16809))
- Add documentation for intermediate Docker layers in a workspace ([#&#8203;16787](astral-sh/uv#16787))
- Enumerate workspace members in the uv crate README ([#&#8203;16811](astral-sh/uv#16811))
- Fix documentation links for crates ([#&#8203;16801](astral-sh/uv#16801))
- Generate a crates.io README for uv workspace members ([#&#8203;16812](astral-sh/uv#16812))
- Move the "Export" guide to the projects concept section ([#&#8203;16835](astral-sh/uv#16835))
- Update the cargo install recommendation to use crates ([#&#8203;16800](astral-sh/uv#16800))
- Use the word "internal" in crate descriptions ([#&#8203;16810](astral-sh/uv#16810))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4xOS43IiwidXBkYXRlZEluVmVyIjoiNDIuMjEuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90Il19-->
@mkniewallner mkniewallner mentioned this pull request Dec 6, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zanieb zanieb zanieb left review comments

@konstin konstin konstin approved these changes

+1 more reviewer

@messerli-wallace messerli-wallace messerli-wallace approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@woodruffw woodruffw

Labels

enhancement New feature or improvement to existing functionality

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@woodruffw @zanieb @konstin @messerli-wallace