Merged
6 changes: 5 additions & 1 deletion CONTRIBUTING.md
Expand Up @@ -151,7 +151,11 @@ Maintainers do not run `git tag` by hand for normal releases.
build → SLSA build provenance attestation → CycloneDX SBOM +
attestation → upload artefacts → wait on the `pypi` Environment
reviewer → sigstore sign → PyPI Trusted Publishing → GitHub Release
with wheel + sdist + signatures + SBOM attached.
with wheel + sdist + sigstore signatures + SBOM + the in-toto
provenance bundle (`provenance/aemo_mdff_reader.intoto.jsonl`)
attached. The provenance file lets external scanners (Scorecard,
in-toto verifiers) confirm the artefacts were built by this
workflow without a round-trip to the GitHub attestations API.
7. Approve the deployment in the `pypi` Environment when GitHub
notifies you. The publish completes; verify at
https://pypi.org/project/aemo-mdff-reader/ and
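Review bot: the added sentence introduces a second provenance artefact, the in-toto bundle at `provenance/aemo_mdff_reader.intoto.jsonl`, alongside the "SLSA build provenance attestation" already named at the start of the same pipeline, but it does not say whether these are the same statement in two delivery forms or two separately generated documents; a reader of CONTRIBUTING.md cannot tell which one a scanner or a maintainer is expected to trust. Suggest one clause stating the relationship (for example that the bundle is the same attestation, exported for download), and extending step 7's "verify at ..." list with a check that the bundle's subject digests match the uploaded wheel and sdist, since a bundle whose subjects do not match the published files gives Scorecard or an in-toto verifier nothing to confirm, and the "without a round-trip to the GitHub attestations API" claim only holds when the bundle and the artefacts are verified together.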