ci: keep cosign bundles outside dist/ so PyPI publish does not reject them#60
Merged
Conversation
…ut-signature/--output-certificate)
The Release workflow's "Sign distributions with cosign" step was failing
the v1.1.4 release run with:

```
Flag --output-signature has been deprecated, please use --bundle
Flag --output-certificate has been deprecated, please use --bundle
Error: signing dist/pyaigis-1.1.4-py3-none-any.whl:
create bundle file: open : no such file or directory
```

cosign v3 removed the two legacy output flags and now requires a single
--bundle <path> that contains both the signature and the Sigstore
certificate. Replace the two-file flow with a per-artifact .cosign.bundle.

The bundle file is uploaded to the GitHub Release artifacts step
(softprops/action-gh-release with `files: dist/*`) so downstream verifiers
can still fetch the signature material from the release page; verification
with `cosign verify-blob --bundle ...` is the documented v3 flow.

Signed-off-by: killertcell428 <killertcell428@gmail.com>
… them

The v1.1.4 release run (after the cosign v3 --bundle fix in #59) failed in the Publish → PyPI step with:

```
Checking dist/pyaigis-1.1.4-py3-none-any.whl: PASSED
Checking dist/pyaigis-1.1.4-py3-none-any.whl.cosign.bundle: ERROR InvalidDistribution: Unknown distribution format: 'pyaigis-1.1.4-py3-none-any.whl.cosign.bundle'
```

pypa/gh-action-pypi-publish runs metadata verification across every file in dist/ and rejects extensions it does not recognise. The cosign bundle is not a PEP 740 attestation and does not belong in dist/.

Changes:
- Sign step writes bundles to dist-signatures/ (separate dir) instead of next to the wheel/sdist.
- Add a second upload-artifact for python-package-signatures so the bundles survive to the GitHub Release job.
- Release job downloads BOTH artifacts into a release-files/ directory and uploads everything together to the GitHub Release.

PyPI publish keeps reading from dist/ unchanged, so the verification step now sees only wheels and sdists.

Signed-off-by: killertcell428 <killertcell428@gmail.com>
Summary

After #59 made cosign output a .cosign.bundle per artifact, the v1.1.4 release run failed at PyPI publish:

```
Checking dist/pyaigis-1.1.4-py3-none-any.whl.cosign.bundle:
ERROR InvalidDistribution: Unknown distribution format
```

pypa/gh-action-pypi-publish verifies every file in dist/ against PyPI's accepted distribution formats and rejects anything else. The cosign bundle is not a PEP 740 attestation, so it can't live in dist/.

Changes

- Sign step writes bundles to a dist-signatures/ directory
- Second upload-artifact for python-package-signatures
- Release job downloads both artifacts into release-files/ and attaches everything to the GitHub Release together

PyPI publish keeps reading from dist/ unchanged — it now only sees wheels and sdists, as it expects.

Test plan
🤖 Generated with Claude Code
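A preflight script in the spirit of this change, added here as an example (it is not the project's own workflow code): it signs each wheel/sdist into a separate dist-signatures/ directory with cosign's --bundle flow, then refuses to proceed if dist/ contains anything other than wheels and sdists or if any artifact is missing its bundle. The function names, the directory layout and the use of cosign's `--yes` flag are assumptions following the commit messages above.

```shell
#!/usr/bin/env sh
# Example (not the project's workflow): keep cosign bundles out of dist/ and
# fail fast before publish if anything other than a wheel/sdist ends up there.
set -eu

# Sign every wheel/sdist in DIST_DIR, writing one Sigstore bundle per artifact
# into SIG_DIR (cosign v3 --bundle flow, single file with signature + cert).
# Needs cosign on PATH; the matching verify is `cosign verify-blob --bundle`.
sign_all() {
  dist_dir=$1
  sig_dir=$2
  mkdir -p "$sig_dir"
  for f in "$dist_dir"/*.whl "$dist_dir"/*.tar.gz; do
    [ -e "$f" ] || continue
    cosign sign-blob --yes --bundle "$sig_dir/$(basename "$f").cosign.bundle" "$f"
  done
}

# Preflight before pypa/gh-action-pypi-publish: return 0 only if DIST_DIR
# holds nothing but wheels/sdists and each of them has a bundle in SIG_DIR.
check_dist_layout() {
  dist_dir=$1
  sig_dir=$2
  rc=0
  for f in "$dist_dir"/*; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    case "$name" in
      *.whl|*.tar.gz)
        # Accepted distribution; it must also have been signed.
        [ -f "$sig_dir/$name.cosign.bundle" ] ||
          { echo "missing bundle for $name in $sig_dir" >&2; rc=1; } ;;
      *)
        # Anything else (e.g. a .cosign.bundle) makes the PyPI step fail.
        echo "unexpected file in $dist_dir: $name (PyPI would reject it)" >&2
        rc=1 ;;
    esac
  done
  return $rc
}
```

Run `sign_all dist dist-signatures` in the sign step and `check_dist_layout dist dist-signatures` just before the publish step; a non-zero exit stops the job before PyPI sees a stray bundle.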