From bbeeb6dbd232da6d49e79e091e185fb1c16dd669 Mon Sep 17 00:00:00 2001
From: Bruno Oliveira
Date: Thu, 16 May 2024 07:55:32 -0300
Subject: [PATCH] Attest build provenance (#431)

This uses the new build provenance support added in https://github.com/hynek/build-and-inspect-python-package/blob/main/CHANGELOG.md#250---2024-05-13.
---
 .github/workflows/deploy.yml | 9 ++++++++-
 .github/workflows/test.yml | 9 +++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 39d0512..0788ee0 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -12,6 +12,10 @@ jobs:
 package:
 runs-on: ubuntu-latest
+ # Required by attest-build-provenance-github.
+ permissions:
+ id-token: write
+ attestations: write
 env:
 SETUPTOOLS_SCM_PRETEND_VERSION: ${{ github.event.inputs.version }}
@@ -20,6 +24,9 @@ jobs:
 - name: Build and Check Package
 uses: hynek/build-and-inspect-python-package@v1.5
+ with:
+ attest-build-provenance-github: 'true'
+
 deploy:
 needs: package
@@ -33,7 +40,7 @@ jobs:
 - uses: actions/checkout@v3
 - name: Download Package
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: Packages
 path: dist
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7bc8f62..d217028 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,10 +17,15 @@ jobs:
 package:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@v3
 - name: Build and Check Package
- uses: hynek/build-and-inspect-python-package@v1.5
+ uses: hynek/build-and-inspect-python-package@v2.5.0
+ with:
+ attest-build-provenance-github: 'true'
 test:
@@ -49,7 +54,7 @@ jobs:
 - uses: actions/checkout@v3
 - name: Download Package
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: Packages
 path: dist
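Review bot: In .github/workflows/deploy.yml the new job-level `permissions:` block on `package` lists only `id-token: write` and `attestations: write`, so every scope not named there drops to `none` for this job, including `contents`. Checkout of a public repository still works without it, but adding `contents: read` next to the two write scopes keeps the job's needs explicit and stops it breaking if the repository's visibility changes. The same block is added to `package` in .github/workflows/test.yml, there without the `# Required by attest-build-provenance-github.` comment; the comment is worth repeating so the write scopes are not widened or removed by someone who cannot see why they exist. The job body continues outside the hunk.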
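Review bot: The `with: attest-build-provenance-github: 'true'` input is added in .github/workflows/deploy.yml while the `uses:` line directly above it stays at `hynek/build-and-inspect-python-package@v1.5`; the commit message and the test.yml change both tie this input to 2.5.0. An action version that does not declare an input only logs a warning about it, so the release build would most likely run without producing an attestation while the job still holds the two write scopes. The line should read `uses: hynek/build-and-inspect-python-package@v2.5.0`, as in test.yml. This also matters for the later hunk that moves the `deploy` job to `actions/download-artifact@v4`: if v1.5 uploads with the v3 artifact action (not visible here), the v4 download will not find `Packages`, because v3 and v4 artifacts are not interchangeable. Since this job now holds `id-token: write`, consider pinning the action to the release's full commit SHA, `uses: hynek/build-and-inspect-python-package@<full-commit-sha>  # v2.5.0`, rather than a tag that can be moved.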
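Review bot: The `package` job in .github/workflows/test.yml now requests `id-token: write` and `attestations: write` and turns attestation on unconditionally, but the workflow's triggers are outside the hunk. If it runs on `pull_request`, runs from forks receive a read-only token and cannot obtain these scopes, so the attestation step may fail there, and runs from branches in the repository would publish signed provenance for packages built from unreviewed code that is never released. Unless CI artifacts are meant to be attested, leave attestation to deploy.yml, or gate it with `attest-build-provenance-github: ${{ github.event_name != 'pull_request' }}` after confirming how the action treats a `'false'` value. Consumers verifying a release should in any case check the signing workflow and ref recorded in the attestation, not only the repository.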