From 3757b87919696d4b51a1656668af1773b273b2e2 Mon Sep 17 00:00:00 2001
From: Chris Markiewicz <effigies@gmail.com>
Date: Fri, 4 Oct 2024 11:57:45 -0400
Subject: [PATCH] CI: Add attesations

---
 .github/workflows/wheels.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
index fc11d7f..42b19a7 100644
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
@@ -115,7 +115,11 @@ jobs:
     runs-on: ubuntu-latest
     environment: "Package deployment"
     needs: [pre-publish]
-    if: github.event_name == 'release'
+    if: github.event_name == 'release' && github.event.action == 'published'
+    permissions:
+      id-token: write
+      attestations: write
+
     steps:
       - uses: actions/download-artifact@v3
         with:
@@ -124,4 +128,12 @@ jobs:
         run: |
           mv dist/*/*.{tar.gz,whl} dist
           rmdir dist/*/
+
+      - name: Generate artifact attestations
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-path: "dist/nipy_gradunwarp-*"
+
       - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          attestations: true