From 050a862f2ef6bfac10de1b67404264099b0d6918 Mon Sep 17 00:00:00 2001
From: "Christopher J. Markiewicz" <markiewicz@stanford.edu>
Date: Mon, 27 Jan 2025 08:15:11 -0500
Subject: [PATCH] chore(ci): Add attestations to package build

---
 .github/workflows/pypi-package.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index e96f376c..5f13478e 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -17,11 +17,17 @@ jobs:
   build-package:
     name: Build & verify package
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: hynek/build-and-inspect-python-package@v2
+        with:
+          # Always true, but we will likely want to reuse this job in PR builds
+          attest-build-provenance-github: ${{ github.event_name != 'pull_request' }}
 
   auto-release-test-pypi:
     runs-on: ubuntu-latest