Spun out of the senior-dev review of #1.
Background
The current release workflow (`.github/workflows/release.yml`) builds an sdist + wheel on `v*` tags, runs `twine check`, and attaches the artifacts to a GitHub Release.
It does not sign the artifacts and it does not publish to PyPI. Both are intentional for now (see the inline comment in `release.yml` and the PyPI deferral in `docs/roadmap.md`).
Action when PyPI is wired
Once the HeOCR org configures PyPI trusted publishing (OIDC), this repo should:
- Add a `publish` job to `release.yml` that uses `pypa/gh-action-pypi-publish` (SHA-pinned) with `id-token: write` permission and `environment: pypi`.
- Add Sigstore signing of the same artifacts using `sigstore/gh-action-sigstore-python` (SHA-pinned), publishing the resulting `.sigstore` bundles alongside the wheel/sdist on the GitHub Release.
- Document verification in `SECURITY.md` so consumers can verify a release before installing.
Why not in #1
PyPI publishing is the prerequisite. Signing artifacts that nobody downloads is overhead with no consumer-visible benefit. Land both together when PyPI is on.
Spun out of the senior-dev review of #1.
Background
The current release workflow (`.github/workflows/release.yml`) builds an sdist + wheel on `v*` tags, runs `twine check`, and attaches the artifacts to a GitHub Release.
It does not sign the artifacts and it does not publish to PyPI. Both are intentional for now (see the inline comment in `release.yml` and the PyPI deferral in `docs/roadmap.md`).
Action when PyPI is wired
Once the HeOCR org configures PyPI trusted publishing (OIDC), this repo should:
Why not in #1
PyPI publishing is the prerequisite. Signing artifacts that nobody downloads is overhead with no consumer-visible benefit. Land both together when PyPI is on.