Conversation

Contributor

Copilot AI commented Jan 1, 2026

PR #160 added attestations: false to prevent duplicate attestation creation, but deployments still failed. Sigstore v3 creates .sigstore.json files in dist/ that PyPI rejects (only accepts .whl/.tar.gz).

Changes

  • Move attestations pre-publish: Extract .sigstore.json files from dist/ to attestations/ after signing, before PyPI upload
  • Fix release asset patterns: Update from non-existent .sig/.pem to actual .sigstore.json files in new location

```yaml
- name: Sign distributions with Sigstore
  uses: sigstore/[email protected]
  with:
    inputs: >-
      dist/*.whl
      dist/*.tar.gz

- name: Move Sigstore attestations out of dist
  run: |
    mkdir -p attestations
    if ls dist/*.sigstore.json 1> /dev/null 2>&1; then
      mv dist/*.sigstore.json attestations/
    fi

- name: Upload release assets
  uses: softprops/action-gh-release@v2
  with:
    files: |
      dist/*.whl
      dist/*.tar.gz
      attestations/*.sigstore.json
      dist/sbom.json
```

Note: README verification examples still reference deprecated .sig/.pem format; update separately for Sigstore v3 bundle verification.

Original prompt

@copilot the PR #160 was merged and I tried to deploy to pypi but I still see the error: https://github.com/jacksonpradolima/gsp-py/actions/runs/20643314856/job/59277919996
Fix it in another PR


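A pre-publish gate for the "Move Sigstore attestations out of dist" step described above, written here as an added example rather than taken from the gsp-py workflow: it moves the bundles out of dist/, then fails if dist/ still holds anything PyPI would reject, or if a distribution was left without a bundle (which would mean signing silently skipped it). It assumes sigstore-python's default bundle name of `<artifact>.sigstore.json`; the directory paths are parameters so it can be exercised on a scratch directory.

```shell
#!/usr/bin/env sh
# Added example (not part of the gsp-py workflow): separate Sigstore bundles
# from the distributions PyPI accepts and refuse to continue when dist/ is
# not clean or a distribution has no attestation.

# prepare_dist DIST ATTEST
#   1. moves DIST/*.sigstore.json into ATTEST
#   2. fails if any remaining file in DIST is not a .whl or .tar.gz
#   3. fails if a .whl/.tar.gz in DIST has no ATTEST/<name>.sigstore.json
#   Returns 0 when all checks pass, 1 otherwise (reasons go to stderr).
prepare_dist() {
  dist=$1
  attest=$2
  mkdir -p "$attest"

  # Move bundles out of dist/ so the PyPI upload step never sees them.
  for bundle in "$dist"/*.sigstore.json; do
    [ -e "$bundle" ] || continue            # glob matched nothing
    mv "$bundle" "$attest/"
  done

  status=0
  for f in "$dist"/*; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    case "$name" in
      *.whl|*.tar.gz)
        # Assumed naming: sigstore-python writes <artifact>.sigstore.json
        if [ ! -f "$attest/$name.sigstore.json" ]; then
          echo "missing attestation for $name" >&2
          status=1
        fi
        ;;
      *)
        # Anything else left in dist/ (e.g. an SBOM) would fail the upload.
        echo "unexpected file in dist/: $name" >&2
        status=1
        ;;
    esac
  done
  return "$status"
}
```

Run it as a step between signing and `pypa/gh-action-pypi-publish`; a non-zero exit stops the job before the rejected upload rather than after it.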

sonarqubecloud bot commented Jan 1, 2026

@jacksonpradolima jacksonpradolima marked this pull request as ready for review January 1, 2026 18:28
@jacksonpradolima jacksonpradolima self-requested a review as a code owner January 1, 2026 18:28
Copilot AI review requested due to automatic review settings January 1, 2026 18:28
Copilot AI changed the title from "[WIP] Fix error in PyPI deployment process" to "Fix PyPI publish: exclude Sigstore .sigstore.json files from dist/" Jan 1, 2026
@jacksonpradolima jacksonpradolima merged commit c30328e into master Jan 1, 2026
10 of 14 checks passed
@jacksonpradolima jacksonpradolima deleted the copilot/fix-pypi-deployment-error branch January 1, 2026 18:30
Contributor

Copilot AI left a comment

Pull request overview

This PR fixes the PyPI deployment failure that occurred after PR #160 was merged. The root cause was that Sigstore creates .sigstore.json attestation files in the dist/ directory, which PyPI rejects during upload. The fix moves these attestation files out of dist/ before the PyPI upload step while still including them in the GitHub release assets.

Key changes:

  • Added a step to move .sigstore.json attestation files from dist/ to a separate attestations/ directory
  • Updated release assets upload patterns to reference the new attestations/ directory instead of the old .sig and .pem file patterns
