sphinx-doc · Nov 25, 2024
diff --git a/‎.github/workflows/builddoc.yml
+2 b/‎.github/workflows/builddoc.yml
+2
diff --git a/‎.github/workflows/create-release.yml
+15-5 b/‎.github/workflows/create-release.yml
+15-5
@@ -22,6 +22,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
 
@@ -28,6 +28,8 @@ jobs:
       id-token: write  # for PyPI trusted publishing
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
@@ -62,11 +64,15 @@ jobs:
           show-summary: "true"
 
       - name: Convert attestations to PEP 740
-        # workflow_ref example: sphinx-doc/sphinx/.github/workflows/create-release.yml@refs/heads/master
         run: >
           python utils/convert_attestations.py
-          "${{ steps.attest.outputs.bundle-path }}"
-          "https://github.com/${{ github.workflow_ref }}"
+          "$BUNDLE_PATH"
+          "$SIGNER_IDENTITY"
+        env:
+          BUNDLE_PATH: "${{ steps.attest.outputs.bundle-path }}"
+          # workflow_ref example: sphinx-doc/sphinx/.github/workflows/create-release.yml@refs/heads/master
+          # this forms the "signer identity" for the attestations
+          SIGNER_IDENTITY: "https://github.com/${{ github.workflow_ref }}"
 
       - name: Inspect PEP 740 attestations
         run: |
@@ -75,8 +81,10 @@ jobs:
       - name: Prepare attestation bundles for uploading
         run: |
           mkdir -p /tmp/attestation-bundles
-          cp "${{ steps.attest.outputs.bundle-path }}" /tmp/attestation-bundles/
+          cp "$BUNDLE_PATH" /tmp/attestation-bundles/
           cp dist/*.publish.attestation /tmp/attestation-bundles/
+        env:
+          BUNDLE_PATH: "${{ steps.attest.outputs.bundle-path }}"
 
       - name: Upload attestation bundles
         uses: actions/upload-artifact@v4
@@ -97,7 +105,7 @@ jobs:
               headers: {Authorization: `bearer ${oidc_request_token}`},
             });
             const oidc_token = (await oidc_resp.json()).value;
-  
+
             // exchange the OIDC token for an API token
             const mint_resp = await fetch('https://pypi.org/_/oidc/github/mint-token', {
               method: 'post',
@@ -127,6 +135,8 @@ jobs:
       contents: write  # for softprops/action-gh-release to create GitHub release
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Get release version
         id: get_version
         uses: actions/github-script@v7