@woodruffw
Member

Summary

This broke the release and I haven't figured out why yet.

Test Plan

Blame my past self.

@woodruffw woodruffw requested a review from zanieb December 3, 2025 00:35
@woodruffw woodruffw self-assigned this Dec 3, 2025
@woodruffw woodruffw temporarily deployed to uv-test-registries December 3, 2025 00:38 — with GitHub Actions Inactive
@woodruffw woodruffw added the internal A refactor or improvement that is not user-facing label Dec 3, 2025
@woodruffw
Member Author

woodruffw commented Dec 3, 2025

Triage: this is a reusable workflows thing, namely pypi/warehouse#11096 (hello past me).

Specifically, what's happening here is that the attestation is from release.yml @ astral-sh/uv, while the publisher identity on PyPI (which it needs to match) is publish-pypi.yml @ astral-sh/uv. This happens because release.yml is the calling workflow, while publish-pypi.yml is the callee.

Relevant tlog: https://search.sigstore.dev/?logIndex=737467510

Actual error:

DEBUG Response code for https://upload.pypi.org/legacy/: 400 Bad Request
DEBUG Upload error response: {"message": "The server could not comply with the request since it is either malformed or otherwise incorrect.\n\n\nInvalid attestations supplied during upload: Could not verify the uploaded artifact using the included attestation: Verification failed: Certificate's Build Config URI (<Extension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.57264.1.18, name=Unknown OID)>, critical=False, value=<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.57264.1.18, name=Unknown OID)>, value=b'\\x0cMhttps://github.com/astral-sh/uv/.github/workflows/release.yml@refs/heads/main')>)>) does not match expected Trusted Publisher (publish-pypi.yml @ astral-sh/uv)\n\n", "code": "400 Invalid attestations supplied during upload: Could not verify the uploaded artifact using the included attestation: Verification failed: Certificate's Build Config URI (<Extension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.57264.1.18, name=Unknown OID)>, critical=False, value=<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.57264.1.18, name=Unknown OID)>, value=b'\\x0cMhttps://github.com/astral-sh/uv/.github/workflows/release.yml@refs/heads/main')>)>) does not match expected Trusted Publisher (publish-pypi.yml @ astral-sh/uv)", "title": "Bad Request"}
error: Failed to publish `wheels_uv_build/uv_build-0.9.15-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl` to https://upload.pypi.org/legacy/
  Caused by: Upload failed with status code 400 Bad Request. Server says: 400 Invalid attestations supplied during upload: Could not verify the uploaded artifact using the included attestation: Verification failed: Certificate's Build Config URI (<Extension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.57264.1.18, name=Unknown OID)>, critical=False, value=<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.57264.1.18, name=Unknown OID)>, value=b'\x0cMhttps://github.com/astral-sh/uv/.github/workflows/release.yml@refs/heads/main')>)>) does not match expected Trusted Publisher (publish-pypi.yml @ astral-sh/uv)
Error: Process completed with exit code 2.
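
Added example (not part of the thread, and not code from uv, PyPI/warehouse or sigstore): the extension value in the error above is a DER UTF8String naming the calling workflow, and this sketch decodes it and compares it with a registered publisher. The function names and the comparison rule in `matches_publisher` are assumptions for illustration; only the byte string and the two workflow names come from the log.

```python
# Added illustration; not code from uv, PyPI/warehouse, or sigstore.
from urllib.parse import urlparse

# Extension value copied from the error output above (OID 1.3.6.1.4.1.57264.1.18).
BUILD_CONFIG_URI_DER = (
    b"\x0cMhttps://github.com/astral-sh/uv/.github/workflows/release.yml@refs/heads/main"
)


def decode_der_utf8string(der: bytes) -> str:
    """Decode a single DER UTF8String (tag 0x0c), rejecting trailing bytes."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    length, offset = der[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    if len(der) - offset != length:
        raise ValueError("length does not match content")
    return der[offset:].decode("utf-8")


def parse_build_config_uri(uri: str) -> tuple[str, str, str]:
    """Split https://github.com/OWNER/REPO/.github/workflows/FILE@REF."""
    location, sep, ref = uri.partition("@")
    parsed = urlparse(location)
    parts = parsed.path.strip("/").split("/")
    if (not sep or parsed.scheme != "https" or parsed.netloc != "github.com"
            or len(parts) != 5 or parts[2:4] != [".github", "workflows"]):
        raise ValueError(f"unexpected Build Config URI: {uri!r}")
    return f"{parts[0]}/{parts[1]}", parts[4], ref


def matches_publisher(der: bytes, repo: str, workflow: str) -> bool:
    """Hypothetical check: certificate workflow must equal the registered one."""
    cert_repo, cert_workflow, _ref = parse_build_config_uri(decode_der_utf8string(der))
    return (cert_repo.lower(), cert_workflow) == (repo.lower(), workflow)


if __name__ == "__main__":
    # Callee registered on PyPI vs. caller named in the certificate.
    print(matches_publisher(BUILD_CONFIG_URI_DER, "astral-sh/uv", "publish-pypi.yml"))
    print(matches_publisher(BUILD_CONFIG_URI_DER, "astral-sh/uv", "release.yml"))
```

The first comparison fails because the certificate names the caller `release.yml`, while the publisher checked against is the callee `publish-pypi.yml`.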

@zanieb zanieb merged commit 18a3652 into main Dec 3, 2025
101 checks passed
@zanieb zanieb deleted the ww/disable-740 branch December 3, 2025 00:50
zanieb added a commit that referenced this pull request Dec 3, 2025
…16945)

See #16944

The `crates.io` publish succeeded and is not idempotent (i.e., it'll
fail on another publish attempt) so we will skip it for a re-run of the
release workflow.
zanieb added a commit that referenced this pull request Dec 3, 2025