[Django] #36563: Adopt PEP 740 attestations for Django release files on PyPI


Django

Aug 20, 2025, 12:05:49 PM
to django-...@googlegroups.com
#36563: Adopt PEP 740 attestations for Django release files on PyPI
-------------------------------------+-------------------------------------
Reporter: JaeHyuckSa | Type: New
| feature
Status: new | Component: Packaging
Version: 5.2 | Severity: Normal
Keywords: PEP740, PyPI, | Triage Stage:
provenance, attestations, | Unreviewed
release-process |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Following the Django Forum discussion
(https://forum.djangoproject.com/t/adopt-pep-740-digital-attestations-for-django-releases/42460/4),
I’d like to explore adding PEP 740 provenance (digital attestations) for
Django’s sdists and wheels on PyPI. This looks doable without runtime
changes; the work should be limited to the release process and docs.

(A) Keep the current manual release and still adopt PEP 740 by setting up
Trusted Publishing on PyPI, generating attestations with
pypi-attestations, and uploading with twine upload --attestations. Adding a
brief post-upload check in the release guide using PyPI’s Integrity API
also seems reasonable. Uploading attestations will likely require a
Trusted Publisher identity.

(B) Alternatively, move releases to GitHub Actions with Trusted Publishing
and use pypa/gh-action-pypi-publish@release/v1. This path would require
changing Django’s release method to GitHub Actions and defining that
workflow in our docs/release process.
--
Ticket URL: <https://code.djangoproject.com/ticket/36563>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
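The post-upload check mentioned in option (A), as an added example that is not part of the ticket or Django's release tooling: it takes a provenance document in the shape PyPI's Integrity API serves (assumed here to follow PEP 740's Provenance/Attestation objects), confirms the Trusted Publisher repository is the expected one, and confirms the attestation's in-toto subject digest matches the downloaded file. The sdist bytes, the `django/django` repository, the `release.yml` workflow name and the `django-5.2.tar.gz` filename are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample input (hypothetical, not a real Django release): the
# bytes of an sdist and the Trusted Publisher repository we expect to see.
SDIST_BYTES = b"constructed sdist contents for illustration only"
EXPECTED_REPO = "django/django"

def encode_statement(filename: str, sha256_hex: str) -> str:
    """Base64-encode an in-toto Statement naming one subject (sample builder)."""
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": filename, "digest": {"sha256": sha256_hex}}]}
    return base64.b64encode(json.dumps(stmt).encode()).decode()

def check_provenance(provenance: dict, filename: str, artifact: bytes,
                     expected_repo: str) -> list[str]:
    """Return findings (empty list = checks passed). Assumes the PEP 740
    Provenance shape; checks publisher identity and subject digest only, so
    signatures and transparency-log entries still need a real verifier."""
    findings = []
    actual = hashlib.sha256(artifact).hexdigest()
    bundles = provenance.get("attestation_bundles") or []
    if not bundles:
        return [f"no attestation bundles published for {filename}"]
    for bundle in bundles:
        pub = bundle.get("publisher", {})
        if pub.get("kind") != "GitHub" or pub.get("repository") != expected_repo:
            findings.append(f"unexpected publisher: {pub}")
        for att in bundle.get("attestations", []):
            stmt = json.loads(base64.b64decode(att["envelope"]["statement"]))
            digests = {s["name"]: s["digest"]["sha256"] for s in stmt["subject"]}
            if digests.get(filename) != actual:
                findings.append(f"subject digest mismatch for {filename}")
    return findings

# Constructed provenance document in the shape the Integrity API returns for
# GET /integrity/{project}/{version}/{filename}/provenance on pypi.org.
SAMPLE_PROVENANCE = {"version": 1, "attestation_bundles": [{
    "publisher": {"kind": "GitHub", "repository": EXPECTED_REPO,
                  "workflow": "release.yml"},
    "attestations": [{"version": 1,
                      "verification_material": {"certificate": "<omitted>",
                                                "transparency_entries": []},
                      "envelope": {"statement": encode_statement(
                          "django-5.2.tar.gz",
                          hashlib.sha256(SDIST_BYTES).hexdigest()),
                          "signature": "<omitted>"}}]}]}
```

In a release guide this would run against the JSON fetched from the Integrity API and the locally built sdist, with a non-empty findings list blocking the announcement.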

Django

Aug 20, 2025, 12:15:02 PM
to django-...@googlegroups.com
#36563: Adopt PEP 740 attestations for Django release files on PyPI
-------------------------------------+-------------------------------------
Reporter: JaeHyuckSa | Owner: (none)
Type: New feature | Status: new
Component: Packaging | Version: 5.2
Severity: Normal | Resolution:
Keywords: PEP740, PyPI, | Triage Stage:
provenance, attestations, | Unreviewed
release-process |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by JaeHyuckSa):

In my view, this work is primarily permissions-related, so it may be
difficult for me to drive it directly; however, if the ticket is approved,
I’d be happy to contribute in a supporting role.
--
Ticket URL: <https://code.djangoproject.com/ticket/36563#comment:1>

Django

Aug 20, 2025, 12:28:53 PM
to django-...@googlegroups.com
#36563: Adopt PEP 740 attestations for Django release files on PyPI
-------------------------------------+-------------------------------------
Reporter: JaeHyuckSa | Owner: (none)
Type: New feature | Status: new
Component: Packaging | Version: dev
Severity: Normal | Resolution:
Keywords: PEP740, PyPI, | Triage Stage:
provenance, attestations, | Unreviewed
release-process |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by JaeHyuckSa):

* version: 5.2 => dev

--
Ticket URL: <https://code.djangoproject.com/ticket/36563#comment:2>

Django

Aug 21, 2025, 9:16:02 AM
to django-...@googlegroups.com
#36563: Adopt PEP 740 attestations for Django release files on PyPI
-------------------------------------+-------------------------------------
Reporter: JaeHyuckSa | Owner: (none)
Type: New feature | Status: closed
Component: Packaging | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: PEP740, PyPI, | Triage Stage:
provenance, attestations, | Unreviewed
release-process |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* resolution: => wontfix
* status: new => closed

Comment:

Hello JaeHyuckSa, thank you for the ticket and the forum post
conversation. As mentioned there, this is far from trivial and warrants a
much deeper conversation since, currently, releases are performed with a
fully manual procedure (see docs:
https://docs.djangoproject.com/en/dev/internals/howto-release-django/).

I'll close as `wontfix` following the documented triage procedure.
--
Ticket URL: <https://code.djangoproject.com/ticket/36563#comment:3>

Django

Aug 21, 2025, 11:07:39 AM
to django-...@googlegroups.com
#36563: Adopt PEP 740 attestations for Django release files on PyPI
-------------------------------------+-------------------------------------
Reporter: JaeHyuckSa | Owner: (none)
Type: New feature | Status: closed
Component: Packaging | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: PEP740, PyPI, | Triage Stage:
provenance, attestations, | Unreviewed
release-process |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by JaeHyuckSa):

I completely understand. I also thought lightly of this matter at first,
but it turned out there’s actually a lot more to discuss than I expected.
--
Ticket URL: <https://code.djangoproject.com/ticket/36563#comment:4>