fix: sign releases with Sigstore

dannyadair · dannyadair · commit e6b0f62f7c57 · 2025-05-10T02:16:14.000+12:00
More of a `ci:` but I want to trigger a release to confirm
diff --git a/.github/workflows/semantic-release.yaml b/.github/workflows/semantic-release.yaml
@@ -59,12 +59,18 @@ jobs:
           fi
           exit $status
 
+      - name: Sign the release with Sigstore
+        if: steps.release.outputs.released == 'true'
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        with:
+          inputs: dist/*
+
       - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
         if: steps.release.outputs.released == 'true'
+        uses: pypa/gh-action-pypi-publish@release/v1
 
       - name: Publish package distributions to GitHub Releases
-        uses: python-semantic-release/publish-action@v9.21.1
         if: steps.release.outputs.released == 'true'
+        uses: python-semantic-release/publish-action@v9.21.1
         with:
           github_token: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
