Switch to actions/attest-build-provenance@v1

.github/workflows/release.yml

@@ -71,7 +71,6 @@ jobs:
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           repository-url: "https://test.pypi.org/legacy/"
-          attestations: true
 
   github-release:
     name: Release on GitHub
@@ -82,36 +81,57 @@ jobs:
       name: GitHub
       url: "https://github.com/ei-grad/flask-shell-ipython/releases/"
     permissions:
-      contents: write  # IMPORTANT: mandatory for making GitHub Releases
-      id-token: write  # IMPORTANT: mandatory for sigstore
+      contents: write
+      id-token: write
     steps:
+      - uses: actions/checkout@v4
+      - name: Extract Version from Tag
+        run: echo "VERSION_FROM_GIT_REF=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
+      - name: Extract Version from pyproject.toml
+        run: |
+          VERSION_FROM_PYPROJECT=$(python -c "import toml; print(toml.load('pyproject.toml')['project']['version'])")
+          echo "VERSION_FROM_PYPROJECT=$VERSION_FROM_PYPROJECT" >> $GITHUB_ENV
+      - name: Ensure version consistency
+        run: |
+          if [ "$VERSION_FROM_GIT_REF" != "$VERSION_FROM_PYPROJECT" ]; then
+            echo "Error: Version from tag ($VERSION_FROM_GIT_REF) does not match version in pyproject.toml ($VERSION_FROM_PYPROJECT)"
+            exit 1
+          fi
+          echo VERSION=$VERSION_FROM_GIT_REF >> $GITHUB_ENV
+      - name: Extract changelog for release notes
+        id: changelog
+        run: |
+          CHANGELOG=$(awk -v version="$VERSION" '{
+              if ($0 ~ "^## \\[" version "\\]") inSection = 1;
+              else if ($0 ~ "^## \\[" && inSection) inSection = 0;
+              if (inSection) print $0;
+          }' CHANGELOG.md)
+          echo '::set-output name=section::${CHANGELOG}'
+      - name: Validate changelog content
+        if: steps.changelog.outputs.section == ''
+        run: echo "Changelog section for release notes is empty" && exit 1
       - name: Download artifacts
         uses: actions/download-artifact@v4
-      - name: Sign the dists with Sigstore
-        uses: sigstore/[email protected]
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v1
         with:
-          inputs: >-
-            ./dist/*.tar.gz
-            ./dist/*.whl
+          subject-path: dist/*
       - name: Create GitHub Release
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: >-
-          gh release create
-          '${{ github.ref_name }}'
-          --repo '${{ github.repository }}'
-          --generate-notes
+          gh release create '${{ github.ref_name }}'
+          --draft
+          --notes '${{ steps.changelog.outputs.section }}'
       - name: Upload artifact signatures to GitHub Release
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: >-
-          gh release upload
-          '${{ github.ref_name }}' dist/**
-          --repo '${{ github.repository }}'
+          gh release upload '${{ github.ref_name }}' dist/**
 
   pypi-publish:
     name: Release on PyPI
-    needs: test
+    needs: github-release
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     environment:
@@ -124,5 +144,3 @@ jobs:
         uses: actions/download-artifact@v4
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          attestations: true

pyproject.toml

@@ -33,6 +33,7 @@ dependencies = [
 
 [project.urls]
 Homepage = "https://github.com/ei-grad/flask-shell-ipython"
+Changelog = "https://github.com/ei-grad/flask-shell-ipython/blob/main/CHANGELOG.md"
 
 [project.entry-points."flask.commands"]
 shell = "flask_shell_ipython:shell"