From 4abf13a93f1bedfa2d7e86ffa35df6658d35c3c7 Mon Sep 17 00:00:00 2001 From: Ray Walker Date: Sat, 16 May 2026 19:56:21 +1000 Subject: [PATCH] ci: fix attestation job never running on releases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The attest job was always skipped on normal push releases because its `if:` lacked the `!failure() && !cancelled()` guard. When validate-inputs (only runs for manual dispatch) was skipped, the attest job cascaded to skipped regardless of release_created being true. Also decouple publish from attest — attestation failure should never block PyPI publishing. Remove continue-on-error from the core attest step so failures surface instead of being silently swallowed. Closes #107 --- .github/workflows/release-please.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index c2c1d63..c018487 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -161,7 +161,7 @@ jobs: attest: name: Attest Build Provenance and SBOM needs: [release-please, validate-inputs, build-wheels, build-sdist] - if: needs.release-please.outputs.release_created == 'true' || github.event.inputs.force_release == 'true' + if: ${{ !failure() && !cancelled() && (needs.release-please.outputs.release_created == 'true' || github.event.inputs.force_release == 'true') }} runs-on: ubuntu-latest permissions: id-token: write @@ -183,7 +183,6 @@ jobs: uses: actions/attest-build-provenance@96b4a1ef7235a096b17240c259729fdd70c83d45 # v2 with: subject-path: dist/* - continue-on-error: true - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: 
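Review bot: The new `if:` on the attest job lets it start whenever no needed job has failed, which covers a skipped validate-inputs but equally a skipped build-wheels or build-sdist. Because this job holds `id-token: write` and attests whatever matches `dist/*`, it would be safer to require the builds explicitly by adding `needs.build-wheels.result == 'success' && needs.build-sdist.result == 'success'` inside the expression. Whether the build jobs can actually be skipped is not visible here, since their definitions and the rest of the attest job lie outside the hunk. The publish job's condition in the last hunk has the same shape and would benefit from the same check.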
@@ -230,7 +229,7 @@ jobs: publish: name: Publish to PyPI - needs: [release-please, build-wheels, build-sdist, attest] + needs: [release-please, build-wheels, build-sdist] if: ${{ !failure() && !cancelled() && (needs.release-please.outputs.release_created == 'true' || github.event.inputs.force_release == 'true') }} runs-on: ubuntu-latest environment: release
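Review bot: With attest dropped from `needs`, publish no longer waits for or observes the attest job, so a release can reach PyPI with no provenance or SBOM attestation, and the only signal is a failed sibling job. That is the stated intent, but it should be recorded where the decision is made, for example with a comment above the `needs:` line such as `# attest intentionally omitted: an attestation failure must not block publishing (#107)`. It would also help to note in the workflow how a missing attestation gets noticed and backfilled, because consumers who verify provenance will see an unattested release. The rest of the publish job is outside the hunk.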