release machinery: fix attestation and circleci

Author: ankith26

.circleci/config.yml

@@ -52,5 +52,15 @@ jobs:
 # See: https://circleci.com/docs/2.0/configuration-reference/#workflows
 workflows:
   build-arm:
+    when:
+      equal: [ "", << pipeline.parameters.GHA_Actor >> ]
+    jobs:
+      - linux-arm-wheels
+
+  # run a separate, identical release job only if triggered
+  build-arm-release:
+    when:
+      not:
+        equal: [ "", << pipeline.parameters.GHA_Actor >> ]
     jobs:
       - linux-arm-wheels

.github/workflows/release-gh-draft.yml

@@ -32,6 +32,11 @@ jobs:
   draft-release:
     needs: [manylinux-aarch64, manylinux, macos, windows, sdist]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write
+
     steps:
       - uses: actions/[email protected]
 
@@ -55,13 +60,10 @@ jobs:
         id: ver
         run: echo "VER=${GITHUB_REF_NAME#'release/'}" >> $GITHUB_OUTPUT
 
-      # First generate release.sha512sum which contains hashes of all release files, then
-      # encrypt these hashes so that the hash file itself cannot be tampered with.
-      - name: Generate release hashes (encrypted)
-        run: |
-          cd pygame-wheels
-          sha512sum * > release.sha512sum
-          gpg --batch --output release.sha512sum.gpg --passphrase ${{ secrets.GITHUB_TOKEN }} --symmetric release.sha512sum
+      - name: Generate release attestation
+        uses: actions/[email protected]
+        with:
+          subject-path: "pygame-wheels/*"
 
       - name: Draft a release
         uses: softprops/action-gh-release@v2

.github/workflows/release-pypi.yml

@@ -23,16 +23,18 @@ jobs:
           zipBall: false
           out-file-path: "dist"
 
-      # Check that all the files that successfully uploaded from the release-gh-draft
-      # action have not been tampered with. This however ignores any extra files that
-      # were manually added.
-      - name: Verify release hashes
+      - name: Verify release attestation
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
-          cd dist
-          gpg --batch --output release.decrypted.sha512sum --passphrase ${{ secrets.GITHUB_TOKEN }} --decrypt release.sha512sum.gpg
-          diff -s release.sha512sum release.decrypted.sha512sum
-          sha512sum -c release.decrypted.sha512sum
-          rm release.*
+          for fname in dist/*; do
+            if gh attestation verify $fname -R ${{ github.repository }}; then
+              echo "[ALLOWED] $fname"
+            else
+              rm $fname
+              echo "[DELETED] $fname"
+            fi
+          done
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1