From f9bafe121a3b5bbb6df6a32d82b32a5fbe620cc3 Mon Sep 17 00:00:00 2001
From: Michele <ScrappyCocco@users.noreply.github.com>
Date: Mon, 16 Mar 2026 09:34:00 +0000
Subject: [PATCH] Attestation workflow

---
 .github/workflows/manual-publish-version.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/manual-publish-version.yml b/.github/workflows/manual-publish-version.yml
index 179af72..f9e83f3 100644
--- a/.github/workflows/manual-publish-version.yml
+++ b/.github/workflows/manual-publish-version.yml
@@ -40,12 +40,18 @@ jobs:
       url: https://pypi.org/p/howlongtobeatpy
     permissions:
       id-token: write  # IMPORTANT: mandatory for trusted publishing
+      attestations: write
+      artifact-metadata: write
     steps:
     - name: Download all the dists
       uses: actions/download-artifact@v8
       with:
         name: python-package-distributions
         path: dist/
+    - name: Attest build provenance
+      uses: actions/attest@v4
+      with:
+        subject-path: dist/
     - name: Publish distribution 📦 to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1