From d9eb72c561dbccba4277ed059a32fe4bfd4f510e Mon Sep 17 00:00:00 2001
From: Shaan Majid <70789625+shaanmajid@users.noreply.github.com>
Date: Tue, 16 Jun 2026 17:52:17 -0700
Subject: [PATCH 1/3] ci: add PyPI publish attestations via astral-sh/attest-action

---
 .github/workflows/release.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bd5d0d043..d5655ae37 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -261,6 +261,13 @@ jobs:
 ./*.tar.gz
 ./*.whl
 - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7
+ - name: Generate PyPI publish attestations
+ uses: astral-sh/attest-action@f589a42a7efb6fe400b4f400de60b4bc90390027 # v0.0.6
+ if: ${{ startsWith(github.ref, 'refs/tags/') }}
+ with:
+ paths: |
+ ./*.tar.gz
+ ./*.whl
 - name: Publish (dry run)
 if: ${{ !startsWith(github.ref, 'refs/tags/') }}
 run: uv publish --dry-run '*'

From c7752d67f999691f6fab3a113f2ae2beb14c713f Mon Sep 17 00:00:00 2001
From: Shaan Majid <70789625+shaanmajid@users.noreply.github.com>
Date: Tue, 16 Jun 2026 17:52:41 -0700
Subject: [PATCH 2/3] ci: remove redundant GitHub attestation and attestations: write perm

---
 .github/workflows/release.yml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d5655ae37..3ceebce00 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -240,8 +240,6 @@ jobs:
 id-token: write
 # Used to upload release artifacts.
 contents: write
- # Use to generate artifact attestation.
- attestations: write
 name: Publish to PyPI
 runs-on: ubuntu-latest
 environment:
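Review bot: The new attestation step is only ever exercised on a real release, because it is gated on `startsWith(github.ref, 'refs/tags/')` while the `Publish (dry run)` step directly below it runs only on the negation, so a failing attest-action run or a mismatch between the generated attestation files and what `uv publish '*'` picks up would surface for the first time during a tagged release. Consider running the step unconditionally (Sigstore signing needs the OIDC token that this job's `id-token: write` already grants, and the job's environment gate, which lies outside the hunk, presumably controls who can reach it), or at least having the dry run assert that the expected attestation files exist next to the dists. Because the step's security effect is not obvious from its name, a comment above it would help: `# PEP 740 publish attestations, Sigstore-signed via the job's id-token: write; they need to be uploaded together with the dists by the publish step.` Note also that the new `paths` list duplicates what appears to be the `subject-path` list of the step above, whose last two entries (`./*.tar.gz`, `./*.whl`) open the hunk; if both steps are kept the two lists should stay in sync. The tagged publish step that consumes the attestations is outside the hunk.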
@@ -253,13 +251,6 @@ jobs:
 with:
 pattern: wheels-*
 merge-multiple: true
- - name: Generate artifact attestation
- uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
- if: ${{ startsWith(github.ref, 'refs/tags/') }}
- with:
- subject-path: |
- ./*.tar.gz
- ./*.whl
 - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7
 - name: Generate PyPI publish attestations
 uses: astral-sh/attest-action@f589a42a7efb6fe400b4f400de60b4bc90390027 # v0.0.6

From d5d0215339dd9aefc8be8b3441f80f426619e9c4 Mon Sep 17 00:00:00 2001
From: Shaan Majid <70789625+shaanmajid@users.noreply.github.com>
Date: Tue, 16 Jun 2026 17:53:03 -0700
Subject: [PATCH 3/3] ci: remove unused contents: write perm from PyPI publish job

---
 .github/workflows/release.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3ceebce00..627499bac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -238,8 +238,6 @@ jobs:
 # Used to sign the release's artifacts
 # and upload to PyPI using trusted publisher.
 id-token: write
- # Used to upload release artifacts.
- contents: write
 name: Publish to PyPI
 runs-on: ubuntu-latest
 environment: