Opened 8 weeks ago

Closed 8 weeks ago

Last modified 8 weeks ago

#36563 closed New feature (wontfix)

Adopt PEP 740 attestations for Django release files on PyPI

Reported by: JaeHyuckSa
Owned by:
Component: Packaging
Version: dev
Severity: Normal
Keywords: PEP740, PyPI, provenance, attestations, release-process
Cc: JaeHyuckSa
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Following the Django Forum discussion (https://forum.djangoproject.com/t/adopt-pep-740-digital-attestations-for-django-releases/42460/4), I’d like to explore adding PEP 740 provenance (digital attestations) for Django’s sdists and wheels on PyPI. This looks doable without runtime changes; the work should be limited to the release process and docs.

(A) Keep the current manual release and still adopt PEP 740 by setting up Trusted Publishing on PyPI, generating attestations with pypi-attestations, and uploading with twine upload --attestations. Adding a brief post-upload check in the release guide using PyPI’s Integrity API also seems reasonable. Uploading attestations will likely require a Trusted Publisher identity.

(B) Alternatively, move releases to GitHub Actions with Trusted Publishing and use pypa/gh-action-pypi-publish@release/v1. This path would require changing Django’s release method to GitHub Actions and defining that workflow in our docs/release process.
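The "brief post-upload check" from option (A) can be partly automated offline. The following is an added example, not Django's release tooling and not code from the reporter: it parses a provenance document in the shape served by PyPI's Integrity API (https://pypi.org/integrity/<project>/<version>/<filename>/provenance) and checks that a bundle exists for the file, that the bundle's Trusted Publisher is the expected GitHub repository, and that the attestation's in-toto statement names the released file by its sha256. The response and attestation layout (`attestation_bundles`, `publisher`, `verification_material`, `envelope.statement`) is assumed from the PEP 740 object format; the sample document, the sdist bytes, the filename `django-9.9.tar.gz` and the repository `django/django` are constructed for illustration. It deliberately does not verify the Sigstore signature or transparency-log entry, which is the job of `pypi-attestations verify`; this check only catches the cheap failure modes (no provenance uploaded, wrong publisher, statement covering a different artifact).

```python
"""Offline sanity checks on a PEP 740 provenance object fetched from PyPI's Integrity API.

Added example: not Django's release script. It validates structure, publisher identity
and the in-toto subject digest only; cryptographic verification is left to
`pypi-attestations verify`.
"""
import base64
import hashlib
import json

# Values from the PEP 740 / PyPI attestation documentation.
INTEGRITY_ACCEPT = "application/vnd.pypi.integrity.v1+json"   # Accept header for the API
PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"


def integrity_url(project: str, version: str, filename: str) -> str:
    """URL of the provenance object for one release file (fetch with INTEGRITY_ACCEPT)."""
    return f"https://pypi.org/integrity/{project}/{version}/{filename}/provenance"


def sha256_hex(data: bytes) -> str:
    """Digest of the local release file, to compare against the attestation subject."""
    return hashlib.sha256(data).hexdigest()


def check_provenance(provenance: dict, filename: str, local_sha256: str,
                     expected_repository: str) -> list[str]:
    """Return a list of problems; an empty list means all offline checks passed."""
    problems: list[str] = []
    bundles = provenance.get("attestation_bundles", [])
    if not bundles:
        return [f"{filename}: no attestation bundles in provenance"]
    for i, bundle in enumerate(bundles):
        publisher = bundle.get("publisher", {})
        # The Trusted Publisher identity must be the repository releases are made from;
        # a valid attestation from some other project is still the wrong attestation.
        if publisher.get("kind") != "GitHub" or publisher.get("repository") != expected_repository:
            problems.append(f"bundle {i}: unexpected publisher {publisher!r}")
        attestations = bundle.get("attestations", [])
        if not attestations:
            problems.append(f"bundle {i}: no attestations")
        for j, att in enumerate(attestations):
            try:
                statement = json.loads(base64.b64decode(att["envelope"]["statement"]))
            except (KeyError, TypeError, ValueError) as exc:
                problems.append(f"bundle {i} attestation {j}: unreadable statement ({exc})")
                continue
            if statement.get("_type") != STATEMENT_TYPE:
                problems.append(f"bundle {i} attestation {j}: not an in-toto v1 statement")
            if statement.get("predicateType") != PUBLISH_PREDICATE:
                problems.append(f"bundle {i} attestation {j}: unexpected predicate type")
            # The statement must cover exactly the bytes we uploaded, by name and digest.
            covered = [s for s in statement.get("subject", [])
                       if s.get("name") == filename
                       and s.get("digest", {}).get("sha256") == local_sha256]
            if not covered:
                problems.append(f"bundle {i} attestation {j}: statement does not cover "
                                f"{filename} sha256={local_sha256[:12]}...")
            if not att.get("verification_material", {}).get("certificate"):
                problems.append(f"bundle {i} attestation {j}: no signing certificate")
    return problems


def sample_provenance(filename: str, file_sha256: str, repository: str) -> dict:
    """Constructed sample in the assumed Integrity API response shape (fake cert/signature)."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": filename, "digest": {"sha256": file_sha256}}],
        "predicateType": PUBLISH_PREDICATE,
        "predicate": None,
    }
    return {
        "version": 1,
        "attestation_bundles": [{
            "publisher": {"kind": "GitHub", "repository": repository, "workflow": "release.yml"},
            "attestations": [{
                "version": 1,
                "verification_material": {
                    "certificate": base64.b64encode(b"CONSTRUCTED-NOT-A-REAL-CERT").decode(),
                    "transparency_entries": [],
                },
                "envelope": {
                    "statement": base64.b64encode(json.dumps(statement).encode()).decode(),
                    "signature": base64.b64encode(b"CONSTRUCTED-NOT-A-REAL-SIGNATURE").decode(),
                },
            }],
        }],
    }


if __name__ == "__main__":
    sdist = b"constructed sdist bytes, stands in for the real tarball"  # constructed input
    name = "django-9.9.tar.gz"  # hypothetical filename
    prov = sample_provenance(name, sha256_hex(sdist), "django/django")
    print(integrity_url("django", "9.9", name))
    print("ok" if not check_provenance(prov, name, sha256_hex(sdist), "django/django") else "FAIL")
    print(check_provenance(prov, name, sha256_hex(b"tampered"), "django/django"))
```

In a real release step the document would come from the `integrity_url` with the `INTEGRITY_ACCEPT` header after `twine upload --attestations`, and the digest from the local `dist/` file; any non-empty problem list is a reason to stop and investigate before announcing the release.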

Change History (4)

comment:1 by JaeHyuckSa, 8 weeks ago

In my view, this work is primarily permissions-related, so it may be difficult for me to drive it directly; however, if the ticket is approved, I’d be happy to contribute in a supporting role.

comment:2 by JaeHyuckSa, 8 weeks ago

Version: 5.2 → dev

comment:3 by Natalia Bidart, 8 weeks ago

Resolution: wontfix
Status: new → closed

Hello JaeHyuckSa, thank you for the ticket and the forum post conversation. As mentioned there, this is far from trivial and warrants a much deeper conversation since, currently, releases are performed with a fully manual procedure (see docs: https://docs.djangoproject.com/en/dev/internals/howto-release-django/).

I'll close as wontfix following the documented triage procedure.

comment:4 by JaeHyuckSa, 8 weeks ago

I completely understand. I also thought lightly of this matter at first, but it turned out there’s actually a lot more to discuss than I expected.
