id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36563	Adopt PEP 740 attestations for Django release files on PyPI	JaeHyuckSa		"Following the Django Forum discussion (https://forum.djangoproject.com/t/adopt-pep-740-digital-attestations-for-django-releases/42460/4), I’d like to explore adding PEP 740 provenance (digital attestations) for Django’s sdists and wheels on PyPI. This looks doable without runtime changes; the work should be limited to the release process and docs.

(A) Keep the current manual release and still adopt PEP 740 by setting up Trusted Publishing on PyPI, generating attestations with pypi-attestations, and uploading with twine upload --attestations. Adding a brief post-upload check in the release guide using PyPI’s Integrity API also seems reasonable. Uploading attestations will likely require a Trusted Publisher identity.

(B) Alternatively, move releases to GitHub Actions with Trusted Publishing and use pypa/gh-action-pypi-publish@release/v1. This path would require changing Django’s release method to GitHub Actions and defining that workflow in our docs/release process."	New feature	closed	Packaging	dev	Normal	wontfix	PEP740, PyPI, provenance, attestations, release-process	JaeHyuckSa	Unreviewed	0	0	0	0	0	0
