> A quick read includes that these reviewers can include teams which I
> interpret as it can easily be the whole of the PMC who have linked to a
> GitHub account.
>

I will explore it in detail when we set it up.

>
> I wonder if a future enhancement would be to use an API to connect to the
> ADP to confirm that releases to PyPI (and other distribution platforms) have
> passed the PMC's release VOTE!
>
>
I guess yes - likely this can be done in several ways:

1) our reusable actions (if we have it) could add the step to connect to
ADP and verify status before publishing
2) when implemented (it is a draft proposal now), ADP could use the
provenance/attestation feature
https://discuss.python.org/t/pep-740-index-support-for-digital-attestations/44498
and upload ASF-signed attestations of voting. That - on its own - would not
prevent uploads of non-voted artifacts, but it would provide
cryptographically verifiable attestations that the vote actually happened - and
when it did.
3) Eventually ASF could become a trusted publisher and we could publish
packages directly from ADP (with attestation, only after voting is done -
up to our implementation). But that's quite a project on its own for ASF to
become a trusted publisher, because ASF is not a "general public" publisher
like GitHub - so it would require changes in workflows on the PyPI side.


J.
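The gating step from option 1) above, written out as an added example that is not code from this thread, from the ASF ADP project, or from any existing reusable action. The vote-record shape (`result`, `version`, `artifacts` keyed by filename with a `sha512` field) is a hypothetical stand-in for whatever an ADP vote-status API would return, and the sample record and artifact bytes are constructed. The point it makes is the one raised in option 2): a gate that only checks "a vote for version X passed" does not stop a differently-built artifact from being uploaded under that version, so the check has to bind the vote result to the digest of the exact bytes about to be published.

```python
"""Gate a publish-to-PyPI step on an ASF release VOTE record.

Added example; the ADP vote-record format below is an assumption, not a
real ADP API. sha512 is used because ASF releases ship .sha512 files
alongside the artifacts, so that is the digest a vote would plausibly cover.
"""
import hashlib
import json
import sys

# Constructed sample artifact: stands in for the bytes of the tarball that
# the PMC actually voted on.
VOTED_ARTIFACT = b"constructed tarball bytes for example_project-1.2.3"
VOTED_FILENAME = "example_project-1.2.3.tar.gz"

# Constructed sample: what a hypothetical ADP vote-status endpoint might return.
SAMPLE_VOTE_RECORD = json.dumps({
    "project": "example-project",
    "version": "1.2.3",
    "result": "passed",
    "artifacts": {
        VOTED_FILENAME: {"sha512": hashlib.sha512(VOTED_ARTIFACT).hexdigest()},
    },
})


def sha512_hex(data: bytes) -> str:
    """Hex sha512 of the candidate artifact, matching the .sha512 convention."""
    return hashlib.sha512(data).hexdigest()


def publish_allowed(vote_record_json: str, filename: str,
                    artifact: bytes, version: str) -> tuple[bool, str]:
    """Return (allowed, reason).

    All three bindings must hold before publishing is allowed:
      1. the vote result is "passed",
      2. the version the workflow is publishing is the version that was voted,
      3. the digest of the bytes we are about to upload equals the digest of
         the artifact the vote covered.
    Checking only 1. and 2. would let a rebuilt or modified artifact through
    under a voted version name.
    """
    record = json.loads(vote_record_json)
    if record.get("result") != "passed":
        return False, "vote did not pass"
    if record.get("version") != version:
        return False, "version mismatch"
    voted = record.get("artifacts", {}).get(filename)
    if voted is None:
        return False, "artifact not part of the voted set"
    if voted.get("sha512") != sha512_hex(artifact):
        return False, "artifact digest differs from voted artifact"
    return True, "ok"


def main() -> int:
    """Simulate the CI step: exit non-zero so a publish job would stop."""
    allowed, reason = publish_allowed(
        SAMPLE_VOTE_RECORD, VOTED_FILENAME, VOTED_ARTIFACT, "1.2.3")
    print(f"publish allowed: {allowed} ({reason})")
    return 0 if allowed else 1


if __name__ == "__main__":
    sys.exit(main())
```

In a reusable action this function would run after the build step and before `pypa/gh-action-pypi-publish`, with the vote record fetched from ADP and the artifact read from `dist/`; the release job publishes only if the process exits 0.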
