Collect and upload PEP 740 attestations during uv publish (#16731)

Co-authored-by: konsti <konstin@mailbox.org>

Author: woodruffw

Cargo.lock

@@ -108,6 +108,7 @@ dunce = { version = "1.0.5" }
 either = { version = "1.13.0" }
 encoding_rs_io = { version = "0.1.7" }
 etcetera = { version = "0.11.0" }
+fastrand = { version = "2.3.0" }
 flate2 = { version = "1.0.33", default-features = false, features = ["zlib-rs"] }
 fs-err = { version = "3.0.0", features = ["tokio"] }
 futures = { version = "0.3.30" }

Cargo.toml

@@ -7040,8 +7040,8 @@ pub struct DisplayTreeArgs {
 pub struct PublishArgs {
     /// Paths to the files to upload. Accepts glob expressions.
     ///
-    /// Defaults to the `dist` directory. Selects only wheels and source distributions, while
-    /// ignoring other files.
+    /// Defaults to the `dist` directory. Selects only wheels and source distributions
+    /// and their attestations, while ignoring other files.
     #[arg(default_value = "dist/*")]
     pub files: Vec<String>,
 
@@ -7147,6 +7147,13 @@ pub struct PublishArgs {
     /// and will perform validation against the index if supported, but will not upload any files.
     #[arg(long)]
     pub dry_run: bool,
+
+    /// Do not upload attestations for the published files.
+    ///
+    /// By default, uv attempts to upload matching PEP 740 attestations with each distribution
+    /// that is published.
+    #[arg(long, env = EnvVars::UV_PUBLISH_NO_ATTESTATIONS)]
+    pub no_attestations: bool,
 }
 
 #[derive(Args)]

crates/uv-cli/src/lib.rs

@@ -45,7 +45,7 @@ zeroize = { workspace = true }
 [dev-dependencies]
 doc-comment = "0.3"
 env_logger = "0.11.5"
-fastrand = "2"
+fastrand = { workspace = true }
 
 [package.metadata.docs.rs]
 default-target = "x86_64-unknown-linux-gnu"

crates/uv-keyring/Cargo.toml

@@ -49,6 +49,7 @@ url = { workspace = true }
 
 [dev-dependencies]
 insta = { workspace = true }
+fastrand = { workspace = true }
 
 [features]
 # Test only feature to enable non-HTTPS URL handling