From a96b7e6c37e4f13b8b41a526f09763a8e3c3598b Mon Sep 17 00:00:00 2001 From: Shi Cheng Date: Tue, 7 Oct 2025 10:49:42 +0800 Subject: [PATCH 1/4] generate provenance for pypi --- .github/workflows/publish_to_pypi.yml | 25 ++++++++++++++++++++++++- pyproject.toml | 4 ++-- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml index eab0e0195..f4d471d37 100644 --- a/.github/workflows/publish_to_pypi.yml +++ b/.github/workflows/publish_to_pypi.yml @@ -8,6 +8,10 @@ jobs: build: name: Build distribution 📦 runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + attestations: write env: POETRY_VERSION: 2.1.1 @@ -37,6 +41,17 @@ jobs: with: name: python-package-distributions path: dist/ + - name: Generate build provenance attestation + id: provenance + uses: actions/attest-build-provenance@v1 + with: + subject-path: "dist/*" + - name: Store provenance attestation + if: steps.provenance.outputs.bundle-path != '' + uses: actions/upload-artifact@v4 + with: + name: python-package-provenance + path: ${{ steps.provenance.outputs.bundle-path }} publish-to-pypi: name: >- Publish Python 🐍 distribution 📦 to PyPI @@ -60,6 +75,7 @@ jobs: with: verbose: true verify-metadata: true + attestations: true github-release: name: >- @@ -80,6 +96,11 @@ jobs: with: name: python-package-distributions path: dist/ + - name: Download provenance attestations + uses: actions/download-artifact@v4 + with: + name: python-package-provenance + path: provenance/ - name: Sign the dists with Sigstore uses: sigstore/gh-action-sigstore-python@v2.1.1 with: @@ -103,5 +124,7 @@ jobs: # sigstore-produced signatures and certificates. run: >- gh release upload - '${{ github.ref_name }}' dist/** + '${{ github.ref_name }}' + dist/** + provenance/** --repo '${{ github.repository }}' diff --git a/pyproject.toml b/pyproject.toml index d43de1036..d7cb411ff 100644 --- a/pyproject.toml +++ b/pyproject.toml 
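Review bot: The `uses:` references added in this hunk, `actions/attest-build-provenance@v1` and `actions/upload-artifact@v4`, and `actions/download-artifact@v4` in the github-release hunk further down, are pinned to mutable major-version tags. For a change whose purpose is verifiable provenance, pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/attest-build-provenance@<commit-sha>  # v1` (placeholder SHA), so the toolchain that produces the attestation cannot change underneath it without a diff in this file. The `sigstore/gh-action-sigstore-python` reference touched later in the series is at least an exact tag, but tags remain movable and deserve the same treatment.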
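Review bot: `attestations: true` on the publish step asks the PyPI publish action (pypa/gh-action-pypi-publish, judging by the neighbouring `verify-metadata` input) to generate and upload PEP 740 attestations itself from the publish job's own OIDC token; it does not consume the bundle produced by `actions/attest-build-provenance` in the build job, so the PyPI attestation and the bundle attached to the GitHub release are two independent statements about the same files. A comment next to the input would stop a later reader from assuming one depends on the other, e.g. `# PEP 740 attestations are generated by the publish action from this job's OIDC identity, independently of the GitHub build-provenance bundle.` This also relies on the job's existing `id-token: write` permission and on Trusted Publishing being configured for the project.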
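Review bot: The new `Download provenance attestations` step is unconditional, while the matching upload in the build job runs only `if: steps.provenance.outputs.bundle-path != ''`; when that condition is false, `actions/download-artifact@v4` fails on the missing artifact and the release job aborts (possibly after the distributions have already been published, depending on job ordering not visible here), and the `provenance/**` glob added to `gh release upload` in the last hunk would reach the shell unexpanded. Since a build-provenance step that produces no bundle is itself a failure worth surfacing before anything ships, the simpler fix is to drop the `if:` on the upload step so the build job fails there. If the condition is kept on purpose, the download and the `provenance/**` argument need the same guard.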
@@ -1,6 +1,6 @@ [project] -name = "xrpl-py" -version = "4.3.0" +name = "xrpl-py-cheng" +version = "4.3.1" description = "A complete Python library for interacting with the XRP ledger" license = "ISC" readme = "README.md" From 225b77cef122a25d8cb497fc389295b4415a675b Mon Sep 17 00:00:00 2001 From: Shi Cheng Date: Tue, 7 Oct 2025 11:09:54 +0800 Subject: [PATCH 2/4] require review fix poetry installation --- .github/workflows/publish_to_pypi.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml index f4d471d37..82f24578e 100644 --- a/.github/workflows/publish_to_pypi.yml +++ b/.github/workflows/publish_to_pypi.yml @@ -1,8 +1,8 @@ name: Publish xrpl-py 🐍 distribution 📦 to PyPI on: + workflow_dispatch: push: - tags: - - "*" + jobs: build: @@ -21,7 +21,7 @@ jobs: uses: actions/setup-python@v5 with: # Use the lowest supported version of Python for CI/CD - python-version: "3.8" + python-version: "3.8.19" - name: Load cached .local id: cache-poetry uses: actions/cache@v3 @@ -58,6 +58,9 @@ jobs: needs: build # Explicit dependency on build job runs-on: ubuntu-latest timeout-minutes: 10 # Adjust based on typical publishing time + environment: + name: official-release + url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} permissions: # More information about Trusted Publishing and OpenID Connect: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ id-token: write # IMPORTANT: mandatory for trusted publishing From b159185ab57a1a822b0f6438c3551c4709a406be Mon Sep 17 00:00:00 2001 From: Shi Cheng Date: Tue, 7 Oct 2025 12:06:23 +0800 Subject: [PATCH 3/4] fix poetry dependency/fix provenance --- .github/workflows/publish_to_pypi.yml | 16 ++++++++++------ pyproject.toml | 4 ++-- 2 files changed, 12 insertions(+), 8 deletions(-) 
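Review bot: The `environment: official-release` block added to publish-to-pypi only gates the job if that environment exists in repository settings with protection rules (required reviewers, deployment branch/tag restrictions); nothing in the workflow itself enforces a review, so an unconfigured environment turns the "require review" intent of this commit into a no-op. Record that dependency where the next maintainer will see it, e.g. above `environment:`: `# Publishing is gated by the protection rules configured on this environment (required reviewers); the PyPI trusted publisher should also be registered with environment name official-release so OIDC tokens minted outside it are rejected.` The `url:` pointing at the workflow run rather than the release or PyPI page is fine, but worth a word in the same comment so it is not "fixed" later.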
diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml index 82f24578e..fb25afa3d 100644 --- a/.github/workflows/publish_to_pypi.yml +++ b/.github/workflows/publish_to_pypi.yml @@ -21,7 +21,7 @@ jobs: uses: actions/setup-python@v5 with: # Use the lowest supported version of Python for CI/CD - python-version: "3.8.19" + python-version: "3.9" - name: Load cached .local id: cache-poetry uses: actions/cache@v3 @@ -29,11 +29,15 @@ jobs: path: /home/runner/.local key: dotlocal-${{ env.POETRY_VERSION }}-${{ hashFiles('poetry.lock') }} - name: Install poetry - if: steps.cache-poetry.outputs.cache-hit != 'true' + env: + PIP_INDEX_URL: https://pypi.org/simple + PIP_NO_CACHE_DIR: "1" run: | - curl -sSL "https://install.python-poetry.org/" | python - --version "${{ env.POETRY_VERSION }}" - echo "${HOME}/.local/bin" >> $GITHUB_PATH - poetry --version || exit 1 # Verify installation + set -euo pipefail + python -m pip install --upgrade pip + python -m pip install "dulwich>=0.22.6,<0.23.0" + python -m pip install "https://github.com/python-poetry/poetry/releases/download/${POETRY_VERSION}/poetry-${POETRY_VERSION}-py3-none-any.whl" + poetry --version - name: Build a binary wheel and a source tarball run: poetry build - name: Store the distribution packages @@ -105,7 +109,7 @@ jobs: name: python-package-provenance path: provenance/ - name: Sign the dists with Sigstore - uses: sigstore/gh-action-sigstore-python@v2.1.1 + uses: sigstore/gh-action-sigstore-python@v3.0.1 with: inputs: >- ./dist/*.tar.gz diff --git a/pyproject.toml b/pyproject.toml index d7cb411ff..d43de1036 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] -name = "xrpl-py-cheng" -version = "4.3.1" +name = "xrpl-py" +version = "4.3.0" description = "A complete Python library for interacting with the XRP ledger" license = "ISC" readme = "README.md" From 719dee427788a7387cff35aaabc6db8930e22ab8 Mon Sep 17 00:00:00 2001 
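Review bot: The comment kept above `python-version`, `# Use the lowest supported version of Python for CI/CD`, may no longer hold after the bump to `"3.9"`: pyproject.toml's `requires-python` is not in this hunk, but the value this series started from was 3.8, so either the comment should say why 3.9 is now required (the poetry/dulwich install below looks like the likely reason) or the floor in pyproject.toml should move with it. Suggested replacement: `# 3.9 is required by the pinned poetry/dulwich install below; keep in sync with requires-python in pyproject.toml`.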
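Review bot: The rewritten `Install poetry` step fetches the Poetry wheel straight from a GitHub release URL and `dulwich` as an open range `>=0.22.6,<0.23.0`, with no hash checking, in the same job that now signs a build-provenance attestation for `dist/*`; the attestation therefore vouches for artifacts produced by a toolchain that can change between runs. Pin `dulwich==<exact version>` and move both installs into a checked-in requirements file installed with `python -m pip install --require-hashes -r <file>` (pip accepts `--hash` only inside a requirements file, not for a bare URL on the command line, so the file is needed for that). The hunk also drops the `if: steps.cache-poetry.outputs.cache-hit != 'true'` guard and no longer writes to `~/.local`, so the `Load cached .local` step immediately above now restores a cache that nothing uses; either restore the guard with a matching install location or remove the cache step. `set -euo pipefail` and `PIP_NO_CACHE_DIR` are good additions.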
From: Shi Cheng Date: Thu, 9 Oct 2025 10:54:05 +0800 Subject: [PATCH 4/4] revert trigger --- .github/workflows/publish_to_pypi.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml index fb25afa3d..e4f6add54 100644 --- a/.github/workflows/publish_to_pypi.yml +++ b/.github/workflows/publish_to_pypi.yml @@ -1,7 +1,8 @@ name: Publish xrpl-py 🐍 distribution 📦 to PyPI on: - workflow_dispatch: push: + tags: + - "*" jobs:
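Review bot: The restored `'*'` glob fires the publish pipeline for every pushed tag, so whatever protection rules are configured on the `official-release` environment are the only thing between an arbitrary tag and a PyPI upload; if the project tags releases with a fixed prefix (not visible here), narrow the pattern, e.g. `- "v*"` (placeholder — match the project's convention). A one-line comment above `tags:` stating that the trigger is deliberately broad and gated by the environment would make that trade-off explicit. `workflow_dispatch`, introduced in patch 2, is dropped again here; if manual re-runs are wanted, keep it alongside the tag filter rather than reintroducing an unfiltered `push:`.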