We need to obtain PyPI Publish Attestations when available to more accurately identify publishing workflows. We could obtain this info from deps.dev. See this package as an example: https://deps.dev/pypi/ultralytics
The provenance file should also be obtainable from PyPI: https://pypi.org/integrity/package-name/version/wheel-name/provenance, e.g., https://pypi.org/integrity/ultralytics/8.3.70/ultralytics-8.3.70-py3-none-any.whl/provenance
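A sketch of how the provenance file could be retrieved and reduced to the publishing workflow identity (an added example, not code from this issue or the project). The function names and the sample document are assumptions made for illustration; the `publisher` field names follow PyPI's Integrity API provenance object.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

INTEGRITY_BASE = "https://pypi.org/integrity"  # base of the URL pattern quoted above

# Constructed sample in the shape of a PyPI provenance object; the repository,
# workflow and environment values are placeholders, not real data.
SAMPLE_PROVENANCE = json.loads("""
{"version": 1, "attestation_bundles": [{
  "publisher": {"kind": "GitHub", "claims": null,
                "repository": "example-org/example-project",
                "workflow": "publish.yml", "environment": "pypi"},
  "attestations": []}]}
""")

def provenance_url(project, version, filename):
    """Build .../integrity/<project>/<version>/<filename>/provenance."""
    parts = [quote(p, safe="") for p in (project, version, filename)]
    return "/".join([INTEGRITY_BASE, *parts, "provenance"])

def fetch_provenance(project, version, filename, timeout=10):
    """Download the provenance object; None when the file has none (HTTP 404)."""
    req = urllib.request.Request(
        provenance_url(project, version, filename),
        headers={"Accept": "application/vnd.pypi.integrity.v1+json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise

def publishing_workflows(provenance):
    """Return (kind, repository, workflow, environment) per attestation bundle."""
    if not isinstance(provenance, dict) or provenance.get("version") != 1:
        raise ValueError("unsupported provenance object")
    found = []
    for bundle in provenance.get("attestation_bundles", []):
        pub = bundle.get("publisher") or {}
        # GitHub publishers carry "workflow"; GitLab ones carry "workflow_filepath".
        workflow = pub.get("workflow") or pub.get("workflow_filepath")
        if not (pub.get("kind") and pub.get("repository") and workflow):
            continue  # unknown publisher shape: skip rather than guess
        found.append((pub["kind"], pub["repository"], workflow,
                      pub.get("environment") or None))
    return found

if __name__ == "__main__":
    print(publishing_workflows(SAMPLE_PROVENANCE))
```

This only reads the publisher identity that PyPI reports alongside each bundle; it does not verify the signed attestations themselves.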