GCP Artifact Registry is an OCI Container Image Registry.
It looks like there are a few GitHub Actions for pushing container image artifacts to GCP Artifact Registry: https://github.com/marketplace?query=artifact+registry&type=...
FWIW, though it may not be necessary for a plain Python package, "pypa/cibuildwheel" is the easy way to build a Python package for various platforms in CI.
SLSA.dev, Sigstore;
GitHub supports artifact attestations and storing attestations in an OCI Image store FWIU. Does GCP Artifact Registry support attestations?
"Using artifact attestations to establish provenance for builds" https://docs.github.com/en/actions/security-for-github-actio...
> GCP Artifact Registry is an OCI Container Image Registry.
That is one of the supported formats (and maybe most common), but not the only one.
https://cloud.google.com/artifact-registry/docs/supported-fo...
The Python one behaves just like PyPI, you just need to specify the URL and provide credentials.
GitHub specifically doesn't have Python package index (PEP 503, PEP 740) support on their roadmap: https://github.com/github/roadmap/issues/94#issuecomment-158...
GitLab has Python package registry support (503?): https://docs.gitlab.com/user/packages/pypi_repository/
Gitea has Python package registry support (503?): https://docs.gitea.com/usage/packages/pypi
PyPI supports attestations for Python packages when built by Trusted Publishers: https://docs.pypi.org/attestations/ :
> PyPI uses the in-toto Attestation Framework for the attestations it accepts. [ in-toto/attestation spec: https://github.com/in-toto/attestation/blob/main/spec/README... ]
> Currently, PyPI allows the following attestation predicates:
> SLSA Provenance, PyPI Publish
Artifact Registry > Artifact Registry documentation > Guides > Manage Python packages: https://cloud.google.com/artifact-registry/docs/python/manag... :
> [Artifact Registry] private repositories use the canonical Python repository implementation, the simple repository API (PEP 503), and work with installation tools like pip.
PEP 503 – Simple Repository API: https://peps.python.org/pep-0503/
PEP 740 – Index support for digital attestations: https://peps.python.org/pep-0740/
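An added example, not code from this thread, PyPI or GCP: a structural check of a decoded in-toto statement of the kind the PyPI attestation docs quoted above describe, confirming the predicate type is one of the two PyPI accepts and that the subject digest matches the downloaded file. The function names, the sample filename and the sample bytes are constructed for illustration, and signature verification of the enclosing attestation is assumed to happen separately.

```python
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
# Predicate types for the two kinds PyPI lists: SLSA Provenance, PyPI Publish.
ALLOWED_PREDICATES = {
    "https://slsa.dev/provenance/v1",
    "https://docs.pypi.org/attestations/publish/v1",
}


def check_statement(statement: bytes, filename: str, artifact: bytes) -> list:
    """Return a list of problems; empty means the claims match the artifact.

    This checks the statement's content only. It does NOT verify the
    signature or signing identity, which must be done first.
    """
    try:
        stmt = json.loads(statement)
    except ValueError:
        return ["statement is not valid JSON"]
    if not isinstance(stmt, dict):
        return ["statement is not a JSON object"]
    problems = []
    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if stmt.get("predicateType") not in ALLOWED_PREDICATES:
        problems.append("predicate type not allowed")
    subjects = [s for s in stmt.get("subject") or [] if isinstance(s, dict)]
    named = [s for s in subjects if s.get("name") == filename]
    digest = hashlib.sha256(artifact).hexdigest()
    if not named:
        problems.append("no subject for this file")
    elif not any((s.get("digest") or {}).get("sha256") == digest for s in named):
        problems.append("subject digest mismatch")
    return problems


def build_sample(filename: str, artifact: bytes, predicate_type: str) -> bytes:
    """Constructed sample statement (illustrative, not a real attestation)."""
    digest = hashlib.sha256(artifact).hexdigest()
    return json.dumps({
        "_type": STATEMENT_TYPE,
        "subject": [{"name": filename, "digest": {"sha256": digest}}],
        "predicateType": predicate_type,
        "predicate": None,
    }).encode()


if __name__ == "__main__":
    name, data = "demo_pkg-1.0.0-py3-none-any.whl", b"constructed wheel bytes"
    stmt = build_sample(name, data, "https://docs.pypi.org/attestations/publish/v1")
    print(check_statement(stmt, name, data) or "statement matches artifact")
```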