name: Release
on:
  release:
    types:
      - published
permissions: # added using https://github.com/step-security/secure-workflows
  contents: read
jobs:
  build:
    name: Build artifacts
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: "3.x"
          cache: "pip"
          cache-dependency-path: pyproject.toml
      - name: deps
        run: python -m pip install -U build
      - name: build
        run: python -m build
      - name: Generate hashes for provenance
        shell: bash
        id: hash
        run: |
          # sha256sum generates a sha256 hash for every artifact in ./dist.
          # base64 -w0 encodes the whole listing to base64 on a single line,
          # which is the format the SLSA generator expects for base64-subjects.
          # sha256sum artifact1 artifact2 ... | base64 -w0
          echo "hashes=$(sha256sum ./dist/* | base64 -w0)" >> "$GITHUB_OUTPUT"
      - name: Upload built packages
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: built-packages
          path: ./dist/
          if-no-files-found: warn
  generate-provenance:
    needs: [build]
    name: Generate build provenance
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    # Currently this action needs to be referenced by tag. More details at:
    # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      provenance-name: provenance-id-${{ github.event.release.tag_name }}.intoto.jsonl
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true
  release-pypi:
    needs: [build, generate-provenance]
    runs-on: ubuntu-latest
    permissions:
      id-token: write # To upload via OIDC + generate attestations.
    steps:
      - name: Download artifacts directories # goes to current working directory
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      - name: publish
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          packages-dir: built-packages/
          attestations: true
  release-github:
    needs: [build, generate-provenance]
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload release assets.
      contents: write
    steps:
      - name: Download artifacts directories # goes to current working directory
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      - name: Upload artifacts to GitHub
        # Confusingly, this action also supports updating releases, not
        # just creating them. This is what we want here, since we've manually
        # created the release that triggered the action.
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          files: |
            built-packages/*