File: release.yml

twine 6.2.0-3
# Release workflow: builds the distributions, generates SLSA provenance for
# them, and publishes them to PyPI.
name: Publish to PyPI

# Triggered by tag pushes. The pattern is a bare wildcard rather than a
# version-shaped filter, so who may push tags decides who may start a release.
on:
  push:
    tags:
      - "*"

# Workflow-wide default for the GITHUB_TOKEN: read-only repository contents.
# Jobs that need more declare their own `permissions` block.
permissions:
  contents: read

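jobs:
  # Builds the distributions, records their SHA-256 digests as a job output
  # for the provenance job, and hands the files on as the "dist" artifact.
  # It declares no `permissions`, so the workflow default (contents: read)
  # applies.
  build:
    name: "Build dists"
    runs-on: "ubuntu-latest"
    # NOTE(review): the "publish" environment is attached to this job, not to
    # the job that uploads to PyPI. Any secrets scoped to that environment are
    # therefore reachable by the build steps below, and the upload job's OIDC
    # token is issued without an environment. Confirm this placement is
    # intended.
    environment:
      name: "publish"
    outputs:
      # Base64-encoded `sha256sum` listing of dist/, used as the provenance
      # subjects.
      hashes: ${{ steps.hash.outputs.hashes }}

    steps:
      # Third-party actions in this job are pinned to full commit SHAs, so a
      # moved tag cannot change the code that runs during a release.
      - name: "Checkout repository"
        uses: "actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8"
        with:
          # Keep the GITHUB_TOKEN out of the checked-out repository's git
          # config so later steps cannot read it from disk.
          persist-credentials: false

      - name: "Setup Python"
        uses: "actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065"
        with:
          python-version: "3.x"

      # NOTE(review): `build` is installed unpinned, so the release build
      # toolchain is whatever the index serves at run time. Consider a
      # hash-pinned requirements file for this step.
      - name: "Install dependencies"
        run: python -m pip install build

      # SOURCE_DATE_EPOCH is set to the commit timestamp so that timestamps
      # embedded in the dists do not depend on when the job ran.
      - name: "Build dists"
        run: |
          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
          python -m build

      # The digests recorded here are the subjects the provenance attests to.
      # `shell: bash` makes the runner enable `pipefail`, and assigning the
      # pipeline result to a variable first lets a `sha256sum` failure abort
      # the step instead of silently publishing an empty `hashes` output.
      - name: "Generate hashes"
        id: hash
        shell: bash
        run: |
          cd dist
          hashes="$(sha256sum * | base64 -w0)"
          echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"

      - name: "Upload dists"
        uses: "actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02"
        with:
          name: "dist"
          path: "dist/"
          # Fail the release rather than continue with an empty artifact.
          if-no-files-found: error
          retention-days: 5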

  # Generates SLSA provenance for the digests produced by the build job by
  # calling the slsa-github-generator reusable workflow.
  provenance:
    needs: [build]
    # Job-level permissions replace the workflow default for this job only.
    permissions:
      actions: read
      # With `upload-assets: true` the generator attaches the provenance to
      # the GitHub release, which requires write access to contents.
      contents: write
      id-token: write # Needed to access the workflow's OIDC identity.
    # Referenced by version tag, unlike the SHA-pinned actions in the other
    # jobs: the generator's documentation requires a full semantic-version tag
    # ref and rejects commit-SHA refs, so this pin cannot be tightened here.
    uses: "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0"
    with:
      # The provenance covers exactly these digests and nothing else.
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true
      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163

  # Uploads the built distributions to PyPI. Depending on both `build` and
  # `provenance` means nothing is uploaded unless provenance generation
  # succeeded.
  publish:
    name: "Publish to PyPI"
    # Redundant with the tag-only trigger today; it keeps the upload
    # tag-gated if the `on:` block is ever broadened.
    if: startsWith(github.ref, 'refs/tags/')
    needs: ["build", "provenance"]
    permissions:
      # NOTE(review): no step visible in this job writes to the repository.
      # `contents: write` looks broader than this job needs; confirm and drop
      # it if nothing depends on it.
      contents: write
      # Lets the job request an OIDC token. No password or API token is
      # passed to the publish step, so this presumably relies on PyPI trusted
      # publishing.
      id-token: write
    runs-on: "ubuntu-latest"

    steps:
    # NOTE(review): the downloaded files are not re-checked against the
    # digests from the build job before upload. The provenance covers those
    # digests, so consumers can still verify what was published.
    - name: "Download dists"
      uses: "actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0"
      with:
        name: "dist"
        path: "dist/"

    # Pinned to a full commit SHA like the actions in the build job.
    - name: "Publish dists to PyPI"
      uses: "pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc"