|
| 1 | +name: Publish |
| 2 | +on: |
| 3 | + push: |
| 4 | + tags: |
| 5 | + - '*' |
| 6 | +jobs: |
| 7 | + build: |
| 8 | + runs-on: ubuntu-latest |
| 9 | + outputs: |
| 10 | + hash: ${{ steps.hash.outputs.hash }} |
| 11 | + steps: |
| 12 | + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
| 13 | + - uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912 |
| 14 | + with: |
| 15 | + python-version: '3.x' |
| 16 | + cache: 'pip' |
| 17 | + cache-dependency-path: 'pdm.lock' |
| 18 | + - uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 |
| 19 | + with: |
| 20 | + path: ~/.cache/pdm |
| 21 | + key: ${{ matrix.python }}-pdm-${{ hashFiles('pdm.lock') }} |
| 22 | + restore-keys: ${{ matrix.python }}-pdm- |
| 23 | + - run: pip install pdm |
| 24 | + # Use the commit date instead of the current date during the build. |
| 25 | + - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV |
| 26 | + - run: pdm build |
| 27 | + # Generate hashes used for provenance. |
| 28 | + - name: generate hash |
| 29 | + id: hash |
| 30 | + run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT |
| 31 | + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce |
| 32 | + with: |
| 33 | + path: ./dist |
| 34 | + provenance: |
| 35 | + needs: ['build'] |
| 36 | + permissions: |
| 37 | + actions: read |
| 38 | + id-token: write |
| 39 | + contents: write |
| 40 | + # Can't pin with hash due to how this workflow works. |
| 41 | + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 |
| 42 | + with: |
| 43 | + base64-subjects: ${{ needs.build.outputs.hash }} |
| 44 | + create-release: |
| 45 | + # Upload the sdist, wheels, and provenance to a GitHub release. They remain |
| 46 | + # available as build artifacts for a while as well. |
| 47 | + needs: ['provenance'] |
| 48 | + runs-on: ubuntu-latest |
| 49 | + permissions: |
| 50 | + contents: write |
| 51 | + steps: |
| 52 | + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a |
| 53 | + - name: create release |
| 54 | + run: > |
| 55 | + gh release create --draft --repo ${{ github.repository }} |
| 56 | + ${{ github.ref_name }} |
| 57 | + *.intoto.jsonl/* artifact/* |
| 58 | + env: |
| 59 | + GH_TOKEN: ${{ github.token }} |
| 60 | + publish-pypi: |
| 61 | + needs: ['provenance'] |
| 62 | + # Wait for approval before attempting to upload to PyPI. This allows reviewing the |
| 63 | + # files in the draft release. |
| 64 | + environment: 'publish' |
| 65 | + runs-on: ubuntu-latest |
| 66 | + steps: |
| 67 | + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a |
| 68 | + # Try uploading to Test PyPI first, in case something fails. |
| 69 | + - uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc |
| 70 | + with: |
| 71 | + password: ${{ secrets.TEST_PYPI_TOKEN }} |
| 72 | + repository_url: https://test.pypi.org/legacy/ |
| 73 | + packages_dir: artifact/ |
| 74 | + - uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc |
| 75 | + with: |
| 76 | + password: ${{ secrets.PYPI_TOKEN }} |
| 77 | + packages_dir: artifact/ |
0 commit comments