-
Notifications
You must be signed in to change notification settings - Fork 5
122 lines (108 loc) · 3.9 KB
/
python-publish.yml
File metadata and controls
122 lines (108 loc) · 3.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# This workflows will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
name: Upload Python Package
on:
release:
types: [published] # Once manually verified, draft is released
# No support for reusable workflows (yet): https://github.com/pypi/warehouse/issues/11096
pull_request:
types: [opened, synchronize, reopened]
permissions:
contents: read
jobs:
build:
name: Build distribution 📦
runs-on: ubuntu-latest
steps:
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: block
allowed-endpoints: >+
github.com:443
api.github.com:443
release-assets.githubusercontent.com:443
pypi.org:443
files.pythonhosted.org:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
fetch-depth: 0 # Fetches all history and tags
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.x'
- name: Install dependencies
run: python -m pip install .[wheel]
- name: Build a binary wheel and a source tarball
run: python3 -m build
- name: Generate SBOM for Python distribution
run: python script/create_sbom.py --py --output-dir dist-sbom
- name: Store the distribution packages
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: python-package-distributions
path: dist/
- name: Store the SBOM
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: python-sbom
path: dist-sbom/
publish-to-testpypi:
name: Publish Python distribution 📦 to TestPyPI
needs:
- build
runs-on: ubuntu-latest
environment:
name: testpypi
url: https://test.pypi.org/p/dfetch
permissions:
id-token: write
steps:
- name: Download all the dists
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
with:
name: python-package-distributions
path: dist/
- name: Publish distribution 📦 to TestPyPI
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1
with:
repository-url: https://test.pypi.org/legacy/
skip-existing: true
- name: Test install from TestPyPI
run: |
pip install --pre --index-url https://test.pypi.org/simple/ dfetch --extra-index-url https://pypi.org/simple --user
dfetch --help
deploy:
if: github.event_name == 'release'
runs-on: ubuntu-latest
needs:
- build
environment:
name: pypi
url: https://pypi.org/p/dfetch
permissions:
id-token: write
contents: write
steps:
- name: Download all the dists
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
with:
name: python-package-distributions
path: dist/
- name: Publish distribution 📦 to PyPI
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1
with:
skip-existing: true
- name: Download SBOM
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
with:
name: python-sbom
path: dist-sbom/
- name: Upload SBOM to GitHub Release
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2.5.0
with:
tag_name: ${{ github.event.release.tag_name }}
files: dist-sbom/*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}