diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 166c3467a..f6db5f65b 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -6,6 +6,8 @@ name: Upload Python Package
 on:
 release:
 types: [created]
+ pull_request:
+ types: [opened, synchronize, reopened]
 # Allows to run this workflow manually
 workflow_dispatch:
@@ -14,12 +16,9 @@ permissions:
 contents: read
 jobs:
- deploy:
-
+ build:
+ name: Build distribution 📦
 runs-on: ubuntu-latest
- environment: PyPi
- permissions:
- id-token: write
 steps:
 - name: Harden the runner (Audit all outbound calls)
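Review bot: The `types: [opened, synchronize, reopened]` list under the new `pull_request:` trigger is the default activity-type set, so it can be dropped (`pull_request:` alone), or kept with a comment saying why those three are spelled out. Adding a PR trigger to a workflow whose jobs request `id-token: write` also deserves a comment next to the trigger stating what a PR run is expected to do, because the name `Upload Python Package` now covers build-only PR runs; something like `# PR runs only build and exercise TestPyPI; the PyPI upload is gated on the release event` would make that explicit. Whether the jobs are actually gated that way is a matter for the `@@ -28,16 +27,68 @@` hunk below.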
@@ -28,16 +27,68 @@ jobs:
 egress-policy: audit
 - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
+ with:
+ persist-credentials: false
+ fetch-depth: 0 # Fetches all history and tags
 - name: Set up Python
 uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: '3.x'
 - name: Install dependencies
+ run: python -m pip install --upgrade pip build --user
+ - name: Build a binary wheel and a source tarball
+ run: python3 -m build
+ - name: Store the distribution packages
+ uses: actions/upload-artifact@v4
+ with:
+ name: python-package-distributions
+ path: dist/
+
+ publish-to-testpypi:
+ name: Publish Python distribution 📦 to TestPyPI
+ needs:
+ - build
+ runs-on: ubuntu-latest
+
+ environment:
+ name: testpypi
+ url: https://test.pypi.org/p/dfetch
+
+ permissions:
+ id-token: write
+
+ steps:
+ - name: Download all the dists
+ uses: actions/download-artifact@v4
+ with:
+ name: python-package-distributions
+ path: dist/
+ - name: Publish distribution 📦 to TestPyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ repository-url: https://test.pypi.org/legacy/
+
+ - name: Test install from TestPyPI
 run: |
- python -m pip install --upgrade pip
- pip install setuptools build
- python -m pip install git+https://github.com/takluyver/twine@ec859fbfd285284e800461c45d22187f7948a275#egg=twine
- - name: Build and publish
- run: |
- python -m build
- twine upload dist/*
+ pip install --pre --index-url https://test.pypi.org/simple/ dfetch --extra-index-url https://pypi.org/simple --user
+ dfetch --help
+
+ deploy:
+ if: github.event_name == 'release'
+ runs-on: ubuntu-latest
+ needs:
+ - build
+ environment:
+ name: pypi
+ url: https://pypi.org/p/dfetch
+ permissions:
+ id-token: write
+
+ steps:
+ - name: Download all the dists
+ uses: actions/download-artifact@v4
+ with:
+ name: python-package-distributions
+ path: dist/
+ - name: Publish distribution 📦 to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
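Review bot: `publish-to-testpypi` has no `if:` condition, so it runs for every `pull_request` event as well as for releases and manual dispatches, whereas the `deploy` job below is gated with `if: github.event_name == 'release'`. As far as I know, pull_request runs from forks are not issued an OIDC token, so for those the publish step simply fails, while every push on a same-repository PR uploads a build to TestPyPI and a second upload of an already-existing filename is rejected by the index; either gate the job or add `skip-existing: true` under the publish step's `with:`. Separately, `actions/upload-artifact@v4`, `actions/download-artifact@v4` and `pypa/gh-action-pypi-publish@release/v1` are referenced by mutable tags or branches while `actions/checkout` and `actions/setup-python` in the same file are pinned to a commit SHA with a version comment; the publish action is the one that receives the OIDC token, so pin it the same way, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha> # release/v1`. The `Test install from TestPyPI` step installs with `--pre` across two indexes, which lets the highest-versioned candidate on either index win for `dfetch` and its dependencies, so the step may exercise a previously released build rather than the one just uploaded; constraining it to the version produced by the build job would make the check meaningful.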
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index ba87489d7..90772eb5e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -5,6 +5,8 @@ Release 0.11.0 (unreleased)
 * Don't show animation when running in CI (#702)
 * Improve logic for creating Purls in SBoM (#780)
 * Add External VCS reference to SBoM if possible (#780)
+* Add security policy (#784)
+* Add provenance / release attestation to pypi package (#784)
 Release 0.10.0 (released 2025-03-12)
 ====================================
diff --git a/pyproject.toml b/pyproject.toml
index 87b50d389..0680474b1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -22,13 +22,12 @@ keywords = [
 "multi-project",
 "monorepo",
 ]
-license = { text = "MIT" }
+license = "MIT"
 classifiers = [
 # Full list: https://pypi.python.org/pypi?%3Aaction=list_classifiers
 "Development Status :: 4 - Beta",
 "Environment :: Console",
 "Intended Audience :: Developers",
- "License :: OSI Approved :: MIT License",
 "Programming Language :: Python :: 3.9",
 "Programming Language :: Python :: 3.10",
 "Programming Language :: Python :: 3.11",
@@ -102,15 +101,16 @@ casts = ['asciinema==2.4.0']
 [project.scripts]
 dfetch = "dfetch.__main__:main"
-[tool.setuptools.dynamic]
-version = { attr = "dfetch.__version__" }
-
 [tool.setuptools.packages.find]
 include = ["dfetch", "dfetch.*"]
 [tool.setuptools.package-data]
 dfetch = ["resources/*.yaml"]
+[tool.setuptools_scm]
+local_scheme = "no-local-version"
+version_scheme = "guess-next-dev"
+
 [tool.isort]
 profile = "black"
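Review bot: `license = "MIT"` switches the field to a PEP 639 SPDX expression and drops the `License :: OSI Approved :: MIT License` classifier, which only builds under a backend that understands the new form. `[build-system] requires` is outside this hunk, so confirm it sets a setuptools lower bound that supports it (77 or later, as far as I know); otherwise the build job in this same PR fails at metadata generation. A short comment above the field, `# SPDX license expression (PEP 639); needs a setuptools that supports it`, would record the constraint for the next reader.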
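Review bot: Replacing `[tool.setuptools.dynamic] version = { attr = "dfetch.__version__" }` with `[tool.setuptools_scm]` only takes effect if `[project]` declares `dynamic = ["version"]` and `[build-system] requires` lists `setuptools_scm`; neither is visible in this hunk, so confirm both, since without them the build either fails or ships with a wrong version. If `dfetch/__init__.py` still carries a hand-maintained `__version__`, it will now drift from the tag-derived package version — presumably it should read the installed metadata instead, verify. `local_scheme = "no-local-version"` also means a build from an uncommitted or untagged tree carries no `+local` suffix and is indistinguishable from a clean one, so a comment stating this is deliberate, e.g. `# no "+gHASH" suffix: the package indexes reject local versions`, would help.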