-
Notifications
You must be signed in to change notification settings - Fork 0
48 lines (38 loc) · 1.31 KB
/
Copy pathsigstore.yml
File metadata and controls
48 lines (38 loc) · 1.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# Sigstore Signing - Cryptographic signing for Python releases
# https://docs.sigstore.dev/
# Signs your Python package distributions using Sigstore's keyless signing,
# providing verifiable provenance for your releases.
name: Sign Release (Sigstore)
on:
release:
types: [published]
permissions:
contents: read
id-token: write # Required for Sigstore OIDC
jobs:
sign:
name: Sign Python Distribution
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.x"
- name: Install build dependencies
run: pip install build==1.2.2.post1
- name: Build distribution
run: python -m build
- name: Sign with Sigstore
uses: sigstore/gh-action-sigstore-python@04cffa1d795717b140764e8b640de88853c92acc # v3.3.0
with:
inputs: ./dist/*.tar.gz ./dist/*.whl
- name: Upload signed artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: signed-dist
path: |
dist/*.tar.gz
dist/*.whl
dist/*.sigstore.json