feat: SLSA attestations on PyPI publish + dependency-review workflow … #1
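---
name: Release

on:
  push:
    tags: ['v*']

# Workflow-wide default: read-only repository access. Only publish-pypi
# escalates, and it does so explicitly at job level below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Nothing in this job pushes, so the workflow token is not left
          # behind in .git/config for later steps (or build hooks) to read.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: '3.12'

      - name: Extract version from tag
        id: version
        env:
          # The ref is passed through the environment rather than
          # interpolated into the script, so a tag name cannot inject shell.
          GH_REF: ${{ github.ref }}
        run: |
          version="${GH_REF#refs/tags/v}"
          echo "version=$version" >> "$GITHUB_OUTPUT"

      # Fail the release if the tag disagrees with pyproject.toml, so a
      # mistagged commit cannot be published under the wrong version.
      - name: Ensure tag matches pyproject version
        env:
          TAG_VERSION: ${{ steps.version.outputs.version }}
        run: |
          python - <<'PY'
          from pathlib import Path
          import tomllib
          import os
          import sys
          data = tomllib.loads(Path("pyproject.toml").read_text(encoding="utf-8"))
          project_version = data["project"]["version"]
          tag_version = os.environ["TAG_VERSION"]
          if project_version != tag_version:
              print(
                  f"pyproject.toml version {project_version!r} does not match tag v{tag_version}",
                  file=sys.stderr,
              )
              raise SystemExit(1)
          PY

      - name: Install build tools
        # NOTE(review): build and twine are installed unpinned, so the
        # toolchain that produces the release is whatever PyPI serves on
        # the day; consider pinning versions (or --require-hashes) so a
        # release can be reproduced and the publisher toolchain is fixed.
        run: |
          python -m pip install --upgrade pip
          pip install build twine

      - name: Build sdist and wheel
        run: python -m build

      - name: Check distribution metadata
        run: twine check dist/*

      # The publish job never checks out or rebuilds; this artifact is the
      # only input it receives, so what is published is what was checked here.
      - name: Upload build artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: dist
          path: dist/

  publish-pypi:
    needs: [build]
    runs-on: ubuntu-latest
    # Deployment environment: protection rules configured on `pypi` gate
    # who/what may reach this job, and the trusted publisher on PyPI is
    # bound to it.
    environment:
      name: pypi
      url: https://pypi.org/p/pipelock-verify
    permissions:
      # OIDC token for PyPI trusted publishing (no long-lived API token).
      id-token: write
      # NOTE(review): pypa/gh-action-pypi-publish produces PEP 740
      # attestations from the OIDC identity and uploads them to PyPI;
      # `attestations: write` is the permission for GitHub's own attestation
      # store (actions/attest-*), which no step in this job uses. Confirm
      # against the action's documentation and drop this grant if it is not
      # required, to keep the job at least privilege.
      attestations: write
      # No checkout in this job; repository access stays read-only.
      contents: read
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: dist
          path: dist/

      - name: Publish to PyPI with attestations
        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
        with:
          # Emit SLSA / Sigstore attestations for each uploaded artifact via
          # the OIDC trusted publisher flow (PEP 740); PyPI stores them
          # alongside the sdist and wheel.
          # NOTE(review): the earlier hint `gh attestation verify --owner
          # luckyPipewrench` queries GitHub's attestation store, which this
          # workflow never writes to (there is no actions/attest-* step), so
          # it would presumably find nothing — confirm the intended
          # verification path for consumers and document that one instead.
          attestations: true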