command-scope-contract/.github/workflows/release.yml at main · madeinplutofabio/command-scope-contract · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
name: Release

on:
  push:
    tags:
      - "v*"

permissions:
  contents: read

# This workflow handles:
# 1. Build wheel + sdist
# 2. Dependency audit
# 3. Generate SBOM from clean wheel install
# 4. Publish to PyPI (trusted publishing — handles attestations)
# 5. Sign release artifacts (sigstore) for GitHub release only
# 6. Create GitHub release with signed artifacts + SBOM
#
# Prerequisites:
# - PyPI trusted publishing configured for this repository
#   (environment: pypi, package URL set)
# - Repository has GitHub Actions allowed to create releases
#
# Action versions are not yet pinned to SHA — that is a follow-up task.

jobs:
  build:
    name: Build Distribution
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.11"

      - name: Install build tools
        run: pip install build

      - name: Build wheel and sdist
        run: python -m build

      - name: Upload build artifacts
        uses: actions/upload-artifact@v7
        with:
          name: dist
          path: dist/

  audit:
    name: Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.11"

      - name: Install package and audit tool
        run: |
          pip install -e .
          pip install pip-audit

      - name: Run pip-audit
        run: |
          # Skip CVEs with no fix available upstream.
          # CVE-2026-4539: pygments 2.19.2 — no patched version released yet.
          # Remove --ignore-vuln flags as upstream fixes become available.
          pip-audit --ignore-vuln CVE-2026-4539

  sbom:
    name: Generate SBOM
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.11"

      - name: Download build artifacts
        uses: actions/download-artifact@v8
        with:
          name: dist
          path: dist/

      - name: Install wheel in clean environment
        run: |
          python -m venv sbom-env
          sbom-env/bin/pip install dist/*.whl

      - name: Generate CycloneDX SBOM
        run: |
          sbom-env/bin/pip install cyclonedx-bom
          sbom-env/bin/cyclonedx-py environment \
            --output-file sbom.json \
            --output-format json

      - name: Upload SBOM
        uses: actions/upload-artifact@v7
        with:
          name: sbom
          path: sbom.json

  publish-pypi:
    name: Publish to PyPI
    runs-on: ubuntu-latest
    needs: [build, audit]
    environment:
      name: pypi
      url: https://pypi.org/p/csc-runner
    permissions:
      id-token: write
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@v8
        with:
          name: dist
          path: dist/

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: dist/

  sign-for-release:
    name: Sign Artifacts for GitHub Release
    runs-on: ubuntu-latest
    needs: build
    permissions:
      id-token: write
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@v8
        with:
          name: dist
          path: dist/

      - name: Sign with sigstore
        uses: sigstore/gh-action-sigstore-python@v3.2.0
        with:
          inputs: ./dist/*

      - name: Upload signed artifacts
        uses: actions/upload-artifact@v7
        with:
          name: dist-signed
          path: dist/

  github-release:
    name: Create GitHub Release
    runs-on: ubuntu-latest
    needs: [publish-pypi, sign-for-release, sbom]
    permissions:
      contents: write
    steps:
      - name: Download signed artifacts
        uses: actions/download-artifact@v8
        with:
          name: dist-signed
          path: dist/

      - name: Download SBOM
        uses: actions/download-artifact@v8
        with:
          name: sbom
          path: .

      - name: Create release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            dist/*
            sbom.json
          generate_release_notes: true