
Commit d96ecda

committed
chore(ci): restrict OIDC token to publish job
1 parent f7a8e85 commit d96ecda

1 file changed

Lines changed: 30 additions & 10 deletions


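--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,18 +8,11 @@ name: release
 permissions: {}
 
 jobs:
-pypi:
-name: upload release to PyPI
+build:
+name: build release distributions
 runs-on: ubuntu-latest
-environment: release
 permissions:
-# Used for OIDC publishing.
-# Used to sign the release's artifacts with sigstore-python.
-id-token: write
-
-# Used to attach signing artifacts to the published release.
-contents: write
-
+contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -35,6 +28,33 @@ jobs:
 - name: build
 run: python -m build
 
+- name: upload distributions
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+with:
+name: distributions
+path: dist/
+if-no-files-found: error
+
+pypi:
+name: upload release to PyPI
+runs-on: ubuntu-latest
+needs: build
+environment: release
+permissions:
+# Used for OIDC publishing.
+# Used to sign the release's artifacts with sigstore-python.
+id-token: write
+
+# Used to attach signing artifacts to the published release.
+contents: write
+
+steps:
+- name: download distributions
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+with:
+name: distributions
+path: dist/
+
 - name: publish
 uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 with: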
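Review bot: The new `contents: read` in the build job's `permissions` block is the only permission in this file without a why-comment, while the sibling `pypi` block documents both `id-token: write` and `contents: write`; add `# Needed to check out the repository.` above it, since the only visible consumer is the `actions/checkout` step that follows. It is worth stating in that comment, or in the `pypi` job's `permissions` comments, that the privileged job deliberately runs no `actions/checkout` and only consumes the `distributions` artifact, so that a later edit does not quietly reintroduce repository code into the job that holds the OIDC token. The `if-no-files-found: error` on the upload is what prevents an empty build from reaching the publish step; a matching comment on that line would make the intent survive future cleanups. The publish step's `with:` block, and therefore the publisher configuration, lies outside the hunk.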
