chore(deps): Bump sigstore/gh-action-sigstore-python #70
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: Apache-2.0 | |
| --- | |
| name: Build, test, and upload PyPI package | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "v*" | |
| pull_request: | |
| branches: | |
| - main | |
| release: | |
| types: | |
| - published | |
| permissions: {} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build-package: | |
| name: Build and check packages | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0 | |
| # push to Test PyPI on | |
| # - a new GitHub release is published | |
| # - a PR is merged into main branch | |
| publish-test-pypi: | |
| name: Publish packages to test.pypi.org | |
| environment: pypi | |
| if: | | |
| github.repository_owner == 'python-wheel-build' && ( | |
| github.event.action == 'published' || | |
| (github.event_name == 'push' && github.ref == 'refs/heads/main') | |
| ) | |
| permissions: | |
| contents: read | |
| # see https://docs.pypi.org/trusted-publishers/ | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| needs: build-package | |
| steps: | |
| - name: Fetch build artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: Packages | |
| path: dist | |
| - name: Upload to Test PyPI | |
| uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 | |
| with: | |
| repository-url: https://test.pypi.org/legacy/ | |
| # push to Production PyPI on | |
| # - a new GitHub release is published | |
| publish-pypi: | |
| name: Publish release to pypi.org | |
| environment: pypi | |
| if: | | |
| github.repository_owner == 'python-wheel-build' && github.event.action == 'published' | |
| permissions: | |
| # see https://docs.pypi.org/trusted-publishers/ | |
| id-token: write | |
| # allow gh release upload | |
| contents: write | |
| runs-on: ubuntu-latest | |
| needs: build-package | |
| steps: | |
| - name: Fetch build artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: Packages | |
| path: dist | |
| - uses: sigstore/gh-action-sigstore-python@04cffa1d795717b140764e8b640de88853c92acc # v3.3.0 | |
| with: | |
| inputs: >- | |
| ./dist/*.tar.gz | |
| ./dist/*.whl | |
| - name: Upload artifacts and signatures to GitHub release | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| run: >- | |
| gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}' | |
| # PyPI does not accept .sigstore artifacts and | |
| # gh-action-pypi-publish has no option to ignore them. | |
| - name: Remove sigstore signatures before uploading to PyPI | |
| run: rm ./dist/*.sigstore | |
| - name: Upload to PyPI | |
| uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 |