github3.py/.github/workflows/release.yml at main · sigmavirus24/github3.py · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
name: Publish to PyPI

on:
  push:
    tags:
      - "*"

permissions:
  contents: read

jobs:
  build:
    name: "Build dists"
    runs-on: "ubuntu-latest"
    environment:
      name: "publish"
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
        with:
          egress-policy: audit

      - name: "Checkout repository"
        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

      - name: "Setup Python"
        uses: "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405"
        with:
          python-version: "3.x"

      - name: "Install dependencies"
        run: python -m pip install build==0.8.0

      - name: "Build dists"
        run: |
          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
          python -m build

      - name: "Generate hashes"
        id: hash
        run: |
          cd dist && echo "::set-output name=hashes::$(sha256sum * | base64 -w0)"

      - name: "Upload dists"
        uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
        with:
          name: "dist"
          path: "dist/"
          if-no-files-found: error
          retention-days: 5

  provenance:
    needs: [build]
    permissions:
      actions: read
      contents: write
      id-token: write # Needed to access the workflow's OIDC identity.
    uses: "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0"
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true
      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163

  publish:
    name: "Publish"
    if: startsWith(github.ref, 'refs/tags/')
    needs: ["build", "provenance"]
    permissions:
      contents: write
      id-token: write
    runs-on: "ubuntu-latest"

    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
      with:
        egress-policy: audit

    - name: "Download dists"
      uses: "actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"
      with:
        name: "dist"
        path: "dist/"

    - name: "Publish dists to PyPI"
      uses: "pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b"