-
Notifications
You must be signed in to change notification settings - Fork 22
94 lines (90 loc) · 3.26 KB
/
Copy pathpublish.yml
File metadata and controls
94 lines (90 loc) · 3.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
name: Publish to PyPI
on:
release:
types: [published]
permissions: read-all
jobs:
build:
runs-on: ubuntu-latest
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Verify tag matches VERSION file
run: |
TAG="${GITHUB_REF#refs/tags/}"
TAG_VERSION="${TAG#v}"
FILE_VERSION="$(cat VERSION)"
if [ "$TAG_VERSION" != "$FILE_VERSION" ]; then
echo "::error::Release tag does not match VERSION file."
echo " Tag (raw): $TAG"
echo " Tag (normalized): $TAG_VERSION"
echo " VERSION file: $FILE_VERSION"
echo ""
echo "This almost always means VERSION was not bumped before the tag was cut."
echo "Fix: bump VERSION on master, delete the bad tag and release, re-tag, recreate the release."
exit 1
fi
echo "OK: tag $TAG matches VERSION $FILE_VERSION"
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.12"
- name: Build package
run: pip install build && python -m build
- name: Generate CycloneDX SBOM
run: |
pip install cyclonedx-bom
VERSION=$(cat VERSION)
mkdir -p sbom
python -m venv /tmp/sbom-env
/tmp/sbom-env/bin/pip install --upgrade pip
/tmp/sbom-env/bin/pip install --no-deps dist/*.whl
cyclonedx-py environment /tmp/sbom-env/bin/python \
--output-format JSON \
--output-file "sbom/bitmath-${VERSION}.cdx.json"
- name: Upload dist artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: dist
path: dist/
- name: Upload SBOM artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: sbom
path: sbom/
publish:
needs: build
runs-on: ubuntu-latest
environment: pypi
permissions:
id-token: write
contents: write
steps:
- name: Download dist artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: dist
path: dist/
- name: Download SBOM artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: sbom
path: sbom/
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
with:
packages-dir: dist/
skip-existing: false
- name: Attach release artifacts to GitHub Release
# The .publish.attestation files are what Scorecard's Signed-Releases
# check looks for; it inspects GitHub release assets, not PyPI.
env:
GH_TOKEN: ${{ github.token }}
run: |
TAG="${GITHUB_REF#refs/tags/}"
gh release upload "$TAG" \
dist/bitmath-*.whl \
dist/bitmath-*.tar.gz \
dist/bitmath-*.publish.attestation \
sbom/bitmath-*.cdx.json \
--clobber --repo "$GITHUB_REPOSITORY"