Merge pull request #270 from atsign-foundation/dependabot/github_acti… #187
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and publish | |
| on: | |
| workflow_dispatch: | |
| push: | |
| tags: | |
| - 'v*.*.*' | |
| branches: | |
| - trunk | |
| permissions: # added using https://github.com/step-security/secure-repo | |
| contents: read | |
| jobs: | |
| build: | |
| name: Build package | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout this repo | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - name: Set up Python | |
| uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 | |
| with: | |
| python-version: '3.11' | |
| - name: Install Poetry | |
| uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0 | |
| with: | |
| poetry-version: '1.8.2' | |
| # The dark mode and light mode Atsign logos in the GitHub README don't | |
| # show properly on PyPI so we have a copy of the README.md in | |
| # README.PyPI.md with just the light mode logo. | |
| # That README is generated here from a stub header line plus the rest | |
| # of the main README.md | |
| - name: Generate README for PyPI | |
| run: | | |
| mv README.PyPI.md.stub README.PyPI.md | |
| tail -n +2 README.md >> README.PyPI.md | |
| - name: Build using Poetry | |
| run: | | |
| poetry build | |
| - name: Store the distribution packages | |
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: python-package-distributions | |
| path: dist/ | |
| publish-to-testpypi: | |
| name: Publish package to TestPyPI | |
| needs: | |
| - build | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: testpypi | |
| url: https://test.pypi.org/p/atsdk | |
| permissions: | |
| id-token: write # IMPORTANT: mandatory for trusted publishing | |
| steps: | |
| - name: Download all the dists | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: python-package-distributions | |
| path: dist/ | |
| - name: Publish distribution to TestPyPI | |
| uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # v1.10.2 | |
| with: | |
| skip-existing: true | |
| attestations: true | |
| repository-url: https://test.pypi.org/legacy/ | |
| publish-to-pypi: | |
| name: Publish package to PyPI | |
| if: startsWith(github.ref, 'refs/tags/v') # only publish to PyPI on tag pushes | |
| needs: | |
| - build | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: pypi | |
| url: https://pypi.org/p/atsdk | |
| permissions: | |
| id-token: write # IMPORTANT: mandatory for trusted publishing | |
| steps: | |
| - name: Download all the dists | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: python-package-distributions | |
| path: dist/ | |
| - name: Publish distribution to PyPI | |
| uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # v1.10.2 | |
| with: | |
| skip-existing: true | |
| attestations: true | |
| github-release: | |
| name: Attest Python distribution artifacts and upload them to the GitHub Release | |
| needs: | |
| - publish-to-pypi | |
| runs-on: ubuntu-latest | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| permissions: | |
| contents: write # IMPORTANT: mandatory for making GitHub Releases | |
| id-token: write # IMPORTANT: mandatory for sigstore | |
| attestations: write | |
| steps: | |
| - name: Checkout requirements.txt | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| with: | |
| sparse-checkout: requirements.txt | |
| sparse-checkout-cone-mode: false | |
| - name: Download all the dists | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: python-package-distributions | |
| path: dist/ | |
| - name: Install Syft | |
| uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
| - name: Generate SBOMs | |
| run: | | |
| syft scan file:./requirements.txt \ | |
| -o 'spdx-json=dist/sbom.spdx.json' \ | |
| -o 'cyclonedx-json=dist/sbom.cyclonedx.json' | |
| - name: Generate SHA256 checksums | |
| working-directory: dist | |
| run: sha256sum * > checksums.txt | |
| - id: hash | |
| name: Pass artifact hashes for SLSA provenance | |
| working-directory: dist | |
| run: | | |
| echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| - name: Attest the release artifacts | |
| uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 | |
| with: | |
| subject-path: 'dist/**' | |
| - name: Upload artifact signatures to GitHub Release | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| # Upload to GitHub Release using the `gh` CLI. | |
| # `dist/` contains the built packages | |
| run: >- | |
| gh release upload | |
| '${{ github.ref_name }}' dist/** | |
| --repo '${{ github.repository }}' | |
| provenance: | |
| needs: [github-release] | |
| permissions: | |
| actions: read # Needed for detection of GitHub Actions environment. | |
| id-token: write # Needed for provenance signing and ID | |
| contents: write # Needed for release uploads | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # 5a775b367a56d5bd118a224a811bba288150a563 | |
| with: | |
| base64-subjects: "${{ needs.github-release.outputs.hashes }}" | |
| upload-assets: true |