-
Notifications
You must be signed in to change notification settings - Fork 3
153 lines (146 loc) · 5.2 KB
/
build-publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
name: Build and publish
on:
workflow_dispatch:
push:
tags:
- 'v*.*.*'
branches:
- trunk
permissions: # added using https://github.com/step-security/secure-repo
contents: read
jobs:
build:
name: Build package
runs-on: ubuntu-latest
steps:
- name: Checkout this repo
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Set up Python
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: '3.11'
- name: Install Poetry
uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0
with:
poetry-version: '1.8.2'
# The dark mode and light mode Atsign logos in the GitHub README don't
# show properly on PyPI so we have a copy of the README.md in
# README.PyPI.md with just the light mode logo.
# That README is generated here from a stub header line plus the rest
# of the main README.md
- name: Generate README for PyPI
run: |
mv README.PyPI.md.stub README.PyPI.md
tail -n +2 README.md >> README.PyPI.md
- name: Build using Poetry
run: |
poetry build
- name: Store the distribution packages
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: python-package-distributions
path: dist/
publish-to-testpypi:
name: Publish package to TestPyPI
needs:
- build
runs-on: ubuntu-latest
environment:
name: testpypi
url: https://test.pypi.org/p/atsdk
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- name: Download all the dists
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: python-package-distributions
path: dist/
- name: Publish distribution to TestPyPI
uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # v1.10.2
with:
skip-existing: true
attestations: true
repository-url: https://test.pypi.org/legacy/
publish-to-pypi:
name: Publish package to PyPI
if: startsWith(github.ref, 'refs/tags/v') # only publish to PyPI on tag pushes
needs:
- build
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/atsdk
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- name: Download all the dists
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: python-package-distributions
path: dist/
- name: Publish distribution to PyPI
uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # v1.10.2
with:
skip-existing: true
attestations: true
github-release:
name: Attest Python distribution artifacts and upload them to the GitHub Release
needs:
- publish-to-pypi
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for sigstore
attestations: write
steps:
- name: Checkout requirements.txt
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
sparse-checkout: requirements.txt
sparse-checkout-cone-mode: false
- name: Download all the dists
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: python-package-distributions
path: dist/
- name: Install Syft
uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
- name: Generate SBOMs
run: |
syft scan file:./requirements.txt \
-o 'spdx-json=dist/sbom.spdx.json' \
-o 'cyclonedx-json=dist/sbom.cyclonedx.json'
- name: Generate SHA256 checksums
working-directory: dist
run: sha256sum * > checksums.txt
- id: hash
name: Pass artifact hashes for SLSA provenance
working-directory: dist
run: |
echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Attest the release artifacts
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
with:
subject-path: 'dist/**'
- name: Upload artifact signatures to GitHub Release
env:
GITHUB_TOKEN: ${{ github.token }}
# Upload to GitHub Release using the `gh` CLI.
# `dist/` contains the built packages
run: >-
gh release upload
'${{ github.ref_name }}' dist/**
--repo '${{ github.repository }}'
provenance:
needs: [github-release]
permissions:
actions: read # Needed for detection of GitHub Actions environment.
id-token: write # Needed for provenance signing and ID
contents: write # Needed for release uploads
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # 5a775b367a56d5bd118a224a811bba288150a563
with:
base64-subjects: "${{ needs.github-release.outputs.hashes }}"
upload-assets: true