Commit

ci: Use GitHub attestations (#1132)
* ci: Use GitHub attestations

* Replace old step

* Upload artifacts to release

* Change the asset name
edgarrmondragon authored May 22, 2024
1 parent e7ba0a7 commit bb557ea
Showing 2 changed files with 31 additions and 8 deletions.
36 changes: 28 additions & 8 deletions .github/workflows/build.yml
Expand Up @@ -26,6 +26,26 @@ jobs:
ref: ${{ github.event.inputs.tag || github.ref }}
- uses: hynek/build-and-inspect-python-package@eb6b0c7cc5e1f38eec42c970925e1b3420faa015

upload-to-release:
name: Upload to GitHub Release
if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
needs: [build]
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases

steps:
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: Packages
path: dist
- uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd
with:
file: dist/**
tag: ${{ github.event.inputs.tag || github.ref }}
overwrite: false
file_glob: true

publish:
name: Publish to PyPI
if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.publish == 'true'
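Review bot: the `if:` on `upload-to-release` accepts any `workflow_dispatch` run, but `tag:` falls back to `github.ref`, which on a manual run without a `tag` input is a branch ref rather than a tag. Consider requiring `github.event.inputs.tag` for dispatch runs so the release upload cannot target a branch ref. Also, this job and the job that runs `actions/attest-build-provenance` both depend only on `build`, so `dist/**` can be attached to the release even when attestation fails; if the release should never carry unattested files, add the attestation job to `needs`.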
Expand All @@ -51,22 +71,22 @@ jobs:
runs-on: ubuntu-latest
needs: [build]
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for sigstore
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for attestations
attestations: write # IMPORTANT: mandatory for attestations

steps:
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: Packages
path: dist
- uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2
- uses: actions/attest-build-provenance@eab7f69317b589ac05272d67712fdd10ab3d4d1d
id: attest
with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
subject-path: "./dist/citric*"
- uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd
with:
file: dist/**
file: ${{ steps.attest.outputs.bundle-path }}
tag: ${{ github.event.inputs.tag || github.ref }}
overwrite: false
file_glob: true
asset_name: attestations.intoto.jsonl
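Review bot: the job that holds `id-token: write` and `attestations: write` still keeps `contents: write` only so that `svenstaro/upload-release-action` can attach the bundle, which means a third-party action runs in the same job that can mint OIDC tokens and write attestations. The SHA pin limits that exposure; a tighter split would be to hand `steps.attest.outputs.bundle-path` on as a workflow artifact and let `upload-to-release` attach it, leaving this job without `contents: write`. Separately, `file_glob: true` is no longer needed now that `file:` is a single path, and with `overwrite: false` plus the fixed `asset_name: attestations.intoto.jsonl`, a re-run for the same tag will not replace an existing bundle.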
3 changes: 3 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -41,6 +41,9 @@ repos:
rev: v2.2.6
hooks:
- id: codespell
# TODO: Use inline ignores, e.g. # codespell:ignore intoto
# https://github.com/codespell-project/codespell/issues/3387
args: [-L, intoto]
additional_dependencies:
- tomli
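Review bot: `args: [-L, intoto]` suppresses the word in every file the hook checks, although the only use visible in this commit is the `attestations.intoto.jsonl` asset name in `build.yml`. The TODO covers moving to an inline ignore; until then, keep the list to this one word so the exception stays easy to remove.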
