ci: Use GitHub attestations #1132

Merged 8 commits on May 22, 2024
36 changes: 28 additions & 8 deletions .github/workflows/build.yml
Expand Up @@ -26,6 +26,26 @@ jobs:
ref: ${{ github.event.inputs.tag || github.ref }}
- uses: hynek/build-and-inspect-python-package@eb6b0c7cc5e1f38eec42c970925e1b3420faa015

upload-to-release:
name: Upload to GitHub Release
if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
needs: [build]
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases

steps:
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: Packages
path: dist
- uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd
with:
file: dist/**
tag: ${{ github.event.inputs.tag || github.ref }}
overwrite: false
file_glob: true

publish:
name: Publish to PyPI
if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.publish == 'true'
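Review bot: the new `upload-to-release` job's `if:` admits any `workflow_dispatch` run, but `tag: ${{ github.event.inputs.tag || github.ref }}` falls back to `github.ref` when the `tag` input is left empty, so a manual run started from a branch would create or target a release named after the branch ref rather than a version tag. Consider requiring the input in the condition (for example `if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.tag != ''`) or validating it in a first step before anything is uploaded. The full-SHA pins on `actions/download-artifact` and `svenstaro/upload-release-action` are good supply-chain hygiene; a trailing `# vX.Y.Z` comment after each pin keeps them readable and lets update tooling track them.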
Expand All @@ -51,22 +71,22 @@ jobs:
runs-on: ubuntu-latest
needs: [build]
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for sigstore
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for attestations
attestations: write # IMPORTANT: mandatory for attestations

steps:
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: Packages
path: dist
- uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2
- uses: actions/attest-build-provenance@eab7f69317b589ac05272d67712fdd10ab3d4d1d
id: attest
with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
subject-path: "./dist/citric*"
- uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd
with:
file: dist/**
file: ${{ steps.attest.outputs.bundle-path }}
tag: ${{ github.event.inputs.tag || github.ref }}
overwrite: false
file_glob: true
asset_name: attestations.intoto.jsonl
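Review bot: `file_glob: true` was carried over from the replaced step, but `file:` is now the single bundle path from `steps.attest.outputs.bundle-path`, and the upload-release-action README states that `asset_name` is ignored when `file_glob` is true, so the asset would be uploaded under the bundle's own file name instead of `attestations.intoto.jsonl`. Drop `file_glob: true` (or drop `asset_name` if the default name is acceptable). Note also that `subject-path: "./dist/citric*"` ties the attestation to the package name, whereas the removed sigstore step used `./dist/*.tar.gz` and `./dist/*.whl`; the suffix globs are independent of the project name and exclude any stray file in `dist/` that happens to share the prefix. The permission set is right: `id-token: write` and `attestations: write` are what `attest-build-provenance` needs, and `contents: write` is still required here for the release upload. Since this PR touches no documentation, a short note telling consumers to check the published bundle with the GitHub CLI's `gh attestation verify` against this repository would complete the change.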
3 changes: 3 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -41,6 +41,9 @@ repos:
rev: v2.2.6
hooks:
- id: codespell
# TODO: Use inline ignores, e.g. # codespell:ignore intoto
# https://github.com/codespell-project/codespell/issues/3387
args: [-L, intoto]
additional_dependencies:
- tomli
