Merge pull request #3040 from pygame-community/ankith26-release-machinery

release machinery: fix attestation and circleci
ankith26 authored Aug 7, 2024
2 parents a6e4941 + 2640077 commit 8e0c592
Showing 3 changed files with 30 additions and 16 deletions.
10 changes: 10 additions & 0 deletions .circleci/config.yml
@@ -52,5 +52,15 @@ jobs:
# See: https://circleci.com/docs/2.0/configuration-reference/#workflows
workflows:
build-arm:
when:
equal: [ "", << pipeline.parameters.GHA_Actor >> ]
jobs:
- linux-arm-wheels

# run a separate, identical release job only if triggered
build-arm-release:
when:
not:
equal: [ "", << pipeline.parameters.GHA_Actor >> ]
jobs:
- linux-arm-wheels
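Review bot: `build-arm` and `build-arm-release` list the same single job, `linux-arm-wheels`, and differ only in the `when` test on `GHA_Actor`; the comment says the duplication is intentional, so it should also say why a second workflow is needed (presumably so the release run is distinguishable from the default pipeline run) and confirm that `GHA_Actor` is declared under `pipeline.parameters` with a default of `""`, because `equal: [ "", << pipeline.parameters.GHA_Actor >> ]` silently selects the non-release path whenever the parameter is unset. Note also that any non-empty actor value, not only a release trigger, selects `build-arm-release`.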
16 changes: 9 additions & 7 deletions .github/workflows/release-gh-draft.yml
@@ -32,6 +32,11 @@ jobs:
draft-release:
needs: [manylinux-aarch64, manylinux, macos, windows, sdist]
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
contents: write

steps:
- uses: actions/[email protected]

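Review bot: a job-level `permissions` block replaces the workflow default, so every scope not listed becomes `none` for `draft-release`; that is the right direction, but add a short comment saying why each scope is needed (`id-token: write` for the OIDC token the attestation action exchanges with Sigstore, `attestations: write` to store the resulting attestation, `contents: write` for the draft release), so that a later edit trimming one of them does not turn into a runtime failure at the attest or release step.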
@@ -55,13 +60,10 @@ jobs:
id: ver
run: echo "VER=${GITHUB_REF_NAME#'release/'}" >> $GITHUB_OUTPUT

# First generate release.sha512sum which contains hashes of all release files, then
# encrypt these hashes so that the hash file itself cannot be tampered with.
- name: Generate release hashes (encrypted)
run: |
cd pygame-wheels
sha512sum * > release.sha512sum
gpg --batch --output release.sha512sum.gpg --passphrase ${{ secrets.GITHUB_TOKEN }} --symmetric release.sha512sum
- name: Generate release attestation
uses: actions/[email protected]
with:
subject-path: "pygame-wheels/*"

- name: Draft a release
uses: softprops/action-gh-release@v2
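Review bot: the removed `gpg --symmetric` step used `secrets.GITHUB_TOKEN` as the passphrase, and that token is issued per workflow run, so `release.sha512sum.gpg` could never be decrypted from the separate PyPI workflow; replacing it with provenance attestation is the right fix. Two follow-ups on the new step: `subject-path: "pygame-wheels/*"` attests whatever is in the directory at that moment, so consider explicit patterns for the wheels and the sdist rather than a bare glob, and restore a comment at the step explaining that the attestation binds each artifact digest to this workflow run so the PyPI workflow can verify it.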
20 changes: 11 additions & 9 deletions .github/workflows/release-pypi.yml
@@ -23,16 +23,18 @@ jobs:
zipBall: false
out-file-path: "dist"

# Check that all the files that successfully uploaded from the release-gh-draft
# action have not been tampered with. This however ignores any extra files that
# were manually added.
- name: Verify release hashes
- name: Verify release attestation
env:
GH_TOKEN: ${{ github.token }}
run: |
cd dist
gpg --batch --output release.decrypted.sha512sum --passphrase ${{ secrets.GITHUB_TOKEN }} --decrypt release.sha512sum.gpg
diff -s release.sha512sum release.decrypted.sha512sum
sha512sum -c release.decrypted.sha512sum
rm release.*
for fname in dist/*; do
if gh attestation verify $fname -R ${{ github.repository }}; then
echo "[ALLOWED] $fname"
else
rm $fname
echo "[DELETED] $fname"
fi
done
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
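Review bot: the loop in `Verify release attestation` runs `cd dist` and then iterates `dist/*`, which does not exist relative to the new working directory, so the glob stays literal, `gh attestation verify dist/*` fails, and the `rm` in the `else` branch operates on the literal name; verification never reaches the real files. Drop the `cd dist` or iterate over `*`. Separately, a failed verification deletes the file but leaves the step green, so a tampered or foreign artifact produces a silent partial publish; fail the step when any file is deleted (or at least when nothing passes), and quote `"$fname"`. The context comment above the step still says extra files are ignored, which is no longer true now that they are removed.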

0 comments on commit 8e0c592