-
Notifications
You must be signed in to change notification settings - Fork 0
68 lines (61 loc) · 2.59 KB
/
pypi-publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
name: Publish to PyPI
on:
workflow_dispatch:
inputs:
run_id:
description: The run of wheel-builder to use for finding artifacts.
required: true
environment:
description: Which PyPI environment to upload to
required: true
type: choice
options: ["testpypi", "pypi"]
workflow_run:
workflows: ["Wheel Builder"]
types: [completed]
permissions:
contents: read
jobs:
publish:
runs-on: ubuntu-latest
# We're not actually verifying that the triggering push event was for a
# tag, because github doesn't expose enough information to do so.
# wheel-builder.yml currently only has push events for tags.
if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success')
permissions:
id-token: "write"
steps:
- uses: actions/setup-python@v4
with:
python-version: "3.9"
- name: Install Python dependencies
run: pip install twine sigstore
- uses: dawidd6/action-download-artifact@v3
with:
path: dist/
run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }}
- run: |
echo "OIDC_AUDIENCE=pypi" >> $GITHUB_ENV
echo "PYPI_DOMAIN=pypi.org" >> $GITHUB_ENV
echo "TWINE_REPOSITORY=pypi" >> $GITHUB_ENV
echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV
echo "TWINE_PASSWORD=${TWINE_PASSWORD}" >> $GITHUB_ENV
env:
TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi')
- run: |
echo "OIDC_AUDIENCE=testpypi" >> $GITHUB_ENV
echo "PYPI_DOMAIN=test.pypi.org" >> $GITHUB_ENV
echo "TWINE_REPOSITORY=testpypi" >> $GITHUB_ENV
echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV
echo "TWINE_PASSWORD=${TWINE_PASSWORD}" >> $GITHUB_ENV
env:
TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'
- run: twine upload --skip-existing $(find dist/ -type f -name 'streamxfer*')
# Do not perform sigstore signatures for things for TestPyPI. This is
# because there's nothing that would prevent a malicious PyPI from
# serving a signed TestPyPI asset in place of a release intended for
# PyPI.
- run: sigstore sign $(find dist/ -type f -name 'streamxfer*')
if: env.TWINE_REPOSITORY == 'pypi'