-
Notifications
You must be signed in to change notification settings - Fork 11
130 lines (109 loc) · 4.45 KB
/
pypi.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# SPDX-License-Identifier: Apache-2.0
name: Build, test, and upload PyPI package
on:
push:
branches:
- "main"
tags:
- "v*"
pull_request:
branches:
- "main"
release:
types:
- published
env:
LC_ALL: en_US.UTF-8
defaults:
run:
shell: bash
permissions:
contents: read
jobs:
# Create and verify release artifacts
# - build source dist (tar ball) and wheel
# - validate artifacts with various tools
# - upload artifacts to GHA
build-package:
name: Build and check packages
runs-on: ubuntu-latest
steps:
- name: "Harden Runner"
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: "Checkout"
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
# for setuptools-scm
fetch-depth: 0
- name: "Build and Inspect"
uses: hynek/build-and-inspect-python-package@b4fc3f6ba2b3da04f09659be99e2a29fb6146a61 # v2.6.0
# push to Test PyPI on
# - a new GitHub release is published
# - a PR is merged into main branch
publish-test-pypi:
name: Publish packages to test.pypi.org
# environment: publish-test-pypi
if: ${{ false && (github.repository_owner == 'instructlab') && ((github.event.action == 'published') || ((github.event_name == 'push') && (github.ref == 'refs/heads/main'))) }}
permissions:
contents: read
# see https://docs.pypi.org/trusted-publishers/
id-token: write
runs-on: ubuntu-latest
needs: build-package
steps:
- name: "Harden Runner"
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: "Download build artifacts"
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: Packages
path: dist
- name: "Upload to Test PyPI"
uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
with:
repository-url: https://test.pypi.org/legacy/
# push to Production PyPI on
# - a new GitHub release is published
publish-pypi:
name: Publish release to pypi.org
# environment: publish-pypi
if: ${{ false && (github.repository_owner == 'instructlab') && (github.event.action == 'published') }}
permissions:
# see https://docs.pypi.org/trusted-publishers/
id-token: write
# allow gh release upload
contents: write
runs-on: ubuntu-latest
needs: build-package
steps:
- name: "Harden Runner"
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: "Download build artifacts"
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: Packages
path: dist
- name: "Sigstore sign package"
uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2 # v2.1.1
with:
inputs: |
./dist/*.tar.gz
./dist/*.whl
- name: "Upload artifacts and signatures to GitHub release"
run: |
gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# PyPI does not accept .sigstore artifacts and
# gh-action-pypi-publish has no option to ignore them.
- name: "Remove sigstore signatures before uploading to PyPI"
run: |
rm ./dist/*.sigstore
- name: "Upload to PyPI"
uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14