Skip to content

Sign khisto binary

Sign khisto binary #25

Workflow file for this run

name: pip packaging
on:
workflow_dispatch:
inputs:
python_repository:
description: python repository
type: choice
default: None # no publishing to any Package Index by default
options: [None, testpypi, pypi]
signature-activation:
type: boolean
required: true
default: false
description: Sign khisto binary
push:
tags: ['*']
pull_request:
paths:
- .github/workflows/pack-pip.yaml
- pyproject.toml
- CMakeLists.txt
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
defaults:
run:
shell: bash
jobs:
build-wheel:
name: Build wheel
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-24.04, ubuntu-24.04-arm, windows-2025-vs2026, windows-11-vs2026-arm, macos-15-intel, macos-15]
env:
SIGN_WINDOWS_WHEELS: ${{ github.event_name == 'workflow_dispatch' && inputs.signature-activation }}
steps:
- uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
- name: Set up UV
uses: astral-sh/setup-uv@v6
with:
enable-cache: true
- name: Load Visual C++ Environment Variables (Windows)
if: runner.os == 'Windows'
shell: cmd
run: |
call "C:\\Program Files\\Microsoft Visual Studio\\18\\Enterprise\\VC\\Auxiliary\\Build\\vcvars64.bat"
set >> %GITHUB_ENV%
- name: Build wheels
uses: pypa/cibuildwheel@v3.3.1
- name: Test built wheel
run: |
uv venv .test-env
uv pip install --python .test-env --find-links=wheelhouse "khisto[all]"
uv sync --python .test-env --group dev --no-install-project
uv run --python .test-env pytest tests/ --no-cov
- name: Install wheel package for signing
if: runner.os == 'Windows' && env.SIGN_WINDOWS_WHEELS == 'true'
run: python -m pip install wheel
- name: Unpack khisto wheel
if: runner.os == 'Windows' && env.SIGN_WINDOWS_WHEELS == 'true'
run: |
mkdir -p wheelhouse/unpacked
python -m wheel unpack wheelhouse/khisto-*.whl --dest wheelhouse/unpacked
- name: Setup SM_CLIENT_CERT_FILE from base64 secret data
if: runner.os == 'Windows' && env.SIGN_WINDOWS_WHEELS == 'true'
run: |
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
- name: Sign unpacked wheel binaries
if: runner.os == 'Windows' && env.SIGN_WINDOWS_WHEELS == 'true'
uses: digicert/code-signing-software-trust-action@v1.2.1
with:
input: wheelhouse/unpacked/
keypair-alias: ${{ env.KEYPAIR }}
simple-signing-mode: true
env:
SM_HOST: ${{ secrets.SM_HOST }}
SM_API_KEY: ${{ secrets.SM_API_KEY }}
SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
- name: Repack signed wheels
if: runner.os == 'Windows' && env.SIGN_WINDOWS_WHEELS == 'true'
run: |
rm wheelhouse/khisto-*.whl
python -m wheel pack wheelhouse/unpacked/khisto-* --dest-dir wheelhouse
- uses: actions/upload-artifact@v7
with:
name: pkg-wheel-${{ matrix.os }}
path: wheelhouse/*.whl
if-no-files-found: error
release-testpypi:
# Publish only on tag pushes in the KhiopsML repository
if: github.ref_type == 'tag' && github.repository_owner == 'KhiopsML' && inputs.python_repository == 'testpypi'
name: Publish to Test.PyPI.org
needs: [build-wheel]
runs-on: ubuntu-latest
permissions:
id-token: write
environment:
name: testpypi
steps:
- uses: actions/download-artifact@v7
with:
pattern: pkg-*
path: dist
merge-multiple: true
- uses: pypa/gh-action-pypi-publish@release/v1
with:
verbose: true
repository-url: https://test.pypi.org/legacy/
release-pypi:
# Publish only on tag pushes in the KhiopsML repository
name: Publish to PyPI.org
if: github.ref_type == 'tag' && github.repository_owner == 'KhiopsML' && inputs.python_repository == 'pypi'
needs: [build-wheel]
runs-on: ubuntu-latest
permissions:
id-token: write
environment:
name: pypi
steps:
- uses: actions/download-artifact@v7
with:
pattern: pkg-*
path: dist
merge-multiple: true
- uses: pypa/gh-action-pypi-publish@release/v1
with:
verbose: true