@@ -34,20 +34,27 @@ jobs:
3434 name : Build and check packages
3535 runs-on : ubuntu-latest
3636 steps :
37- - name : " Harden Runner"
38- uses : step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
39- with :
40- egress-policy : audit # TODO: change to 'egress-policy: block' after couple of runs
41-
42-
43- - name : " Checkout"
44- uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
45- with :
46- # for setuptools-scm
47- fetch-depth : 0
48-
49- - name : " Build and Inspect"
50- uses : hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0
37+ - name : " Harden Runner"
38+ uses : step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
39+ with :
40+ disable-sudo-and-containers : true
41+ egress-policy : block
42+ allowed-endpoints : >
43+ astral.sh:443
44+ files.pythonhosted.org:443
45+ github.com:443
46+ objects.githubusercontent.com:443
47+ pypi.org:443
48+ release-assets.githubusercontent.com:443
49+
50+ - name : " Checkout"
51+ uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
52+ with :
53+ # for setuptools-scm
54+ fetch-depth : 0
55+
56+ - name : " Build and Inspect"
57+ uses : hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0
5158
5259 # push to Test PyPI on
5360 # - a new GitHub release is published
@@ -64,21 +71,29 @@ jobs:
6471 needs : build-package
6572
6673 steps :
67- - name : " Harden Runner"
68- uses : step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
69- with :
70- egress-policy : audit # TODO: change to 'egress-policy: block' after couple of runs
71-
72- - name : " Download build artifacts"
73- uses : actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
74- with :
75- name : Packages
76- path : dist
77-
78- - name : " Upload to Test PyPI"
79- uses : pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
80- with :
81- repository-url : https://test.pypi.org/legacy/
74+ - name : " Harden Runner"
75+ uses : step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
76+ with :
77+ disable-sudo-and-containers : true
78+ egress-policy : block
79+ allowed-endpoints : >
80+ fulcio.sigstore.dev:443
81+ ghcr.io:443
82+ pkg-containers.githubusercontent.com:443
83+ rekor.sigstore.dev:443
84+ test.pypi.org:443
85+ tuf-repo-cdn.sigstore.dev:443
86+
87+ - name : " Download build artifacts"
88+ uses : actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
89+ with :
90+ name : Packages
91+ path : dist
92+
93+ - name : " Upload to Test PyPI"
94+ uses : pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
95+ with :
96+ repository-url : https://test.pypi.org/legacy/
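Review bot: `pypa/gh-action-pypi-publish` at the pinned v1.12.4 runs as a Docker container action (the `ghcr.io` and `pkg-containers.githubusercontent.com` entries in the new allow-list are there to pull its image), and the newly added `disable-sudo-and-containers: true` may stop Docker-based actions from starting; confirm on a real Test PyPI run before relying on this, and if it does break, use `disable-sudo: true` for this job instead. The allow-list was presumably derived from audit-mode runs, but `actions/download-artifact` v4 also fetches from GitHub's artifact-storage hosts that are not listed here, so check that harden-runner's default allow-list covers them — a block here only shows up at publish time. The job's trigger conditions and `needs:` sit outside the hunk.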
8297
8398 # push to Production PyPI on
8499 # - a new GitHub release is published
@@ -96,36 +111,44 @@ jobs:
96111 needs : build-package
97112
98113 steps :
99- - name : " Harden Runner"
100- uses : step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
101- with :
102- egress-policy : audit # TODO: change to 'egress-policy: block' after couple of runs
103-
104- - name : " Download build artifacts"
105- uses : actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
106- with :
107- name : Packages
108- path : dist
109-
110- - name : " Sigstore sign package"
111- uses : sigstore/gh-action-sigstore-python@f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 # v3.0.1
112- with :
113- inputs : |
114- ./dist/*.tar.gz
115- ./dist/*.whl
116- release-signing-artifacts : false
117-
118- - name : " Upload artifacts and signatures to GitHub release"
119- run : |
120- gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}'
121- env :
122- GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
123-
124- # PyPI does not accept .sigstore artifacts and
125- # gh-action-pypi-publish has no option to ignore them.
126- - name : " Remove sigstore signatures before uploading to PyPI"
127- run : |
128- rm ./dist/*.sigstore.json
129-
130- - name : " Upload to PyPI"
131- uses : pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
114+ - name : " Harden Runner"
115+ uses : step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
116+ with :
117+ disable-sudo-and-containers : true
118+ egress-policy : block
119+ allowed-endpoints : >
120+ fulcio.sigstore.dev:443
121+ ghcr.io:443
122+ pkg-containers.githubusercontent.com:443
123+ rekor.sigstore.dev:443
124+ pypi.org:443
125+ tuf-repo-cdn.sigstore.dev:443
126+
127+ - name : " Download build artifacts"
128+ uses : actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
129+ with :
130+ name : Packages
131+ path : dist
132+
133+ - name : " Sigstore sign package"
134+ uses : sigstore/gh-action-sigstore-python@f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 # v3.0.1
135+ with :
136+ inputs : |
137+ ./dist/*.tar.gz
138+ ./dist/*.whl
139+ release-signing-artifacts : false
140+
141+ - name : " Upload artifacts and signatures to GitHub release"
142+ run : |
143+ gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}'
144+ env :
145+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
146+
147+ # PyPI does not accept .sigstore artifacts and
148+ # gh-action-pypi-publish has no option to ignore them.
149+ - name : " Remove sigstore signatures before uploading to PyPI"
150+ run : |
151+ rm ./dist/*.sigstore.json
152+
153+ - name : " Upload to PyPI"
154+ uses : pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
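Review bot: The `gh release upload` step in this job reaches `api.github.com` (to resolve the release) and `uploads.github.com` (to post the assets), and neither host is in the new allow-list, so with `egress-policy: block` the upload is likely to fail unless harden-runner permits those hosts by default — verify with an audit-mode run of an actual release and add `api.github.com:443` / `uploads.github.com:443` if they appear. While touching that step, take the ref out of the script body to close the expression-injection path (git allows `'` in a tag name, so anyone able to publish a release can break out of the quoting): set `env: TAG: ${{ github.ref_name }}` and run `gh release upload "$TAG" dist/* --repo "$GITHUB_REPOSITORY"`. As in the Test PyPI job, the pinned publish action is a Docker container action, so confirm that `disable-sudo-and-containers: true` does not prevent it from running. The final publish step's `with:` block continues past the end of the hunk.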