From 2ef005c7b7573ca005e7684053bc4fe920c17fb1 Mon Sep 17 00:00:00 2001 From: Tobias Raabe Date: Sat, 4 May 2024 13:17:18 +0200 Subject: [PATCH] Use trusted publishing. --- .github/workflows/publish-to-pypi.yml | 91 +++++++++++++++++++++------ CHANGES.md | 1 + 2 files changed, 74 insertions(+), 18 deletions(-) diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index dce4729..acefbb3 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml @@ -1,36 +1,91 @@ -name: PyPI +name: Publish Python 🐍 distribution 📦 to PyPI on: push jobs: - build-n-publish: - name: Build and publish Python 🐍 distributions 📦 to PyPI + build: + name: Build distribution 📦 runs-on: ubuntu-latest + steps: - uses: actions/checkout@v4 - - - name: Set up Python 3.8 + - name: Set up Python uses: actions/setup-python@v5 with: - python-version: 3.8 - + python-version: "3.x" - name: Install pypa/build run: >- - python -m + python3 -m pip install build --user - - name: Build a binary wheel and a source tarball - run: >- - python -m - build - --sdist - --wheel - --outdir dist/ + run: python3 -m build + - name: Store the distribution packages + uses: actions/upload-artifact@v4 + with: + name: python-package-distributions + path: dist/ + publish-to-pypi: + name: Publish Python 🐍 distribution 📦 to PyPI + if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes + needs: + - build + runs-on: ubuntu-latest + environment: + name: pypi + url: https://pypi.org/p/pytask-julia + permissions: + id-token: write # IMPORTANT: mandatory for trusted publishing + + steps: + - name: Download all the dists + uses: actions/download-artifact@v4 + with: + name: python-package-distributions + path: dist/ - name: Publish distribution 📦 to PyPI - if: startsWith(github.ref, 'refs/tags') - uses: pypa/gh-action-pypi-publish@master + uses: pypa/gh-action-pypi-publish@release/v1 + + github-release: + name: >- + Sign the Python 🐍 distribution 📦 with Sigstore + and upload them to GitHub Release + needs: + - publish-to-pypi + runs-on: ubuntu-latest + + permissions: + contents: write # IMPORTANT: mandatory for making GitHub Releases + id-token: write # IMPORTANT: mandatory for sigstore + + steps: + - name: Download all the dists + uses: actions/download-artifact@v4 + with: + name: python-package-distributions + path: dist/ + - name: Sign the dists with Sigstore + uses: sigstore/gh-action-sigstore-python@v2.1.1 with: - password: ${{ secrets.PYPI_API_TOKEN }} + inputs: >- + ./dist/*.tar.gz + ./dist/*.whl + - name: Create GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + run: >- + gh release create + '${{ github.ref_name }}' + --repo '${{ github.repository }}' + --notes "" + - name: Upload artifact signatures to GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + # Upload to GitHub Release using the `gh` CLI. `dist/` contains the built + # packages, and the sigstore-produced signatures and certificates. + run: >- + gh release upload + '${{ github.ref_name }}' dist/** + --repo '${{ github.repository }}' diff --git a/CHANGES.md b/CHANGES.md index 0716836..b9ed330 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -7,6 +7,7 @@ releases are available on [PyPI](https://pypi.org/project/pytask-julia) and ## 0.x.x - 2024-xx-xx +- {pull}`32` uses trusted publishing for PyPI. - {pull}`31` uses pixi to provision Julia if possible. ## 0.4.0 - 2023-10-08