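---
# Release pipeline: build the distributions and their sha256 digests, have the
# SLSA generator attest those digests, then publish to the GitHub Release and
# to PyPI. Every third-party action is pinned to a commit SHA.
name: Publish to PyPI

# `on` reads as a YAML 1.1 boolean to generic parsers; GitHub's loader handles it.
on:
  push:
    tags:
      - "*"

# Read-only by default; each job widens only what it needs.
permissions:
  contents: read

jobs:
  build:
    name: "Build dists"
    runs-on: "ubuntu-latest"
    environment:
      name: "publish"
    outputs:
      # base64 of `sha256sum` over everything in dist/; the provenance job
      # signs exactly these digests.
      hashes: "${{ steps.hash.outputs.hashes }}"
    steps:
      - name: "Checkout repository"
        uses: "actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3"
        with:
          # The only git use below is a read-only `git log`; don't leave the
          # token in .git/config for later steps.
          persist-credentials: false

      - name: "Setup Python"
        uses: "actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b"
        with:
          python-version: "3.x"

      - name: "Install dependencies"
        run: python -m pip install build==0.8.0

      - name: "Build dists"
        # SOURCE_DATE_EPOCH is set to the commit time so timestamps inside the
        # archives are deterministic.
        run: |
          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
          python -m build

      - name: "Generate hashes"
        id: hash
        # Writes to $GITHUB_OUTPUT instead of the deprecated `::set-output`
        # workflow command.
        run: |
          cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: "Upload dists"
        uses: "actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce"
        with:
          name: "dist"
          path: "dist/"
          if-no-files-found: error
          retention-days: 5

  provenance:
    needs: [build]
    permissions:
      actions: read
      contents: write
      id-token: write  # Needed to access the workflow's OIDC identity.
    uses: "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0"
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true
      # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163
      compile-generator: true

  publish:
    name: "Publish"
    if: startsWith(github.ref, 'refs/tags/')
    needs: ["build", "provenance"]
    permissions:
      contents: write
      id-token: write  # Needed for trusted publishing to PyPI.
    runs-on: "ubuntu-latest"
    steps:
      - name: "Download dists"
        uses: "actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a"
        with:
          name: "dist"
          path: "dist/"

      - name: "Upload dists to GitHub Release"
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          # Context values go through the environment instead of being
          # interpolated with `${{ }}` into the script, so the shell only
          # ever sees them as data.
          TAG: "${{ github.ref_name }}"
          REPO: "${{ github.repository }}"
        run: |
          gh release upload "$TAG" dist/* --repo "$REPO"

      - name: "Publish dists to PyPI"
        uses: "pypa/gh-action-pypi-publish@a56da0b891b3dc519c7ee3284aff1fad93cc8598"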