summaryrefslogtreecommitdiff
path: root/.github/workflows/publish.yml
blob: 4e196a258987d62dd560d8986a3c774cf9f40e4d (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

name: Publish to PyPI

on:
  push:
    tags:
      - "*"

permissions:
  contents: read

jobs:
  build:
    name: "Build dists"
    runs-on: "ubuntu-latest"
    environment:
      name: "publish"
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}

    steps:
      - name: "Checkout repository"
        uses: "actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3"

      - name: "Setup Python"
        uses: "actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b"
        with:
          python-version: "3.x"

      - name: "Install dependencies"
        run: python -m pip install build==0.8.0

      - name: "Build dists"
        run: |
          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
          python -m build

      - name: "Generate hashes"
        id: hash
        run: |
          cd dist && echo "::set-output name=hashes::$(sha256sum * | base64 -w0)"

      - name: "Upload dists"
        uses: "actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce"
        with:
          name: "dist"
          path: "dist/"
          if-no-files-found: error
          retention-days: 5

  provenance:
    needs: [build]
    permissions:
      actions: read
      contents: write
      id-token: write # Needed to access the workflow's OIDC identity.
    uses: "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0"
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true
      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163

  publish:
    name: "Publish"
    if: startsWith(github.ref, 'refs/tags/')
    needs: ["build", "provenance"]
    permissions:
      contents: write
      id-token: write # Needed for trusted publishing to PyPI.
    runs-on: "ubuntu-latest"

    steps:
    - name: "Download dists"
      uses: "actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a"
      with:
        name: "dist"
        path: "dist/"

    - name: "Upload dists to GitHub Release"
      env:
        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      run: |
        gh release upload ${{ github.ref_name }} dist/* --repo ${{ github.repository }}

    - name: "Publish dists to PyPI"
      uses: "pypa/gh-action-pypi-publish@a56da0b891b3dc519c7ee3284aff1fad93cc8598"
View Lorry Controller Status