flake8-import-order/.github/workflows/publish.yml at 036af4294ea00da6cb019213dbf94b8ebd7d7be7 · PyCQA/flake8-import-order · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
name: Publish to PyPI

on:
  push:
    tags:
      - "*"

permissions:
  contents: read

jobs:
  build:
    name: "Build dists"
    runs-on: "ubuntu-latest"
    environment:
      name: "publish"
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit

      - name: "Checkout repository"
        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8"

      - name: "Setup Python"
        uses: "actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548"
        with:
          python-version: "3.x"

      - name: "Install dependencies"
        run: python -m pip install build==0.8.0

      - name: "Build dists"
        run: |
          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
          python -m build

      - name: "Generate hashes"
        id: hash
        run: |
          cd dist && echo "::set-output name=hashes::$(sha256sum * | base64 -w0)"

      - name: "Upload dists"
        uses: "actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4"
        with:
          name: "dist"
          path: "dist/"
          if-no-files-found: error
          retention-days: 5

  provenance:
    needs: [build]
    permissions:
      actions: read
      contents: write
      id-token: write # Needed to access the workflow's OIDC identity.
    uses: "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0"
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true
      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163

  publish:
    name: "Publish"
    if: startsWith(github.ref, 'refs/tags/')
    needs: ["build", "provenance"]
    permissions:
      contents: write
      id-token: write
    runs-on: "ubuntu-latest"

    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
      with:
        egress-policy: audit

    - name: "Download dists"
      uses: "actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53"
      with:
        name: "dist"
        path: "dist/"

    - name: "Publish dists to PyPI"
      uses: "pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e"