@@ -11,7 +11,7 @@ concurrency:
1111on :
1212 push :
1313 tags :
14- - ' v*' # only publish on version tags (e.g. v1.0.0)
14+ - ' v[0-9]*.[0-9]*.[0-9] *' # only publish on version tags (e.g. v1.0.0)
1515
1616jobs :
1717
@@ -20,14 +20,14 @@ jobs:
2020 contents : read
2121 actions : write
2222 uses : ./.github/workflows/lint.yml
23- secrets : inherit
2423
2524 test :
2625 permissions :
2726 contents : read
2827 actions : write
2928 uses : ./.github/workflows/test.yml
30- secrets : inherit
29+ secrets :
30+ CODECOV_TOKEN : ${{ secrets.CODECOV_TOKEN }}
3131
3232 build :
3333 name : Build Package
@@ -39,18 +39,22 @@ jobs:
3939 PACKAGE_NAME : ${{ steps.set-package.outputs.package_name }}
4040 RELEASE_VERSION : ${{ steps.set-package.outputs.release_version }}
4141 steps :
42- - uses : actions/checkout@v6
42+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
43+ with :
44+ persist-credentials : true
4345 - name : Set up Python
44- uses : actions/setup-python@v6
46+ uses : actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
4547 id : sp
4648 with :
47- python-version : " 3.12 " # for tomlib
49+ python-version : " ==3.14 " # for tomlib
4850 - name : Install uv
49- uses : astral-sh/setup-uv@v7
51+ uses : astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b
5052 with :
5153 enable-cache : true
54+ restore-cache : false
55+ save-cache : false
5256 - name : Setup Just
53- uses : extractions/setup-just@v3
57+ uses : extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff
5458 - name : Install Dependencies
5559 run : |
5660 just setup ${{ steps.sp.outputs.python-path }}
@@ -63,18 +67,18 @@ jobs:
6367 git fetch --force origin refs/tags/$TAG_NAME:refs/tags/$TAG_NAME
6468
6569 # verify signature
66- curl -sL https://github.com/${{ github.actor }} .gpg | gpg --import
70+ curl -sL " https://github.com/${GITHUB_ACTOR} .gpg" | gpg --import
6771 git tag -v "$TAG_NAME"
6872
6973 # verify version
7074 RELEASE_VERSION=$(just validate_version $TAG_NAME)
7175
7276 # export the release version
73- echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV
77+ echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV
7478 - name : Build the binary wheel and a source tarball
7579 run : just build
7680 - name : Store the distribution packages
77- uses : actions/upload-artifact@v6
81+ uses : actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
7882 with :
7983 name : python-package-distributions
8084 path : dist/
@@ -99,12 +103,12 @@ jobs:
99103 id-token : write # IMPORTANT: mandatory for trusted publishing
100104 steps :
101105 - name : Download all the dists
102- uses : actions/download-artifact@v7
106+ uses : actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
103107 with :
104108 name : python-package-distributions
105109 path : dist/
106110 - name : Publish distribution 📦 to PyPI
107- uses : pypa/gh-action-pypi-publish@release/v1.13
111+ uses : pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
108112
109113 github-release :
110114 name : Publish GitHub Release
@@ -119,35 +123,39 @@ jobs:
119123
120124 steps :
121125 - name : Download all the dists
122- uses : actions/download-artifact@v7
126+ uses : actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
123127 with :
124128 name : python-package-distributions
125129 path : dist/
126130 - name : Sign the dists with Sigstore
127- uses : sigstore/gh-action-sigstore-python@v3.2.0
131+ uses : sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d
128132 with :
129133 inputs : >-
130134 ./dist/*.tar.gz
131135 ./dist/*.whl
132136 - name : Create GitHub Release
133137 env :
134138 GITHUB_TOKEN : ${{ github.token }}
139+ GITHUB_REF_NAME : ${{ github.ref_name }}
140+ GITHUB_REPOSITORY : ${{ github.repository }}
135141 run : >-
136142 gh release create
137- '${{ github.ref_name }}'
138- --repo '${{ github.repository }}'
143+ "$GITHUB_REF_NAME"
144+ --repo "$GITHUB_REPOSITORY"
139145 --generate-notes
140146 --prerelease
141147 - name : Upload artifact signatures to GitHub Release
142148 env :
143149 GITHUB_TOKEN : ${{ github.token }}
150+ GITHUB_REF_NAME : ${{ github.ref_name }}
151+ GITHUB_REPOSITORY : ${{ github.repository }}
144152 # Upload to GitHub Release using the `gh` CLI.
145153 # `dist/` contains the built packages, and the
146154 # sigstore-produced signatures and certificates.
147155 run : >-
148156 gh release upload
149- '${{ github.ref_name }}' dist/**
150- --repo '${{ github.repository }}'
157+ "$GITHUB_REF_NAME" dist/**
158+ --repo "$GITHUB_REPOSITORY"
151159
152160 publish-to-testpypi :
153161 name : Publish to TestPyPI
@@ -164,12 +172,12 @@ jobs:
164172
165173 steps :
166174 - name : Download all the dists
167- uses : actions/download-artifact@v7
175+ uses : actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
168176 with :
169177 name : python-package-distributions
170178 path : dist/
171179 - name : Publish distribution 📦 to TestPyPI
172- uses : pypa/gh-action-pypi-publish@release/v1.13
180+ uses : pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
173181 with :
174182 repository-url : https://test.pypi.org/legacy/
175183 skip-existing : true
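Review bot: In the hunk covering new lines 67–84, the "verify signature" step still imports whatever key `https://github.com/${GITHUB_ACTOR}.gpg` returns. `git tag -v` therefore only shows that the tag was signed with a key registered by the account that pushed it, not by a designated release maintainer; reading the actor from the environment removes the template interpolation but leaves that trust anchor unchanged. Consider verifying against a keyring the repository pins itself, for example `gpg --import <PINNED_MAINTAINER_KEYRING>` (placeholder path), or comparing the signing fingerprint with an allow-list after `git tag -v`. Using `curl -fsSL` would also make a failed key download visible as an HTTP error rather than as a gpg parse failure. The step's `run:` body starts above this hunk, so the shell options in effect and how `TAG_NAME` is set are not visible here.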