
Commit c3e6fa0

committed
chore: update pypi publishing to use trusted
1 parent 511a634 commit c3e6fa0


1 file changed

+101
-17
lines changed


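--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,31 +4,115 @@ on:
 types: [created]
 
 jobs:
-build-n-publish:
-name: Build and publish
-runs-on: ubuntu-22.04
+build:
+name: Build distribution 📦
+runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@master
-- name: Set up Python 3.9
-uses: actions/setup-python@v1
+- uses: actions/checkout@v4
+- name: Set up Python
+uses: actions/setup-python@v5
 with:
-python-version: 3.9
+python-version: "3.x"
 - name: Install pypa/build
 run: >-
-python -m
+python3 -m
 pip install
 build
 --user
 - name: Build a binary wheel and a source tarball
-run: >-
-python -m
-build
---sdist
---wheel
---outdir dist/
-.
+run: python3 -m build
+- name: Store the distribution packages
+uses: actions/upload-artifact@v4
+with:
+name: python-package-distributions
+path: dist/
+
+publish-to-pypi:
+name: >-
+Publish Python 🐍 distribution 📦 to PyPI
+if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
+needs:
+- build
+runs-on: ubuntu-latest
+environment:
+name: pypi
+url: https://pypi.org/p/knockapi
+permissions:
+id-token: write # IMPORTANT: mandatory for trusted publishing
+
+steps:
+- name: Download all the dists
+uses: actions/download-artifact@v4
+with:
+name: python-package-distributions
+path: dist/
 - name: Publish distribution 📦 to PyPI
-uses: pypa/gh-action-pypi-publish@master
+uses: pypa/gh-action-pypi-publish@release/v1
+
+github-release:
+name: >-
+Sign the Python 🐍 distribution 📦 with Sigstore
+and upload them to GitHub Release
+needs:
+- publish-to-pypi
+runs-on: ubuntu-latest
+
+permissions:
+contents: write # IMPORTANT: mandatory for making GitHub Releases
+id-token: write # IMPORTANT: mandatory for sigstore
+
+steps:
+- name: Download all the dists
+uses: actions/download-artifact@v4
+with:
+name: python-package-distributions
+path: dist/
+- name: Sign the dists with Sigstore
+uses: sigstore/[email protected]
+with:
+inputs: >-
+./dist/*.tar.gz
+./dist/*.whl
+- name: Create GitHub Release
+env:
+GITHUB_TOKEN: ${{ github.token }}
+run: >-
+gh release create
+'${{ github.ref_name }}'
+--repo '${{ github.repository }}'
+--notes ""
+- name: Upload artifact signatures to GitHub Release
+env:
+GITHUB_TOKEN: ${{ github.token }}
+# Upload to GitHub Release using the `gh` CLI.
+# `dist/` contains the built packages, and the
+# sigstore-produced signatures and certificates.
+run: >-
+gh release upload
+'${{ github.ref_name }}' dist/**
+--repo '${{ github.repository }}'
+
+publish-to-testpypi:
+name: Publish Python 🐍 distribution 📦 to TestPyPI
+needs:
+- build
+runs-on: ubuntu-latest
+
+environment:
+name: testpypi
+url: https://test.pypi.org/p/knockapi
+
+permissions:
+id-token: write # IMPORTANT: mandatory for trusted publishing
+
+steps:
+- name: Download all the dists
+uses: actions/download-artifact@v4
+with:
+name: python-package-distributions
+path: dist/
+- name: Publish distribution 📦 to TestPyPI
+uses: pypa/gh-action-pypi-publish@release/v1
 with:
-password: ${{ secrets.PYPI_API_TOKEN }}
+repository-url: https://test.pypi.org/legacy/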
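Review bot: Every action in the new jobs is referenced by a mutable tag or branch (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `pypa/gh-action-pypi-publish@release/v1`), yet the publish and sign jobs hold `id-token: write` and `contents: write`; for a workflow that mints the OIDC token used for trusted publishing, pin each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha> # release/v1`. The Sigstore step reads `uses: sigstore/[email protected]` in this rendered view, which looks like a mangled reference; confirm the intended action and version tag before merging. The `github-release` job runs `gh release create '${{ github.ref_name }}'`, which fails when the triggering event is an already-created release, and the hunk's `types: [created]` context suggests that may be the trigger, so either guard it with `gh release view '${{ github.ref_name }}' --repo '${{ github.repository }}' || gh release create ...` or switch to a tag-push trigger. The `build` job declares no `permissions:` block and so inherits the repository default token scopes; adding `permissions: contents: read` there keeps the build job at least privilege.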
