diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a25e11ec..33d03991 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,6 +62,7 @@ jobs:
       permissions:
         contents: read
         issues: write
+        id-token: write # required for provenance
     steps:
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
         with:
@@ -76,10 +77,9 @@ jobs:
         continue-on-error: true
       - name: Publish to npm with provenance
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: |
-          cd dist/js
-          npm publish --provenance --access public --tag latest
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
+        run: npx -p publib@latest publib-npm
       - name: Extract Version
         id: extract-version
         if: ${{ failure() }}
@@ -175,7 +175,9 @@ jobs:
         env:
           TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
           TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
-        run: twine upload dist/*
+        run: |
+          pip install twine
+          twine upload dist/python/*.whl dist/python/*.tar.gz
       - name: Extract Version
         id: extract-version
         if: ${{ failure() }}
@@ -315,6 +317,7 @@ jobs:
           labels: failed-release
           title: Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Releases failed
           body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - name: Generate PURL and SBOM
         run: |
           ./scripts/compliance/gen-purls.sh
@@ -328,7 +331,7 @@ jobs:
           SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
           KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
           KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
       - name: Generate SSDLC report
         run: |
           AUTHOR="${{ github.actor }}"
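Review bot: `run: npx -p publib@latest publib-npm` resolves and executes an unpinned tool at release time inside the step that holds NPM_TOKEN, while every action in this file is pinned to a commit SHA (actions/setup-node, actions/checkout), so a compromised or merely broken publib release would run with publish credentials. Pin it, e.g. `run: npx -p publib@<pinned-version> publib-npm`, and treat `pip install twine` in the `@@ -175,7 +175,9 @@` hunk the same way (`pip install twine==<pinned-version>`), ideally with hashes checked. The replaced command passed `--access public --tag latest` explicitly; whether publib-npm applies the same defaults is not visible here, so confirm the dist-tag and access level of the first release made through it. `NPM_CONFIG_PROVENANCE: true` is a YAML boolean that Actions stringifies; writing it as `NPM_CONFIG_PROVENANCE: "true"` makes the intended string value explicit. The enclosing job begins outside the hunk.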
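Review bot: The `actions/checkout` step inserted before `Generate PURL and SBOM` now runs mid-job, after the failure-issue steps; if an earlier step of this job placed release artifacts in the workspace (not visible in the hunk), a checkout with the default `clean` behaviour can remove or reset existing workspace contents, leaving the SBOM scripts with missing inputs and no obvious error. Confirm that `./scripts/compliance/gen-purls.sh` reads only from the checked-out tree, or make the checkout the job's first step instead. The `@@ -328,7 +331,7 @@` hunk replaces the old checkout line with an empty `+` line, which leaves a stray blank line inside the steps list; delete the line outright rather than keeping the blank.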