|
| 1 | +name: Publish |
| 2 | +on: |
| 3 | + push: |
| 4 | + tags: |
| 5 | + - '*' |
| 6 | + # When a new version of Python is released, the workflow can be run manually to |
| 7 | + # publish new wheels for the existing tag. |
| 8 | + workflow_dispatch: |
| 9 | + inputs: |
| 10 | + tag: |
| 11 | + description: 'git tag to check out and upload to' |
| 12 | + required: true |
| 13 | + python: |
| 14 | + description: 'Python version, like "cp311"' |
| 15 | + required: true |
| 16 | +jobs: |
| 17 | + sdist: |
| 18 | + runs-on: ubuntu-latest |
| 19 | + steps: |
| 20 | + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
| 21 | + with: |
| 22 | + ref: ${{ inputs.tag }} |
| 23 | + - uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912 |
| 24 | + with: |
| 25 | + python-version: '3.x' |
| 26 | + cache: 'pip' |
| 27 | + cache-dependency-path: 'requirements/*.txt' |
| 28 | + - run: pip install -r requirements/build.txt |
| 29 | + # Use the commit date instead of the current date during the build. |
| 30 | + - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV |
| 31 | + - run: python -m build --sdist |
| 32 | + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce |
| 33 | + with: |
| 34 | + path: ./dist |
| 35 | + # The sdist is not needed on new Python version builds. However, this job must |
| 36 | + # present in the run for the hash job, so only the upload is skipped. |
| 37 | + if: github.event_name == 'push' |
| 38 | + wheels: |
| 39 | + name: wheels / ${{ matrix.os }} |
| 40 | + runs-on: ${{ matrix.os }} |
| 41 | + strategy: |
| 42 | + fail-fast: false |
| 43 | + matrix: |
| 44 | + os: [ubuntu-latest, windows-latest, macos-latest] |
| 45 | + steps: |
| 46 | + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
| 47 | + - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV |
| 48 | + - name: Set up QEMU |
| 49 | + if: runner.os == 'Linux' |
| 50 | + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 |
| 51 | + with: |
| 52 | + platforms: arm64 |
| 53 | + - uses: joerick/cibuildwheel@27fc88e6385a995e61a87ee4b903bed263e6a6e2 |
| 54 | + env: |
| 55 | + # For workflow_dispatch, only build the new Python version. |
| 56 | + CIBW_BUILD: "${{ inputs.python && format('{0}-*', inputs.python) || null }}" |
| 57 | + CIBW_SKIP: 'pp*' |
| 58 | + CIBW_ARCHS_LINUX: auto aarch64 |
| 59 | + CIBW_ARCHS_MACOS: auto universal2 |
| 60 | + CIBW_BUILD_FRONTEND: build |
| 61 | + CIBW_ENVIRONMENT_PASS_LINUX: SOURCE_DATE_EPOCH |
| 62 | + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce |
| 63 | + with: |
| 64 | + path: ./wheelhouse |
| 65 | + hash: |
| 66 | + # Generate hashes for the sdist and wheels, used later for provenance. |
| 67 | + needs: ['sdist', 'wheels'] |
| 68 | + runs-on: ubuntu-latest |
| 69 | + outputs: |
| 70 | + hash: ${{ steps.hash.outputs.hash }} |
| 71 | + steps: |
| 72 | + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a |
| 73 | + - name: generate hash |
| 74 | + id: hash |
| 75 | + run: cd artifact && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT |
| 76 | + provenance: |
| 77 | + needs: ['hash'] |
| 78 | + permissions: |
| 79 | + actions: read |
| 80 | + id-token: write |
| 81 | + contents: write |
| 82 | + # Can't pin with hash due to how this workflow works. |
| 83 | + uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] |
| 84 | + with: |
| 85 | + base64-subjects: ${{ needs.hash.outputs.hash }} |
| 86 | + # When building more wheels, use the Python version as the provenance file name. |
| 87 | + provenance-name: ${{ inputs.python && format('{0}.intoto.jsonl', inputs.python) || null }} |
| 88 | + create-release: |
| 89 | + # Upload the sdist, wheels, and provenance to a GitHub release. They remain |
| 90 | + # available as build artifacts for a while as well. |
| 91 | + needs: ['provenance'] |
| 92 | + runs-on: ubuntu-latest |
| 93 | + permissions: |
| 94 | + contents: write |
| 95 | + steps: |
| 96 | + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a |
| 97 | + # When building a new tag, create a new draft release. |
| 98 | + - if: github.event_name == 'push' |
| 99 | + name: create release |
| 100 | + run: > |
| 101 | + gh release create --draft --repo ${{ github.repository }} |
| 102 | + ${{ inputs.tag || github.ref_name }} |
| 103 | + *.intoto.jsonl/* artifact/* |
| 104 | + env: |
| 105 | + GH_TOKEN: ${{ github.token }} |
| 106 | + # When running manually, update the existing release with more files. |
| 107 | + - if: github.event_name == 'workflow_dispatch' |
| 108 | + name: update release |
| 109 | + run: > |
| 110 | + gh release upload --repo ${{ github.repository }} |
| 111 | + ${{ inputs.tag || github.ref_name }} |
| 112 | + *.intoto.jsonl/* artifact/* |
| 113 | + env: |
| 114 | + GH_TOKEN: ${{ github.token }} |
| 115 | + publish-pypi: |
| 116 | + needs: ['provenance'] |
| 117 | + # Wait for approval before attempting to upload to PyPI. This allows reviewing the |
| 118 | + # files in the draft release. |
| 119 | + environment: 'publish' |
| 120 | + runs-on: ubuntu-latest |
| 121 | + steps: |
| 122 | + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a |
| 123 | + # Try uploading to Test PyPI first, in case something fails. |
| 124 | + - uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc |
| 125 | + with: |
| 126 | + password: ${{ secrets.TEST_PYPI_TOKEN }} |
| 127 | + repository_url: https://test.pypi.org/legacy/ |
| 128 | + packages_dir: artifact/ |
| 129 | + skip_existing: true |
| 130 | + - uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc |
| 131 | + with: |
| 132 | + password: ${{ secrets.PYPI_TOKEN }} |
| 133 | + packages_dir: artifact/ |
| 134 | + skip_existing: true |
0 commit comments