-sps #41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Create release | |
| on: | |
| push: | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| FORCE_COLOR: "1" | |
| UV_SYSTEM_PYTHON: "1" # make uv do global installs | |
| jobs: | |
| publish-pypi: | |
| runs-on: ubuntu-latest | |
| name: PyPI Release | |
| permissions: | |
| id-token: write # for actions/attest | |
| attestations: write # for actions/attest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3" | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v5 | |
| with: | |
| version: latest | |
| enable-cache: false | |
| - name: Install build dependencies (pypa/build, twine) | |
| run: | | |
| uv pip install build "twine>=5.1" | |
| uv pip install pypi-attestations==0.0.21 betterproto==2.0.0b6 | |
| - name: Build distribution | |
| run: python -m build | |
| - name: Check distribution | |
| run: | | |
| twine check dist/* | |
| - name: Create Sigstore attestations for built distributions | |
| uses: actions/attest@v1 | |
| id: attest | |
| with: | |
| subject-path: "dist/*" | |
| predicate-type: "https://docs.pypi.org/attestations/publish/v1" | |
| predicate: "null" | |
| show-summary: "true" | |
| - name: Convert attestations to PEP 740 | |
| run: > | |
| uv run utils/convert_attestations.py | |
| "$BUNDLE_PATH" | |
| "$SIGNER_IDENTITY" | |
| env: | |
| BUNDLE_PATH: "${{ steps.attest.outputs.bundle-path }}" | |
| # workflow_ref example: sphinx-doc/sphinx/.github/workflows/create-release.yml@refs/heads/master | |
| # this forms the "signer identity" for the attestations | |
| SIGNER_IDENTITY: "https://github.com/${{ github.workflow_ref }}" | |
| - name: Inspect PEP 740 attestations | |
| run: pypi-attestations inspect dist/* | |
| - name: Prepare attestation bundles for uploading | |
| run: | | |
| mkdir -p /tmp/attestation-bundles | |
| cp "$BUNDLE_PATH" /tmp/attestation-bundles/ | |
| cp dist/*.publish.attestation /tmp/attestation-bundles/ | |
| env: | |
| BUNDLE_PATH: "${{ steps.attest.outputs.bundle-path }}" | |
| - name: Upload attestation bundles | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: attestation-bundles | |
| path: /tmp/attestation-bundles/ |