From 1c868cde1525da73305f979d741019bafb98132e Mon Sep 17 00:00:00 2001
From: bashonly
Date: Thu, 31 Oct 2024 11:50:07 -0500
Subject: [PATCH] [build] Enable attestations for trusted publishing

Authored by: bashonly
---
 .github/workflows/release-master.yml | 21 +++++++++++++++
 .github/workflows/release-nightly.yml | 21 +++++++++++++++
 .github/workflows/release.yml | 37 ++++++++++++++++++++++++---
 3 files changed, 75 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-master.yml b/.github/workflows/release-master.yml
index c49319b171..1ed94d7ab8 100644
--- a/.github/workflows/release-master.yml
+++ b/.github/workflows/release-master.yml
@@ -28,3 +28,24 @@ jobs:
 actions: write # For cleaning up cache
 id-token: write # mandatory for trusted publishing
 secrets: inherit
+
+ publish_pypi:
+ needs: [release]
+ if: vars.MASTER_PYPI_PROJECT != ''
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # mandatory for trusted publishing
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ path: dist
+ name: build-pypi
+ - name: Verify SHA2-256SUMS
+ run: |
+ cd ./dist/
+ sha256sum -c SHA2-256SUMS
+ rm SHA2-256SUMS
+ - name: Publish to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ verbose: true
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
index b536c50669..a75ce591c6 100644
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
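Review bot: The two actions used by the new publish_pypi job are referenced by mutable refs (`actions/download-artifact@v4`, `pypa/gh-action-pypi-publish@release/v1`), so the job that holds the OIDC trusted-publishing token runs whatever those refs resolve to at dispatch time; the usual hardening for a publishing job is a full-length commit pin with the tag kept as a comment, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha> # release/v1`. The same applies to the identical publish_pypi job added in release-nightly.yml and to the existing Publish step in release.yml. Since the commit's stated purpose is enabling attestations and the action's `attestations` input is left at its default here, consider setting `attestations: true` explicitly under `with:` so the intent does not depend on the action's default. Note also that SHA2-256SUMS is fetched from the same artifact as the files it checks, so the Verify step catches corruption or an artifact mix-up rather than a tampered artifact; the `::notice` annotations emitted by the build job are the independent record to compare against if that matters.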
@@ -41,3 +41,24 @@ jobs:
 actions: write # For cleaning up cache
 id-token: write # mandatory for trusted publishing
 secrets: inherit
+
+ publish_pypi:
+ needs: [release]
+ if: vars.NIGHTLY_PYPI_PROJECT != ''
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # mandatory for trusted publishing
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ path: dist
+ name: build-pypi
+ - name: Verify SHA2-256SUMS
+ run: |
+ cd ./dist/
+ sha256sum -c SHA2-256SUMS
+ rm SHA2-256SUMS
+ - name: Publish to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ verbose: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8d0bc4026a..f7d018c207 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,10 +2,6 @@ name: Release
 on:
 workflow_call:
 inputs:
- prerelease:
- required: false
- default: true
- type: boolean
 source:
 required: false
 default: ''
@@ -18,6 +14,14 @@ on:
 required: false
 default: ''
 type: string
+ prerelease:
+ required: false
+ default: true
+ type: boolean
+ manual_dispatch:
+ required: false
+ default: false
+ type: boolean
 workflow_dispatch:
 inputs:
 source:
@@ -47,6 +51,10 @@ on:
 description: Pre-release
 default: false
 type: boolean
+ manual_dispatch:
+ description: Manual dispatch (do not toggle)
+ default: true
+ type: boolean
 
 permissions:
 contents: read
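Review bot: The new workflow_dispatch input `manual_dispatch` in the third release.yml hunk is a user-editable checkbox whose description says only "(do not toggle)", which tells the person dispatching nothing about what toggling does; the name is the only hint that it distinguishes a direct dispatch (default `true`) from a workflow_call invocation (default `false` in the preceding hunk). A comment above the workflow_dispatch entry would make the contract explicit, e.g. `# true only for a direct dispatch; workflow_call callers keep the workflow_call default of false` and `# a manual run with this unchecked builds and uploads but does not publish`. The second sentence follows from the step conditions added to the build job later in this patch, so confirm it against the full workflow before wording it that way.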
@@ -278,7 +286,28 @@ jobs:
 make clean-cache
 python -m build --no-isolation .
 
+ - name: Make SHA2-SUMS files
+ if: ${{ !inputs.manual_dispatch }}
+ run: |
+ cd ./dist/
+ # make sure SHA sums are also printed to stdout
+ sha256sum -- * | tee SHA2-256SUMS
+ # also print as permanent annotations to the summary page
+ while read -r shasum; do
+ echo "::notice title=${shasum##* }::sha256: ${shasum% *}"
+ done < SHA2-256SUMS
+
+ - name: Upload PyPI artifacts
+ if: ${{ !inputs.manual_dispatch }}
+ uses: actions/upload-artifact@v4
+ with:
+ name: build-pypi
+ path: |
+ dist/*
+ compression-level: 0
+
 - name: Publish to PyPI
+ if: inputs.manual_dispatch
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
 verbose: true
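Review bot: In the Make SHA2-SUMS step the annotation value is built with `${shasum% *}`, which strips only the last space-delimited field; sha256sum separates digest and filename with two spaces, so the result keeps a trailing space, and `echo "::notice title=${shasum##* }::sha256: ${shasum%% *}"` yields the bare digest. The `sha256sum -- * | tee SHA2-256SUMS` pipeline reports tee's exit status, and unless this workflow sets `shell: bash` somewhere outside the hunk, the default run shell is `bash -e` without pipefail, so a sha256sum failure would leave an incomplete sums file behind a green step; `set -o pipefail` as the first line of the script, or `shell: bash` on the step, closes that. The enclosing build job starts outside the hunk.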