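# Publish workflow: build the sdist and wheels reproducibly, generate SLSA
# provenance for them, attach everything to a draft GitHub release, and
# (after a manual approval) upload the distributions to PyPI.
#
# Third-party actions are pinned to full commit SHAs so that a moved or
# force-pushed tag upstream cannot change what runs here. When bumping a
# pin, record the corresponding tag in a trailing comment so the mapping
# stays auditable.
name: Publish
on:
  push:
    tags:
      # Any pushed tag reaches the build, provenance and draft-release jobs;
      # only the PyPI upload below is gated by the 'publish' environment.
      - '*'
jobs:
  build:
    runs-on: ubuntu-latest
    # The build only needs to clone the repository. Restrict the token so a
    # compromised build dependency cannot use it to write to the repo.
    permissions:
      contents: read
    outputs:
      hash: ${{ steps.hash.outputs.hash }}
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
        with:
          # Do not leave the token in .git/config where later steps
          # (pip install, python -m build) could read it. The local
          # `git log` below does not need it.
          persist-credentials: false
      - uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912
        with:
          python-version: '3.x'
          cache: 'pip'
          cache-dependency-path: 'requirements/*.txt'
      # NOTE(review): assumes requirements/build.txt pins exact versions
      # (ideally with --hash); otherwise the release build pulls whatever
      # is newest at run time — confirm.
      - run: pip install -r requirements/build.txt
      # Use the commit date instead of the current date during the build so
      # the produced archives are reproducible.
      - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV"
      - run: python -m build
      # Generate hashes used for provenance: one sha256sum line per file in
      # dist/, base64-encoded onto a single line as the generator expects.
      - name: generate hash
        id: hash
        run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
        with:
          path: ./dist
  provenance:
    needs: ['build']
    permissions:
      actions: read
      id-token: write
      # NOTE(review): contents: write is only required if the generator
      # uploads the provenance to a release itself, which is not enabled
      # here — confirm against the generator's docs before narrowing.
      contents: write
    # Can't pin with hash due to how this workflow works.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
    with:
      base64-subjects: ${{ needs.build.outputs.hash }}
  create-release:
    # Upload the sdist, wheels, and provenance to a GitHub release. They remain
    # available as build artifacts for a while as well.
    needs: ['provenance']
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      # Without a name, every artifact of the run is downloaded into a
      # directory named after it, hence the artifact/ and *.intoto.jsonl/
      # paths below.
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
      - name: create release
        # The tag name is passed through the environment rather than expanded
        # inside the script: git ref names may contain characters such as ';'
        # or '|' that the shell would interpret. Only users with push access
        # can create tags, but the token in this job has contents: write.
        env:
          GH_TOKEN: ${{ github.token }}
          TAG_NAME: ${{ github.ref_name }}
        run: >
          gh release create --draft --repo "${{ github.repository }}"
          "$TAG_NAME"
          *.intoto.jsonl/* artifact/*
  publish-pypi:
    needs: ['provenance']
    # Wait for approval before attempting to upload to PyPI. This allows reviewing the
    # files in the draft release.
    # NOTE(review): the wait only happens if the 'publish' environment is
    # configured with required reviewers in the repository settings; the
    # workflow itself cannot enforce that — confirm.
    environment: 'publish'
    runs-on: ubuntu-latest
    permissions:
      # Lets the publish action obtain an OIDC token; no PyPI API token or
      # password is passed to it here.
      id-token: write
    steps:
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
      - uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf
        with:
          # Only the built distributions are uploaded; the provenance bundle
          # is attached to the GitHub release instead.
          packages-dir: artifact/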