Skip to content

Merge pull request #70 from instructlab/dependabot/github_actions/Dav… #156

Merge pull request #70 from instructlab/dependabot/github_actions/Dav…

Merge pull request #70 from instructlab/dependabot/github_actions/Dav… #156

Workflow file for this run

# SPDX-License-Identifier: Apache-2.0
name: Build, test, and upload PyPI package
on:
push:
branches:
- "main"
tags:
- "v*"
pull_request:
branches:
- "main"
release:
types:
- published
env:
LC_ALL: en_US.UTF-8
defaults:
run:
shell: bash
permissions:
contents: read
jobs:
# Create and verify release artifacts
# - build source dist (tar ball) and wheel
# - validate artifacts with various tools
# - upload artifacts to GHA
build-package:
name: Build and check packages
runs-on: ubuntu-latest
steps:
- name: "Harden Runner"
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: "Checkout"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# for setuptools-scm
fetch-depth: 0
- name: "Build and Inspect"
uses: hynek/build-and-inspect-python-package@f01e4d047aadcc0c054c95ec9900da3ec3fc7a0f # v2.10.0
# push to Test PyPI on
# - a new GitHub release is published
# - a PR is merged into main branch
publish-test-pypi:
name: Publish packages to test.pypi.org
# environment: publish-test-pypi
if: ${{ (github.repository_owner == 'instructlab') && ((github.event.action == 'published') || ((github.event_name == 'push') && (github.ref == 'refs/heads/main'))) }}
permissions:
contents: read
# see https://docs.pypi.org/trusted-publishers/
id-token: write
runs-on: ubuntu-latest
needs: build-package
steps:
- name: "Harden Runner"
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: "Download build artifacts"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: Packages
path: dist
- name: "Upload to Test PyPI"
uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3
with:
repository-url: https://test.pypi.org/legacy/
# push to Production PyPI on
# - a new GitHub release is published
publish-pypi:
name: Publish release to pypi.org
# environment: publish-pypi
if: ${{ (github.repository_owner == 'instructlab') && (github.event.action == 'published') }}
permissions:
# see https://docs.pypi.org/trusted-publishers/
id-token: write
# allow gh release upload
contents: write
runs-on: ubuntu-latest
needs: build-package
steps:
- name: "Harden Runner"
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: "Download build artifacts"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: Packages
path: dist
- name: "Sigstore sign package"
uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
with:
inputs: |
./dist/*.tar.gz
./dist/*.whl
release-signing-artifacts: false
- name: "Upload artifacts and signatures to GitHub release"
run: |
gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# PyPI does not accept .sigstore artifacts and
# gh-action-pypi-publish has no option to ignore them.
- name: "Remove sigstore signatures before uploading to PyPI"
run: |
rm ./dist/*.sigstore.json
- name: "Upload to PyPI"
uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3