Merge pull request #70 from instructlab/dependabot/github_actions/Dav… #156
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# SPDX-License-Identifier: Apache-2.0 | |
name: Build, test, and upload PyPI package | |
on: | |
push: | |
branches: | |
- "main" | |
tags: | |
- "v*" | |
pull_request: | |
branches: | |
- "main" | |
release: | |
types: | |
- published | |
env: | |
LC_ALL: en_US.UTF-8 | |
defaults: | |
run: | |
shell: bash | |
permissions: | |
contents: read | |
jobs: | |
# Create and verify release artifacts | |
# - build source dist (tar ball) and wheel | |
# - validate artifacts with various tools | |
# - upload artifacts to GHA | |
build-package: | |
name: Build and check packages | |
runs-on: ubuntu-latest | |
steps: | |
- name: "Harden Runner" | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: "Checkout" | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
# for setuptools-scm | |
fetch-depth: 0 | |
- name: "Build and Inspect" | |
uses: hynek/build-and-inspect-python-package@f01e4d047aadcc0c054c95ec9900da3ec3fc7a0f # v2.10.0 | |
# push to Test PyPI on | |
# - a new GitHub release is published | |
# - a PR is merged into main branch | |
publish-test-pypi: | |
name: Publish packages to test.pypi.org | |
# environment: publish-test-pypi | |
if: ${{ (github.repository_owner == 'instructlab') && ((github.event.action == 'published') || ((github.event_name == 'push') && (github.ref == 'refs/heads/main'))) }} | |
permissions: | |
contents: read | |
# see https://docs.pypi.org/trusted-publishers/ | |
id-token: write | |
runs-on: ubuntu-latest | |
needs: build-package | |
steps: | |
- name: "Harden Runner" | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: "Download build artifacts" | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: Packages | |
path: dist | |
- name: "Upload to Test PyPI" | |
uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3 | |
with: | |
repository-url: https://test.pypi.org/legacy/ | |
# push to Production PyPI on | |
# - a new GitHub release is published | |
publish-pypi: | |
name: Publish release to pypi.org | |
# environment: publish-pypi | |
if: ${{ (github.repository_owner == 'instructlab') && (github.event.action == 'published') }} | |
permissions: | |
# see https://docs.pypi.org/trusted-publishers/ | |
id-token: write | |
# allow gh release upload | |
contents: write | |
runs-on: ubuntu-latest | |
needs: build-package | |
steps: | |
- name: "Harden Runner" | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: "Download build artifacts" | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: Packages | |
path: dist | |
- name: "Sigstore sign package" | |
uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 | |
with: | |
inputs: | | |
./dist/*.tar.gz | |
./dist/*.whl | |
release-signing-artifacts: false | |
- name: "Upload artifacts and signatures to GitHub release" | |
run: | | |
gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}' | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# PyPI does not accept .sigstore artifacts and | |
# gh-action-pypi-publish has no option to ignore them. | |
- name: "Remove sigstore signatures before uploading to PyPI" | |
run: | | |
rm ./dist/*.sigstore.json | |
- name: "Upload to PyPI" | |
uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3 |