-
-
Notifications
You must be signed in to change notification settings - Fork 157
135 lines (135 loc) · 5.1 KB
/
publish.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: Publish
on:
push:
tags:
- '*'
# When a new version of Python is released, the workflow can be run manually to
# publish new wheels for the existing tag.
workflow_dispatch:
inputs:
tag:
description: 'git tag to check out and upload to'
required: true
python:
description: 'Python version, like "cp311"'
required: true
jobs:
sdist:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
ref: ${{ inputs.tag }}
- uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0
with:
python-version: '3.x'
cache: 'pip'
cache-dependency-path: 'requirements/*.txt'
- run: pip install -r requirements/build.txt
# Use the commit date instead of the current date during the build.
- run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
- run: python -m build --sdist
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
with:
path: ./dist
# The sdist is not needed on new Python version builds. However, this job must
# present in the run for the hash job, so only the upload is skipped.
if: github.event_name == 'push'
wheels:
name: wheels / ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
- run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
- name: Set up QEMU
if: runner.os == 'Linux'
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
with:
platforms: arm64
- uses: joerick/cibuildwheel@fff9ec32ed25a9c576750c91e06b410ed0c15db7
env:
# For workflow_dispatch, only build the new Python version.
CIBW_BUILD: "${{ inputs.python && format('{0}-*', inputs.python) || null }}"
CIBW_SKIP: 'pp*'
CIBW_ARCHS_LINUX: auto aarch64
CIBW_ARCHS_MACOS: auto universal2
CIBW_BUILD_FRONTEND: build
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
with:
path: ./wheelhouse
hash:
# Generate hashes for the sdist and wheels, used later for provenance.
needs: ['sdist', 'wheels']
runs-on: ubuntu-latest
outputs:
hash: ${{ steps.hash.outputs.hash }}
steps:
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
- name: generate hash
id: hash
run: cd artifact && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
provenance:
needs: ['hash']
permissions:
actions: read
id-token: write
contents: write
# Can't pin with hash due to how this workflow works.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0
with:
base64-subjects: ${{ needs.hash.outputs.hash }}
# When building more wheels, use the Python version as the provenance file name.
provenance-name: ${{ inputs.python && format('{0}.intoto.jsonl', inputs.python) || null }}
create-release:
# Upload the sdist, wheels, and provenance to a GitHub release. They remain
# available as build artifacts for a while as well.
needs: ['provenance']
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
# When building a new tag, create a new draft release.
- if: github.event_name == 'push'
name: create release
run: >
gh release create --draft --repo ${{ github.repository }}
${{ inputs.tag || github.ref_name }}
*.intoto.jsonl/* artifact/*
env:
GH_TOKEN: ${{ github.token }}
# When running manually, update the existing release with more files.
- if: github.event_name == 'workflow_dispatch'
name: update release
run: >
gh release upload --repo ${{ github.repository }}
${{ inputs.tag || github.ref_name }}
*.intoto.jsonl/* artifact/*
env:
GH_TOKEN: ${{ github.token }}
publish-pypi:
needs: ['provenance']
# Wait for approval before attempting to upload to PyPI. This allows reviewing the
# files in the draft release.
environment:
name: publish
url: https://pypi.org/project/MarkupSafe
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
# Try uploading to Test PyPI first, in case something fails.
- uses: pypa/gh-action-pypi-publish@a56da0b891b3dc519c7ee3284aff1fad93cc8598
with:
repository-url: https://test.pypi.org/legacy/
packages-dir: artifact/
skip-existing: true
- uses: pypa/gh-action-pypi-publish@a56da0b891b3dc519c7ee3284aff1fad93cc8598
with:
packages-dir: artifact/
skip-existing: true