Skip to content

Commit

Permalink
ci: release with trusted publisher and attestations (#5196)
Browse files Browse the repository at this point in the history
* ci: release with trusted publisher and attestations

Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>

* Update pip.yml

---------

Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>
  • Loading branch information
henryiii authored Jun 26, 2024
1 parent 26281c7 commit b5ec7c7
Showing 1 changed file with 11 additions and 7 deletions.
18 changes: 11 additions & 7 deletions .github/workflows/pip.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ jobs:

- name: Prepare env
run: |
python -m pip install -r tests/requirements.txt build twine
python -m pip install -r tests/requirements.txt build twine!=5.1.0
- name: Python Packaging tests
run: pytest tests/extra_python_package/
Expand Down Expand Up @@ -91,23 +91,27 @@ jobs:
runs-on: ubuntu-latest
if: github.event_name == 'release' && github.event.action == 'published'
needs: [packaging]
environment: pypi
permissions:
id-token: write
attestations: write
contents: read

steps:
- uses: actions/setup-python@v5
with:
python-version: "3.x"

# Downloads all to directories matching the artifact names
- uses: actions/download-artifact@v4

- name: Generate artifact attestation for sdist and wheel
uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
with:
subject-path: "*/pybind11*"

- name: Publish standard package
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.pypi_password }}
packages-dir: standard/

- name: Publish global package
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.pypi_password_global }}
packages-dir: global/

0 comments on commit b5ec7c7

Please sign in to comment.