Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: Use GitHub attestations #1132

Merged
merged 8 commits into from
May 22, 2024
Merged

ci: Use GitHub attestations #1132

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
c89aace
ci: Use GitHub attestations
edgarrmondragon May 4, 2024
17a50c2
Replace old step
edgarrmondragon May 4, 2024
be9b19d
Upload artifacts to release
edgarrmondragon May 4, 2024
516f096
Change the asset name
edgarrmondragon May 10, 2024
ffcd93d
Merge branch 'main' into use-github-attestations
edgarrmondragon May 10, 2024
36244e4
Merge branch 'main' into use-github-attestations
edgarrmondragon May 11, 2024
27951b3
Merge branch 'main' into use-github-attestations
edgarrmondragon May 22, 2024
14a2403
Merge branch 'main' into use-github-attestations
edgarrmondragon May 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 28 additions & 8 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,26 @@ jobs:
ref: ${{ github.event.inputs.tag || github.ref }}
- uses: hynek/build-and-inspect-python-package@eb6b0c7cc5e1f38eec42c970925e1b3420faa015

upload-to-release:
name: Upload to GitHub Release
if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
needs: [build]
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases

steps:
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: Packages
path: dist
- uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd
with:
file: dist/**
tag: ${{ github.event.inputs.tag || github.ref }}
overwrite: false
file_glob: true

publish:
name: Publish to PyPI
if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.publish == 'true'
Expand All @@ -51,22 +71,22 @@ jobs:
runs-on: ubuntu-latest
needs: [build]
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for sigstore
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for attestations
attestations: write # IMPORTANT: mandatory for attestations
edgarrmondragon marked this conversation as resolved.
Show resolved Hide resolved

steps:
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: Packages
path: dist
- uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2
- uses: actions/attest-build-provenance@eab7f69317b589ac05272d67712fdd10ab3d4d1d
id: attest
with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
subject-path: "./dist/citric*"
- uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd
with:
file: dist/**
file: ${{ steps.attest.outputs.bundle-path }}
tag: ${{ github.event.inputs.tag || github.ref }}
overwrite: false
file_glob: true
asset_name: attestations.intoto.jsonl
edgarrmondragon marked this conversation as resolved.
Show resolved Hide resolved
3 changes: 3 additions & 0 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,9 @@ repos:
rev: v2.2.6
hooks:
- id: codespell
# TODO: Use inline ignores, e.g. # codespell:ignore intoto
# https://github.com/codespell-project/codespell/issues/3387
args: [-L, intoto]
additional_dependencies:
- tomli

Expand Down