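name: Publish

# Release pipeline: build the sdist and wheels, hash them, generate SLSA
# provenance for those hashes, then attach everything to a GitHub release and
# (after environment approval) upload to PyPI.

# Least-privilege GITHUB_TOKEN: the build and hash jobs only need to read the
# repository. Jobs that write a release or mint an OIDC token raise their own
# scopes at the job level, which overrides this default.
permissions:
  contents: read

on:
  push:
    tags:
      - '*'
  # When a new version of Python is released, the workflow can be run manually to
  # publish new wheels for the existing tag.
  workflow_dispatch:
    inputs:
      tag:
        description: git tag to check out and upload to
        required: true
      python:
        description: Python version, like "cp311"
        required: true

jobs:
  sdist:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          # Empty on push, so checkout falls back to the tag that triggered the run.
          ref: ${{ inputs.tag }}
      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
        with:
          python-version: '3.x'
          cache: pip
          cache-dependency-path: requirements/*.txt
      - run: pip install -r requirements/build.txt
      # Use the commit date instead of the current date during the build.
      - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
      - run: python -m build --sdist
      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: build-sdist
          path: ./dist
        # The sdist is not needed on new Python version builds. However, this job must
        # be present in the run for the hash job, so only the upload is skipped.
        if: github.event_name == 'push'

  wheels:
    name: wheels / ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          # Build the wheels from the same tag the sdist and the release use. Without
          # this, a workflow_dispatch run would build from the ref selected in the UI,
          # so the wheels attached to the tag's release would not match the tag.
          ref: ${{ inputs.tag }}
      - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
      - name: Set up QEMU
        if: runner.os == 'Linux'
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
        with:
          platforms: arm64
      - uses: pypa/cibuildwheel@f1859528322d7b29d4493ee241a167807661dfb4 # v2.21.2
        env:
          # For workflow_dispatch, only build the new Python version.
          CIBW_BUILD: ${{ inputs.python && format('{0}-*', inputs.python) || null }}
          CIBW_SKIP: pp*
          CIBW_ARCHS_LINUX: auto aarch64
          CIBW_ARCHS_MACOS: auto universal2
          CIBW_BUILD_FRONTEND: build
          CIBW_FREE_THREADED_SUPPORT: 1
      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: build-wheels-${{ matrix.os }}
          path: ./wheelhouse

  hash:
    # Generate hashes for the sdist and wheels, used later for provenance.
    needs: [sdist, wheels]
    runs-on: ubuntu-latest
    outputs:
      hash: ${{ steps.hash.outputs.hash }}
    steps:
      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: dist
          pattern: build-*
          merge-multiple: true
      - name: generate hash
        id: hash
        # One sha256 line per file, base64-encoded as a single line so it fits in a
        # step output; this is the subject list the provenance generator signs over.
        run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT

  provenance:
    needs: [hash]
    permissions:
      actions: read
      id-token: write
      contents: write
    # Can't pin with hash due to how this workflow works.
    # NOTE(review): the reference below was mangled by the page's e-mail obfuscation;
    # it should point at the generator_generic_slsa3.yml reusable workflow pinned to a
    # release tag. Restore the original reference before using this file.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: ${{ needs.hash.outputs.hash }}
      # When building more wheels, use the Python version as the provenance file name.
      provenance-name: ${{ inputs.python && format('{0}.intoto.jsonl', inputs.python) || null }}

  create-release:
    # Upload the sdist, wheels, and provenance to a GitHub release. They remain
    # available as build artifacts for a while as well.
    needs: [provenance]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: dist
          pattern: build-*
          merge-multiple: true
      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          pattern: '*.intoto.jsonl'
      # When building a new tag, create a new draft release.
      - if: github.event_name == 'push'
        name: create release
        # The tag is passed through the environment instead of being interpolated into
        # the script, so its value is never parsed as shell syntax.
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ inputs.tag || github.ref_name }}
        run: >
          gh release create --draft --repo ${{ github.repository }}
          "$RELEASE_TAG"
          *.intoto.jsonl/* dist/*
      # When running manually, update the existing release with more files.
      - if: github.event_name == 'workflow_dispatch'
        name: update release
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ inputs.tag || github.ref_name }}
        run: >
          gh release upload --repo ${{ github.repository }}
          "$RELEASE_TAG"
          *.intoto.jsonl/* dist/*

  publish-pypi:
    needs: [provenance]
    # Wait for approval before attempting to upload to PyPI. This allows reviewing the
    # files in the draft release.
    environment:
      name: publish
      # On workflow_dispatch github.ref_name is the dispatched ref, so prefer the tag.
      url: https://pypi.org/project/MarkupSafe/${{ inputs.tag || github.ref_name }}
    runs-on: ubuntu-latest
    permissions:
      # Trusted publishing: an OIDC token is exchanged for a PyPI upload token.
      id-token: write
    steps:
      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: dist
          pattern: build-*
          merge-multiple: true
      # Upload to TestPyPI first; a failure here stops the real upload below.
      - uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3
        with:
          repository-url: https://test.pypi.org/legacy/
          skip-existing: true
      - uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3
        with:
          skip-existing: true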