Skip to content

v3.0.0rc2

v3.0.0rc2 #58

Workflow file for this run

name: Release
on:
release:
types:
- published
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
build:
name: Build and sign artifacts
runs-on: ubuntu-latest
permissions:
id-token: write
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: "3.x"
cache: "pip"
cache-dependency-path: pyproject.toml
- name: deps
run: python -m pip install -U build
- name: build
run: python -m build
- name: sign
run: |
mkdir -p smoketest-artifacts
# we smoke-test sigstore by installing each of the distributions
# we've built in a fresh environment and using each to sign and
# verify for itself, using the ambient OIDC identity
for dist in dist/*; do
dist_base="$(basename "${dist}")"
python -m venv smoketest-env
./smoketest-env/bin/python -m pip install "${dist}"
# NOTE: signing artifacts currently go in a separate directory,
# to avoid confusing the package uploader (which otherwise tries
# to upload them to PyPI and fails). Future versions of twine
# and the gh-action-pypi-publish action should support these artifacts.
./smoketest-env/bin/python -m \
sigstore sign "${dist}" \
--output-signature smoketest-artifacts/"${dist_base}.sig" \
--output-certificate smoketest-artifacts/"${dist_base}.crt" \
--bundle smoketest-artifacts/"${dist_base}.sigstore"
# Verify using `.sig` `.crt` pair;
./smoketest-env/bin/python -m \
sigstore verify identity "${dist}" \
--signature "smoketest-artifacts/${dist_base}.sig" \
--cert "smoketest-artifacts/${dist_base}.crt" \
--cert-oidc-issuer https://token.actions.githubusercontent.com \
--cert-identity ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/.github/workflows/release.yml@${GITHUB_REF}
# Verify using `.sigstore` bundle;
./smoketest-env/bin/python -m \
sigstore verify identity "${dist}" \
--bundle "smoketest-artifacts/${dist_base}.sigstore" \
--cert-oidc-issuer https://token.actions.githubusercontent.com \
--cert-identity ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/.github/workflows/release.yml@${GITHUB_REF}
rm -rf smoketest-env
done
- name: Generate hashes for provenance
shell: bash
id: hash
run: |
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
# sha256sum artifact1 artifact2 ... | base64 -w0
echo "hashes=$(sha256sum ./dist/* | base64 -w0)" >> $GITHUB_OUTPUT
- name: Upload built packages
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: built-packages
path: ./dist/
if-no-files-found: warn
- name: Upload smoketest-artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: smoketest-artifacts
path: smoketest-artifacts/
if-no-files-found: warn
generate-provenance:
needs: [build]
name: Generate build provenance
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
# Currently this action needs to be referred by tag. More details at:
# https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
provenance-name: provenance-sigstore-${{ github.event.release.tag_name }}.intoto.jsonl
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
release-pypi:
needs: [build, generate-provenance]
runs-on: ubuntu-latest
permissions:
# Used to authenticate to PyPI via OIDC.
id-token: write
steps:
- name: Download artifacts directories # goes to current working directory
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
- name: publish
uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
with:
packages_dir: built-packages/
release-github:
needs: [build, generate-provenance]
runs-on: ubuntu-latest
permissions:
# Needed to upload release assets.
contents: write
steps:
- name: Download artifacts directories # goes to current working directory
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
- name: Upload artifacts to github
# Confusingly, this action also supports updating releases, not
# just creating them. This is what we want here, since we've manually
# created the release that triggered the action.
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v0.1.15
with:
# smoketest-artifacts/ contains the signatures and certificates.
files: |
built-packages/*
smoketest-artifacts/*
# Trigger workflow to generate pinned requirements.txt.
pin-requirements:
permissions:
# Needed to create branch and pull request.
pull-requests: write
contents: write
# Workflow depends on uploaded release assets.
needs: [release-github]
# Only trigger workflow on full releases.
if: ${{ !github.event.release.prerelease }}
uses: ./.github/workflows/pin-requirements.yml
with:
tag: ${{ github.ref_name }}