chore: Add permissions to workflows (#166) #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Python Package | ||
| on: | ||
| release: | ||
| types: | ||
| - published | ||
| jobs: | ||
| call-test-lint: | ||
| uses: ./.github/workflows/test-lint.yml | ||
| with: | ||
| ref: ${{ github.event.release.target_commitish }} | ||
| build: | ||
| name: Build distribution 📦 | ||
| permissions: | ||
| contents: read | ||
| needs: | ||
| - call-test-lint | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.10' | ||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install hatch twine | ||
| - name: Validate version | ||
| run: | | ||
| version=$(hatch version) | ||
| if [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | ||
| echo "Valid version format" | ||
| exit 0 | ||
| else | ||
| echo "Invalid version format" | ||
| exit 1 | ||
| fi | ||
| - name: Build | ||
| run: | | ||
| hatch build | ||
| - name: Store the distribution packages | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: python-package-distributions | ||
| path: dist/ | ||
| deploy: | ||
| name: Upload release to PyPI | ||
| permissions: | ||
| contents: read | ||
| needs: | ||
| - build | ||
| runs-on: ubuntu-latest | ||
| # environment is used by PyPI Trusted Publisher and is strongly encouraged | ||
| # https://docs.pypi.org/trusted-publishers/adding-a-publisher/ | ||
| environment: | ||
| name: pypi | ||
| url: https://pypi.org/p/strands-agents | ||
| permissions: | ||
| # IMPORTANT: this permission is mandatory for Trusted Publishing | ||
| id-token: write | ||
| steps: | ||
| - name: Download all the dists | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: python-package-distributions | ||
| path: dist/ | ||
| - name: Publish distribution 📦 to PyPI | ||
| uses: pypa/gh-action-pypi-publish@release/v1 | ||