917C Enable trusted publishing (#6) #18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish library | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| # Don't try to be smart about PEP 440 compliance, | |
| # see https://www.python.org/dev/peps/pep-0440/#appendix-b-parsing-version-strings-with-regular-expressions | |
| - v* | |
| jobs: | |
| build-package: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # write attestations and id-token are necessary for attest-build-provenance-github | |
| attestations: write | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - uses: hynek/build-and-inspect-python-package@v2 | |
| with: | |
| # Prove that the packages were built in the context of this workflow. | |
| attest-build-provenance-github: true | |
| publish: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
| # Use the `release` GitHub environment to protect the Trusted Publishing (OIDC) | |
| # workflow by requiring signoff from a maintainer. | |
| environment: release | |
| needs: build-package | |
| permissions: | |
| # write id-token is necessary for trusted publishing (OIDC) | |
| id-token: write | |
| steps: | |
| - name: Download Distribution Artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| # The build-and-inspect-python-package action invokes upload-artifact. | |
| # These are the correct arguments from that action. | |
| name: Packages | |
| path: dist | |
| - name: Publish Package to PyPI | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| # Implicitly attests that the packages were uploaded in the context of this workflow. |