
Commit b4c0850

woodruffw and di authored
github/workflows: add release workflow (#47)
* github/workflows: add release workflow
  Signed-off-by: William Woodruff <william@trailofbits.com>
* workflows/release: run on release publish events instead
  Signed-off-by: William Woodruff <william@trailofbits.com>
* workflows/release: add signing
  Dogfooding!
  Signed-off-by: William Woodruff <william@trailofbits.com>
* Update .github/workflows/release.yml
  Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
  Signed-off-by: William Woodruff <william@trailofbits.com>
* Update .github/workflows/release.yml
  Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
  Signed-off-by: William Woodruff <william@trailofbits.com>
* workflows/release: use local sigstore version
  Signed-off-by: William Woodruff <william@trailofbits.com>
* Update .github/workflows/release.yml
  Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
  Signed-off-by: William Woodruff <william@trailofbits.com>
* workflows/release: set audience=sigstore for the JWT
  Signed-off-by: William Woodruff <william@trailofbits.com>
* workflows/release: be careful about quotes
  Signed-off-by: William Woodruff <william@trailofbits.com>

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
1 parent 5a091b8 commit b4c0850

1 file changed: +48 -0 lines changed

.github/workflows/release.yml

Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
on:
2+
release:
3+
types:
4+
- published
5+
6+
name: release
7+
8+
# Needed to access the workflow's OIDC identity.
9+
permissions:
10+
id-token: write
11+
12+
jobs:
13+
pypi:
14+
name: Build, sign and publish release to PyPI
15+
runs-on: ubuntu-latest
16+
steps:
17+
- uses: actions/checkout@v2
18+
19+
- uses: actions/setup-python@v2
20+
21+
- name: deps
22+
run: python -m pip install -U build
23+
24+
- name: build
25+
run: python -m build
26+
27+
- name: sign
28+
run: |
29+
# use the latest development changes for sigstore, at least
30+
# until things are stabilized further
31+
python -m pip install .
32+
33+
# retrieve the OIDC identity
34+
identity_token=$( \
35+
curl -H \
36+
"Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
37+
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" \
38+
| jq -r .value \
39+
)
40+
41+
# sign all package distributions using the OIDC identity
42+
python -m sigstore sign --identity-token=${identity_token} dist/*
43+
44+
- name: publish
45+
uses: pypa/gh-action-pypi-publish@master
46+
with:
47+
user: __token__
48+
password: ${{ secrets.PYPI_TOKEN }}
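Review bot: the publish step uses `pypa/gh-action-pypi-publish@master`, a mutable branch ref, while handing that action `secrets.PYPI_TOKEN`; pin it to a release tag or, better, a full commit SHA, the way the checkout and setup-python steps are at least tag-pinned (`@v2`), so that a change or compromise of the upstream branch cannot run arbitrary code with the publishing token. In the sign step, `curl -H ... "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r .value` is called without `-sSf`, so an HTTP error from the token endpoint produces an empty `identity_token` and the script goes on to run `python -m sigstore sign --identity-token= dist/*` instead of failing at the request; add `curl -sSf` and a `set -euo pipefail` line at the top of the `run:` block so the failure surfaces where it happens. The same step signs `dist/*` but nothing in the hunk shows where the resulting signature and certificate files are written, and the publish step sets no `packages_dir`, so it uploads whatever sits in `dist/`; confirm the signing outputs are written outside `dist/` (or move them out before the publish step) so that only the sdist and wheel reach PyPI. Lastly, declaring `permissions:` with only `id-token: write` sets every other scope, `contents` included, to none; that works for a public-repository checkout, but an explicit `contents: read` documents the intent and keeps `actions/checkout` working if the repository is ever made private.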
