Bump sigstore/gh-action-sigstore-python from 2.1.0 to 2.1.1 (#680) #141
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish | |
on: | |
release: | |
types: [published] | |
push: # Run a dry-run on pushes to the main branch. | |
branches: | |
- main | |
paths: | |
- .github/** | |
- pyproject.toml | |
- scripts/build.sh | |
permissions: {} # No permissions by default. Permissions are added per-job. | |
env: | |
# Artifact name to use for the release. The build matrix builds and tests | |
# multiple Python versions. But the release only comes from this single | |
# version. | |
DIST_ARTIFACT: dist-ubuntu-latest-3.8 | |
jobs: | |
build: | |
name: Build | |
uses: ./.github/workflows/build.yml | |
check: | |
name: Check version and tag match | |
needs: [build] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check if tag version matches project version | |
if: github.event.release | |
env: | |
BUILD_VERSION: ${{ needs.build.outputs.version }} | |
run: | | |
echo "TAG: $GITHUB_REF_NAME" | |
echo "VERSION: $BUILD_VERSION" | |
if [[ "$GITHUB_REF_NAME" != "$BUILD_VERSION" ]]; then exit 1; fi | |
hash: | |
name: Generate SHA256 hashes | |
needs: [build, check] | |
runs-on: ubuntu-latest | |
outputs: | |
hashes: ${{ steps.hash.outputs.hashes }} | |
steps: | |
- name: Download dist artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: ${{ env.DIST_ARTIFACT }} | |
path: dist | |
- name: Hash dist files | |
id: hash | |
env: | |
PYWEMO_VERSION: ${{ needs.build.outputs.version }} | |
working-directory: dist | |
run: | | |
sha256sum * | tee "pywemo-${PYWEMO_VERSION}.sha256sum.txt" | |
echo "hashes=$(sha256sum * | base64 -w0)" | tee -a "$GITHUB_OUTPUT" | |
- name: Archive hashes | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
if-no-files-found: error | |
name: hashes | |
path: dist/pywemo-${{ needs.build.outputs.version }}.sha256sum.txt | |
slsa: | |
name: Generate SLSA provenance | |
needs: [build, hash] | |
permissions: | |
# Needed to upload assets to the Github release. | |
# TODO: Find a way to remove 'contents: write': | |
# https://github.com/slsa-framework/slsa-github-generator/issues/2044 | |
# https://github.com/slsa-framework/slsa-github-generator/issues/2076 | |
contents: write | |
# Needed to detect the GitHub Actions environment. | |
actions: read | |
# Needed to create the provenance via GitHub OIDC. | |
id-token: write | |
# Best practices for workflows suggest actions/workflows should be pinned | |
# by their git commit SHA digest. | |
# TODO: Pin this workflow with a git commit SHA digest. | |
# https://github.com/slsa-framework/slsa-verifier/issues/12 | |
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 | |
with: | |
# SHA-256 hashes of the Python distributions. | |
base64-subjects: ${{ needs.hash.outputs.hashes }} | |
# Provenance file name. | |
provenance-name: pywemo-${{ needs.build.outputs.version }}.intoto.jsonl | |
sigstore: | |
name: Generate Sigstore signatures | |
needs: [build, hash] | |
runs-on: ubuntu-latest | |
permissions: | |
# For Sigstore provenance. | |
id-token: write | |
steps: | |
- name: Download build artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
- name: Sign the release | |
uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2 # v2.1.1 | |
with: | |
inputs: ./${{env.DIST_ARTIFACT}}/* ./hashes/* | |
upload-signing-artifacts: true | |
assets: | |
name: Create release assets | |
needs: [build, hash, sigstore, slsa] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download build artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
- name: Populate release assets | |
env: | |
PROVENANCE_NAME: ${{ needs.slsa.outputs.provenance-name }} | |
run: | | |
mkdir -p ./release | |
cp \ | |
./${DIST_ARTIFACT}/* \ | |
./hashes/* \ | |
"./${PROVENANCE_NAME}/${PROVENANCE_NAME}" \ | |
./signing-artifacts-sigstore/*/*.sigstore \ | |
./release/ | |
- name: Add SHA256SUM environment variable | |
run: | | |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
echo "SHA256SUM<<$EOF" >> "$GITHUB_ENV" | |
cat ./hashes/*.sha256sum.txt >> "$GITHUB_ENV" | |
echo "$EOF" >> "$GITHUB_ENV" | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
path: pywemo_checkout | |
- name: Update release text | |
env: | |
BODY: ${{ github.event.release && github.event.release.body || '' }} | |
TEMPLATE_FILE: ./pywemo_checkout/.github/RELEASE_NOTES_TEMPLATE.md | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v6 | |
with: | |
script: | | |
const fsp = require('fs').promises; | |
let body = await fsp.readFile( | |
process.env.TEMPLATE_FILE, { encoding: 'utf8' }); | |
for (const [key, value] of Object.entries(process.env)) { | |
body = body.replaceAll(`\${${key}}`, value); | |
} | |
await fsp.writeFile( | |
'${{github.workspace}}/release/release-notes.md', body); | |
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
if-no-files-found: error | |
name: release | |
path: release/* | |
github-release: | |
name: Publish to GitHub Release | |
needs: [assets] | |
runs-on: ubuntu-latest | |
if: github.event.release | |
environment: release | |
permissions: | |
# Needed to run "gh release upload" and "rest.repos.updateRelease". | |
contents: write | |
steps: | |
- name: Download release artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: release | |
path: release | |
- name: Upload release assets | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: | | |
mv ./release/release-notes.md "${{github.workspace}}/" | |
gh release upload "${GITHUB_REF_NAME}" \ | |
--repo "${GITHUB_REPOSITORY}" \ | |
./release/* | |
- name: Update release text | |
env: | |
RELEASE_ID: ${{ github.event.release.id }} | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v6 | |
with: | |
script: | | |
const fsp = require('fs').promises; | |
const body = await fsp.readFile( | |
'${{github.workspace}}/release-notes.md', { encoding: 'utf8' }); | |
await github.rest.repos.updateRelease({ | |
...context.repo, | |
release_id: process.env.RELEASE_ID, | |
body: body, | |
}); | |
pypi-release: | |
name: Publish to PyPI | |
needs: [github-release] | |
runs-on: ubuntu-latest | |
if: github.event.release | |
environment: release | |
permissions: | |
# Needed for PyPI trusted publishing. | |
id-token: write | |
steps: | |
- name: Download build artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: ${{ env.DIST_ARTIFACT }} | |
path: dist | |
- name: Publish package distributions to PyPI | |
uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf # v1.8.11 |