ci: Publish GitHub attestations only for PyPI builds (#157) #224
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: publish distributions | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - v* | |
| pull_request: | |
| branches: | |
| - main | |
| - release/v* | |
| release: | |
| types: [published] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: Build Python distribution | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.x' | |
| - name: Install build and twine | |
| run: | | |
| python -m pip install uv | |
| uv pip install --system --upgrade pip wheel | |
| uv pip install --system build twine | |
| uv pip list --system | |
| - name: Build a sdist and a wheel | |
| run: | | |
| python -m build . | |
| - name: Verify the distribution | |
| run: twine check dist/* | |
| - name: List contents of sdist | |
| run: python -m tarfile --list dist/recast_atlas-*.tar.gz | |
| - name: List contents of wheel | |
| run: python -m zipfile --list dist/recast_atlas-*.whl | |
| - name: Generate artifact attestation for sdist and wheel | |
| # If publishing to PyPI | |
| if: github.event_name == 'release' && github.event.action == 'published' && github.repository == 'recast-hep/recast-atlas' | |
| uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1 | |
| with: | |
| subject-path: "dist/recast_atlas-*" | |
| - name: Upload distribution artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist-artifact | |
| path: dist | |
| publish: | |
| name: Publish Python distribution to (Test)PyPI | |
| if: github.event_name != 'pull_request' | |
| needs: build | |
| runs-on: ubuntu-latest | |
| # Mandatory for publishing with a trusted publisher | |
| # c.f. https://docs.pypi.org/trusted-publishers/using-a-publisher/ | |
| permissions: | |
| id-token: write | |
| # Restrict to the environment set for the trusted publisher | |
| environment: | |
| name: publish-package | |
| steps: | |
| - name: Download distribution artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist-artifact | |
| path: dist | |
| - name: List all files | |
| run: ls -lh dist | |
| - name: Publish distribution 📦 to Test PyPI | |
| # publish to TestPyPI on tag events | |
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'recast-hep/recast-atlas' | |
| uses: pypa/gh-action-pypi-publish@v1.8.14 | |
| with: | |
| repository-url: https://test.pypi.org/legacy/ | |
| print-hash: true | |
| - name: Publish distribution 📦 to PyPI | |
| if: github.event_name == 'release' && github.event.action == 'published' && github.repository == 'recast-hep/recast-atlas' | |
| uses: pypa/gh-action-pypi-publish@v1.8.14 | |
| with: | |
| print-hash: true |