build(deps): bump actions/upload-artifact from 3.pre.node20 to 4.3.4 in the actions group #5969
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: publish distributions | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - v* | |
| pull_request: | |
| branches: | |
| - main | |
| - release/v* | |
| release: | |
| types: [published] | |
| # Run weekly at 1:23 UTC | |
| schedule: | |
| - cron: '23 1 * * 0' | |
| workflow_dispatch: | |
| inputs: | |
| publish: | |
| type: boolean | |
| description: 'Publish to TestPyPI' | |
| default: false | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: Build Python distribution | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python 3.12 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Install python-build and twine | |
| run: | | |
| python -m pip install uv | |
| uv pip install --system --upgrade pip | |
| uv pip install --system build twine | |
| python -m pip list | |
| - name: Build a sdist and wheel | |
| if: github.event_name != 'schedule' | |
| run: | | |
| python -m build --installer uv . | |
| - name: Build a sdist and wheel and check for warnings | |
| if: github.event_name == 'schedule' | |
| run: | | |
| PYTHONWARNINGS=error,default::DeprecationWarning python -m build --installer uv . | |
| - name: Verify untagged commits have dev versions | |
| if: "!startsWith(github.ref, 'refs/tags/')" | |
| run: | | |
| latest_tag=$(git describe --tags) | |
| latest_tag_revlist_SHA=$(git rev-list -n 1 ${latest_tag}) | |
| main_SHA="$(git rev-parse --verify origin/main)" | |
| wheel_name=$(find dist/ -iname "*.whl" -printf "%f\n") | |
| if [[ "${latest_tag_revlist_SHA}" != "${main_SHA}" ]]; then # don't check main push events coming from tags | |
| if [[ "${wheel_name}" == *"pyhf-0.1.dev"* || "${wheel_name}" != *"dev"* ]]; then | |
| echo "python-build incorrectly named built distribution: ${wheel_name}" | |
| echo "python-build is lacking the history and tags required to determine version number" | |
| echo "intentionally erroring with 'return 1' now" | |
| return 1 | |
| fi | |
| else | |
| echo "Push event to origin/main was triggered by push of tag ${latest_tag}" | |
| fi | |
| echo "python-build named built distribution: ${wheel_name}" | |
| - name: Verify tagged commits don't have dev versions | |
| if: startsWith(github.ref, 'refs/tags') | |
| run: | | |
| wheel_name=$(find dist/ -iname "*.whl" -printf "%f\n") | |
| if [[ "${wheel_name}" == *"dev"* ]]; then | |
| echo "python-build incorrectly named built distribution: ${wheel_name}" | |
| echo "this is incorrrectly being treated as a dev release" | |
| echo "intentionally erroring with 'return 1' now" | |
| return 1 | |
| fi | |
| echo "python-build named built distribution: ${wheel_name}" | |
| - name: Verify the distribution | |
| run: twine check --strict dist/* | |
| - name: List contents of sdist | |
| run: python -m tarfile --list dist/pyhf-*.tar.gz | |
| - name: List contents of wheel | |
| run: python -m zipfile --list dist/pyhf-*.whl | |
| - name: Generate artifact attestation for sdist and wheel | |
| # If publishing to TestPyPI or PyPI | |
| if: >- | |
| (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf') | |
| || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf') | |
| || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf') | |
| uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 | |
| with: | |
| subject-path: "dist/pyhf-*" | |
| - name: Upload distribution artifact | |
| uses: actions/upload-artifact@v4.3.4 | |
| with: | |
| name: dist-artifact | |
| path: dist | |
| publish: | |
| name: Publish Python distribution to (Test)PyPI | |
| if: github.event_name != 'pull_request' | |
| needs: build | |
| runs-on: ubuntu-latest | |
| # Mandatory for publishing with a trusted publisher | |
| # c.f. https://docs.pypi.org/trusted-publishers/using-a-publisher/ | |
| permissions: | |
| id-token: write | |
| # Restrict to the environment set for the trusted publisher | |
| environment: | |
| name: publish-package | |
| steps: | |
| - name: Download distribution artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist-artifact | |
| path: dist | |
| - name: List all files | |
| run: ls -lh dist | |
| - name: Verify sdist artifact attestation | |
| # If publishing to TestPyPI or PyPI | |
| if: >- | |
| (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf') | |
| || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf') | |
| || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf') | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh attestation verify dist/pyhf-*.tar.gz --repo ${{ github.repository }} | |
| - name: Verify wheel artifact attestation | |
| # If publishing to TestPyPI or PyPI | |
| if: >- | |
| (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf') | |
| || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf') | |
| || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf') | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh attestation verify dist/pyhf-*.whl --repo ${{ github.repository }} | |
| - name: Publish distribution 📦 to Test PyPI | |
| # Publish to TestPyPI on tag events of if manually triggered | |
| # Compare to 'true' string as booleans get turned into strings in the console | |
| if: >- | |
| (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf') | |
| || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf') | |
| uses: pypa/gh-action-pypi-publish@v1.9.0 | |
| with: | |
| repository-url: https://test.pypi.org/legacy/ | |
| print-hash: true | |
| - name: Publish distribution 📦 to PyPI | |
| if: github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf' | |
| uses: pypa/gh-action-pypi-publish@v1.9.0 | |
| with: | |
| print-hash: true |