Add a release workflow (#150)

* workflows: add a release workflow Signed-off-by: William Woodruff <william@trailofbits.com> * workflows/release: add artifact uploading Signed-off-by: William Woodruff <william@trailofbits.com> * workflows/release: fix and document permissions Signed-off-by: William Woodruff <william@trailofbits.com>
di · Jul 19, 2022 · 504e4f2 · 504e4f2
1 parent 2693481
commit 504e4f2
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,51 @@
+on:
+  release:
+    types:
+      - published
+
+name: release
+
+permissions:
+  # Needed to access the workflow's OIDC identity.
+  id-token: write
+
+  # Needed to upload release assets.
+  contents: write
+
+jobs:
+  pypi:
+    name: upload release to PyPI
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - uses: actions/setup-python@v4
+      with:
+        python-version: ">= 3.7"
+
+    - name: deps
+      run: python -m pip install -U setuptools build wheel
+
+    - name: build
+      run: python -m build
+
+    - name: publish
+      uses: pypa/gh-action-pypi-publish@master
+      with:
+        user: __token__
+        password: ${{ secrets.PYPI_TOKEN }}
+
+    - name: sign
+      uses: trailofbits/gh-action-sigstore-python@v0.0.2
+      with:
+        inputs: ./dist/*.tar.gz ./dist/*.whl
+
+    - name: upload artifacts to github
+      # Confusingly, this action also supports updating releases, not
+      # just creating them. This is what we want here, since we've manually
+      # created the release that triggered the action.
+      uses: softprops/action-gh-release@v1
+      with:
+        # dist/ contains the built packages, which smoketest-artifacts/
+        # contains the signatures and certificates.
+        files: dist/*