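# Release workflow: build the sdist/wheel, attest the artifacts with Sigstore,
# publish to PyPI through trusted publishing, then create the GitHub release.
name: Create release

on:
  push:
    tags:
      - "v*.*.*"
  # Manual runs are allowed. Only the "Create GitHub release" step below is
  # guarded by a tag check, so a manual dispatch from a branch still reaches
  # the PyPI upload unless the "release" environment's protection rules stop it.
  workflow_dispatch:

# Least privilege at the workflow level; each job widens only what it needs.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  FORCE_COLOR: "1"
  UV_SYSTEM_PYTHON: "1"  # make uv do global installs

jobs:
  publish-pypi:
    runs-on: ubuntu-latest
    name: PyPI Release
    # The "release" environment is the place to attach reviewers / protection
    # rules that gate the actual upload.
    environment: release
    # Forks must never publish; trusted publishing is bound to this owner anyway.
    if: github.repository_owner == 'sphinx-doc'
    permissions:
      attestations: write  # for actions/attest
      id-token: write  # for PyPI trusted publishing (OIDC)
    steps:
      # NOTE(review): third-party actions are referenced by major tag; pinning
      # each to a full commit SHA would protect this release path against a
      # moved or compromised tag in the upstream action repositories.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # do not leave GITHUB_TOKEN in .git/config

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3"

      - name: Install uv
        uses: astral-sh/setup-uv@v5
        with:
          # NOTE(review): an explicit uv version would make release builds reproducible
          version: latest
          enable-cache: false

      - name: Install build dependencies (pypa/build, twine)
        # NOTE(review): unpinned build tooling; a lock/constraints file would make
        # the toolchain used for a release reproducible.
        run: |
          uv pip install build "twine>=5.1"

      - name: Build distribution
        run: python -m build

      - name: Check distribution
        run: |
          twine check dist/*

      - name: Create Sigstore attestations for built distributions
        uses: actions/attest@v1
        id: attest
        with:
          subject-path: "dist/*"
          predicate-type: "https://docs.pypi.org/attestations/publish/v1"
          predicate: "null"
          show-summary: "true"

      - name: Convert attestations to PEP 740
        run: >
          uv run utils/convert_attestations.py
          "$BUNDLE_PATH"
          "$SIGNER_IDENTITY"
        env:
          BUNDLE_PATH: "${{ steps.attest.outputs.bundle-path }}"
          # workflow_ref example: sphinx-doc/sphinx/.github/workflows/create-release.yml@refs/heads/master
          # this forms the "signer identity" for the attestations
          SIGNER_IDENTITY: "https://github.com/${{ github.workflow_ref }}"

      - name: Inspect PEP 740 attestations
        # pypi_attestations is not installed explicitly here; presumably it
        # arrives as a dependency of twine>=5.1 — confirm if this step fails to import.
        run: |
          python -m pypi_attestations inspect dist/*.publish.attestation

      - name: Prepare attestation bundles for uploading
        run: |
          mkdir -p /tmp/attestation-bundles
          cp "$BUNDLE_PATH" /tmp/attestation-bundles/
          cp dist/*.publish.attestation /tmp/attestation-bundles/
        env:
          BUNDLE_PATH: "${{ steps.attest.outputs.bundle-path }}"

      - name: Upload attestation bundles
        uses: actions/upload-artifact@v4
        with:
          name: attestation-bundles
          path: /tmp/attestation-bundles/

      - name: Mint PyPI API token
        id: mint-token
        uses: actions/github-script@v7
        with:
          # language=JavaScript
          script: |
            // retrieve the ambient OIDC token (needs the id-token: write permission)
            const oidc_request_token = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
            const oidc_request_url = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
            if (!oidc_request_token || !oidc_request_url) {
              core.setFailed('OIDC request variables are unset; is id-token: write granted?');
              return;
            }
            const oidc_resp = await fetch(`${oidc_request_url}&audience=pypi`, {
              headers: {Authorization: `bearer ${oidc_request_token}`},
            });
            if (!oidc_resp.ok) {
              core.setFailed(`OIDC token request failed: HTTP ${oidc_resp.status}`);
              return;
            }
            const oidc_token = (await oidc_resp.json()).value;
            // exchange the OIDC token for a short-lived PyPI API token;
            // JSON.stringify avoids hand-building the request body
            const mint_resp = await fetch('https://pypi.org/_/oidc/github/mint-token', {
              method: 'post',
              body: JSON.stringify({token: oidc_token}),
              headers: {'Content-Type': 'application/json'},
            });
            const mint_body = await mint_resp.json();
            if (!mint_resp.ok || !mint_body.token) {
              // fail here with a clear reason instead of handing twine an empty password
              core.setFailed(`PyPI token mint failed: HTTP ${mint_resp.status} ${mint_body.message ?? ''}`);
              return;
            }
            const api_token = mint_body.token;
            // mask the newly minted API token, so that we don't accidentally leak it
            core.setSecret(api_token);
            core.setOutput('api-token', api_token);

      - name: Upload to PyPI
        env:
          TWINE_NON_INTERACTIVE: "true"
          TWINE_USERNAME: "__token__"
          TWINE_PASSWORD: "${{ steps.mint-token.outputs.api-token }}"
        run: |
          twine upload dist/* --attestations

  github-release:
    runs-on: ubuntu-latest
    name: GitHub release
    environment: release
    # Forks must not create releases under this workflow.
    if: github.repository_owner == 'sphinx-doc'
    permissions:
      contents: write  # for softprops/action-gh-release to create GitHub release
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Get release version
        id: get_version
        uses: actions/github-script@v7
        with:
          # strips the "refs/tags/v" prefix; on a non-tag ref the value is left as-is
          script: core.setOutput('version', context.ref.replace("refs/tags/v", ""))

      - name: Create GitHub release
        uses: softprops/action-gh-release@v2
        # only tag pushes produce a release; workflow_dispatch from a branch is a no-op here
        if: startsWith(github.ref, 'refs/tags/')
        with:
          name: "Sphinx ${{ steps.get_version.outputs.version }}"
          body: "Changelog: https://www.sphinx-doc.org/en/master/changes.html"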