From 3d3a005da6050f1423dcd0307b11ff5723871d5b Mon Sep 17 00:00:00 2001
From: Quentin POLLET
Date: Sun, 27 Oct 2024 21:17:50 +0100
Subject: [PATCH] Attest build provenance

---
 .github/workflows/release.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b881fb16..1bbb9c7b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,9 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4.1.1
@@ -45,7 +48,7 @@ jobs:
           bash -o pipefail -c "poetry version | awk '{ print \$2 }'"
 
       - name: Bump version for developmental release
-        if: "! steps.check-version.outputs.tag"
+        if: !steps.check-version.outputs.tag
         run: |
           poetry version patch &&
           version=$(poetry version | awk '{ print $2 }') &&
@@ -55,6 +58,12 @@ jobs:
         run: |
           poetry build --ansi
 
+      - name: Attest build provenance
+        if: steps.check-version.outputs.tag
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: dist/*
+
       - name: Publish package on PyPI
         if: steps.check-version.outputs.tag
         uses: pypa/gh-action-pypi-publish@v1.10.3
@@ -63,12 +72,12 @@ jobs:
           password: ${{ secrets.PYPI_TOKEN }}
 
       - name: Publish package on TestPyPI
-        if: "! steps.check-version.outputs.tag"
+        if: !steps.check-version.outputs.tag
         uses: pypa/gh-action-pypi-publish@v1.10.3
         with:
           user: __token__
           password: ${{ secrets.TEST_PYPI_TOKEN }}
-        repository_url: https://test.pypi.org/legacy/
+        repository-url: https://test.pypi.org/legacy/
 
       - name: Publish release notes
         uses: release-drafter/release-drafter@v5.25.0
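Review bot: The new job-level `permissions:` block lists only `id-token: write` and `attestations: write`, and a job-level block sets every scope it does not name to `none`, so unless a workflow-level `permissions` outside this hunk already grants them, the checkout step that follows and the "Publish release notes" step at the end of the job (release-drafter, which presumably needs to write releases) lose their `contents` access. Add the scopes the job's own steps use next to the new ones, at minimum `contents: write`, and keep the list to exactly what those steps need so the token stays least-privilege. The `steps:` list of this job continues past the hunk.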
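Review bot: `if: !steps.check-version.outputs.tag` is no longer a valid condition: without the quotes the leading `!` is consumed by the YAML parser as a tag indicator, so the runner receives a tagged empty value instead of the negated expression and the workflow fails to load, which would stop the developmental-release path entirely. GitHub's own guidance is that an `if` expression starting with `!` must be wrapped or quoted; write `if: ${{ !steps.check-version.outputs.tag }}` (or keep the original quoted form). The TestPyPI step in the last hunk makes the identical change and needs the same fix. This step's `run:` block continues past the hunk.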
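Review bot: `uses: actions/attest-build-provenance@v1` floats on a mutable major tag while every other action in this workflow is pinned to an exact release (`actions/checkout@v4.1.1`, `pypa/gh-action-pypi-publish@v1.10.3`, `release-drafter/release-drafter@v5.25.0`); the step that signs what is about to be published is the one place a moving reference is least acceptable. Pin it to a specific release, or better a full commit SHA with the version noted alongside, e.g. `uses: actions/attest-build-provenance@<full-commit-sha>  # <pinned version>`. Since `id-token: write` is now granted to the job, the PyPI publish step below could also move to trusted publishing (OIDC) and retire the long-lived `secrets.PYPI_TOKEN` visible in the next hunk, which is worth a follow-up.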