workflows/release: sign after publishing

...to avoid trying to upload signing artifacts to PyPI. Signed-off-by: William Woodruff <[email protected]>
pypa · Oct 17, 2022 · a565db0 · a565db0
1 parent ca03f9f
commit a565db0
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -28,14 +28,14 @@ jobs:
     - name: build
       run: python -m build
 
-    - name: sign
-      uses: sigstore/[email protected]
-      with:
-        inputs: ./dist/*.tar.gz ./dist/*.whl
-        release-signing-artifacts: true
-
     - name: publish
       uses: pypa/[email protected]
       with:
         user: __token__
         password: ${{ secrets.PYPI_TOKEN }}
+
+    - name: sign
+      uses: sigstore/[email protected]
+      with:
+        inputs: ./dist/*.tar.gz ./dist/*.whl
+        release-signing-artifacts: true