Skip to content
Python package

WIP: Add supplychainsecurity #357

Sign in to view logs

WIP: Add supplychainsecurity

WIP: Add supplychainsecurity #357

Workflow file for this run

.github/workflows/python-package.yml at 17d5e49
# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
name: Python package
on:
push:
branches: [ "**" ]
pull_request:
branches: [ "main" ]
jobs:
build:
runs-on: ubuntu-latest^
outputs:
hash: ${{ steps.hash.outputs.hash }}
strategy:
fail-fast: false
matrix:
python-version: ["3.9", "3.10", "3.11", "3.12"]
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
# Cache the installation of Poetry itself, e.g. the next step. This prevents the workflow
# from installing Poetry every time, which can be slow. Note the use of the Poetry version
# number in the cache key, and the "-0" suffix: this allows you to invalidate the cache
# manually if/when you want to upgrade Poetry, or if something goes wrong.
- name: Cache poetry
uses: actions/[email protected]
with:
path: ~/.local
key: poetry-1.8.2-0
- name: Install poetry
uses: snok/install-poetry@v1
with:
version: 1.8.2
virtualenvs-create: true
virtualenvs-in-project: true
- run: poetry --version
# Cache your dependencies (i.e. all the stuff in your `pyproject.toml`). Note the cache
# key: if you're using multiple Python versions, or multiple OSes, you'd need to include
# them in the cache key. I'm not, so it can be simple and just depend on the poetry.lock.
- name: Cache dependencies
id: cache-deps
uses: actions/[email protected]
with:
path: .venv
key: pydeps-${{ hashFiles('**/poetry.lock') }}
- name: Install dependencies
# The `if` statement ensures this only runs on a cache miss.
run: poetry install --no-interaction
if: steps.cache-deps.outputs.cache-hit != 'true'
- name: Lint with flake8
run: |
# stop the build if there are Python syntax errors or undefined names
poetry run flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
poetry run flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
- name: Test with pytest
run: poetry run pytest
- name: Store the distribution packages
uses: actions/upload-artifact@v4
with:
name: python-package-distributions
path: dist/
publish-to-testpypi:
name: Publish to TestPyPI
needs:
- build
if: (github.ref == 'refs/heads/main') && (github.event_name == 'schedule')
runs-on: ubuntu-latest
environment:
name: testpypi # TODO 20240706: has to be created/configured
url: https://test.pypi.org/p/spherinator
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- name: Download all the dists
uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Publish distribution to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
publish-to-pypi:
name: Publish to PyPI
if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
needs:
- build
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/spherinator
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- name: Download all the dists
uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Publish distribution to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
provenance:
name: Generate SLSA provenance data
needs: [build]
permissions:
actions: read
id-token: write
contents: write # https://github.com/slsa-framework/slsa-github-generator/issues/2044 :(
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: '${{ needs.build.outputs.hash }}'
upload-assets: true
github-release:
name: >-
Sign with Sigstore and upload them to GitHub Release
needs:
- build
runs-on: ubuntu-latest
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for sigstore
steps:
- name: Download all the dists
uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Sign the dists with Sigstore
uses: sigstore/[email protected]
with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
- name: Rename files # to match new file extension https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md#changed
run: |
sudo apt install mmv
mmv "./dist/*.sigstore" ./dist/#1.sigstore.json
# - name: Create GitHub Release
# release is created by the UI
- name: Upload artifact signatures to GitHub Release
if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes
env:
GITHUB_TOKEN: ${{ github.token }}
# Upload to GitHub Release using the `gh` CLI.
# `dist/` contains the built packages, and the
# sigstore-produced signatures and certificates.
run: >-
gh release upload
'${{ github.ref_name }}' dist/**
--repo '${{ github.repository }}'