From 55b7683ee97d968402c3767b546d38bd8de914d3 Mon Sep 17 00:00:00 2001
From: jpl-jengelke
Date: Thu, 17 Oct 2024 11:30:44 -0700
Subject: [PATCH] NASA-AMMOS/slim#167: Implement trusted publishing. ...
---
 .github/workflows/python-publish.yml | 62 +++++++++++++++++-----------
 1 file changed, 37 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index be37d8e..abce443 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -1,30 +1,19 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# For more information see:
-# https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/application-starter-kits/python-starter-kit/
-#
-# ******** NOTE ********
-# This file publishes to TestPyPi. To enable public PyPi the repository flag
-# must be removed from the Twine upload call in the "Publish package" block.
-#
-name: "Upload Python Package"
+# This workflows will upload a Python Package when a release is created
+# For more information see:
+# https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+
+name: Upload Python Package
 
 on:
   release:
-    branches: [main]
-    types: [published]
+    types: [ published ]
 
 jobs:
-  deploy:
-    name: Deploy
+
+  build:
     runs-on: ubuntu-latest
-    permissions:
-      actions: write
-      contents: read
-      security-events: write
     steps:
-      - name: Checkout repository
+      - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
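Review bot: The new `build` job drops the old job-level `permissions:` block without replacing it, so it runs with whatever default GITHUB_TOKEN permissions the repository or organisation grants (write-all on many older repositories), which is more than a job that only checks out and builds needs. Since the publishing job in the second hunk declares its own `id-token: write`, the build job can be held to read-only by adding `permissions:` / `  contents: read` under `build:` (or a workflow-level `permissions: contents: read` above `jobs:`, which the release job's own block then overrides). The typo `This workflows` in the new header comment should read `This workflow`. The build job's steps continue past the end of this hunk.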
@@ -40,10 +29,33 @@ jobs:
         run: |
           python3 -m build --wheel
           python3 setup.py sdist --format=zip
-      - name: Publish package
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+      - name: Verify package
         run: |
           twine check dist/*
-          twine upload --repository testpypi --verbose dist/*.whl dist/*.zip
+      - name: Store package
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distribution
+          path: |
+            dist/*.whl
+            dist/*.zip
+          if-no-files-found: error
+
+  release:
+    runs-on: ubuntu-latest
+    needs: build
+    environment:
+      name: release
+    permissions:
+      id-token: write # mandatory for trusted publishing
+    steps:
+      - name: Retrieve package
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distribution
+          path: dist/
+      - name: Publish package (PyPi)
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          print-hash: true
+          repository-url: https://upload.pypi.org/legacy/ # for testing sub https://test.pypi.org/legacy/
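Review bot: `pypa/gh-action-pypi-publish@release/v1` (and the two artifact actions) are referenced by mutable branch/tag names inside the one job that holds `id-token: write`, so any later change to the action runs with publishing rights without review here; pin each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha> # release/v1`, and let Dependabot or Renovate bump the SHA. The `environment: release` value must match the environment name registered in the PyPI trusted-publisher configuration exactly, and because the OIDC grant is scoped by it, that environment should carry protection rules (required reviewers, branch restriction) — neither is visible here, so worth confirming. Also note that `repository-url` now targets production PyPI whereas the removed twine step uploaded to `testpypi`; if that switch is intended the inline comment suffices, otherwise the value should be `https://test.pypi.org/legacy/`.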