add write permission for attestation #101
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build & Release | |
on: | |
release: | |
types: [ published ] | |
pull_request: | |
push: | |
env: | |
PY_COLORS: "1" | |
jobs: | |
build_wheels: | |
name: Build wheels on ${{ matrix.os }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ubuntu-latest, macos-13, macos-latest, windows-latest] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # fetch tags for setuptools-scm | |
# Used to host cibuildwhee | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Install cibuildwheel | |
run: python -m pip install cibuildwheel | |
- name: Build wheels | |
run: python -m cibuildwheel --output-dir wheelhouse | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }} | |
path: ./wheelhouse/*.whl | |
build_sdist: | |
name: Build source distribution | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # fetch tags for setuptools-scm | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Install build | |
run: python -m pip install build | |
- name: Build sdist | |
run: python -m build --sdist | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: cibw-sdist | |
path: dist/*.tar.gz | |
upload_pypi: | |
name: Create release | |
needs: [ build_wheels, build_sdist ] | |
runs-on: ubuntu-latest | |
environment: | |
name: pypi | |
url: https://pypi.org/p/autosar_e2e | |
permissions: | |
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | |
contents: write # for action-gh-release | |
attestations: write # for attest-build-provenance | |
# upload to PyPI on new tag | |
if: startsWith(github.ref, 'refs/tags') | |
steps: | |
- uses: actions/download-artifact@v4 | |
with: | |
pattern: cibw-* | |
path: dist | |
merge-multiple: true | |
- name: Generate artifact attestation | |
uses: actions/attest-build-provenance@v1 | |
with: | |
subject-path: 'dist/*' | |
- name: Publish package distributions to PyPI | |
uses: pypa/gh-action-pypi-publish@release/v1 |