
Bump setuptools from 75.4.0 to 75.6.0 #2665

Bump setuptools from 75.4.0 to 75.6.0


---
name: Python package

# Triggers: every branch push, v* tag pushes, and pull requests that
# target main.
on:
  push:
    branches: ['**']
    tags: ['v*']
  pull_request:
    branches: ['main']

# Workflow-wide default token scope; jobs that need more declare their
# own `permissions:` block.
permissions:
  contents: read
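jobs:
  # Stores the triggering event payload as an artifact. Listed in the
  # `needs:` of provenance-and-draft-release, so it must finish before
  # provenance generation starts.
  upload-event-file:
    name: Upload event file
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
      - name: Upload
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: event-file
          path: ${{ github.event_path }}

  # Lint, test and build on every supported interpreter. The SBOM,
  # attestation, hash and dist-upload steps are gated to the 3.11 matrix
  # entry so they run exactly once per workflow run.
  build:
    name: Build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # id-token/attestations are required by the actions/attest-* steps below.
      id-token: write
      attestations: write
    strategy:
      fail-fast: false
      matrix:
        python-version:
          - "3.9"
          - "3.10"
          - "3.11"
          - "3.12"
          - "3.13"
    outputs:
      # base64-encoded `sha256sum` listing of dist/, produced by the `hash`
      # step and consumed as `base64-subjects` by the SLSA generator job.
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          # Egress allow-list: package index, Codecov, Sigstore (Fulcio/Rekor)
          # and GitHub endpoints used by the steps in this job.
          allowed-endpoints: >
            api.codecov.io:443
            api.github.com:443
            cli.codecov.io:443
            codecov.io:443
            files.pythonhosted.org:443
            fulcio.sigstore.dev:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443
            raw.githubusercontent.com:443
            registry.npmjs.org:443
            rekor.sigstore.dev:443
            storage.googleapis.com:443
            uploader.codecov.io:443
            uploads.github.com:443
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: pip
      - name: Make venv
        run: make venv
      - name: Lint
        run: make lint
      - name: Test
        run: make test
      - name: Upload test results
        # Upload the JUnit file even when `make test` failed.
        if: always()
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: test-results-${{ matrix.python-version }}
          path: test-results.xml
      - name: Upload coverage report to Codecov
        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
        with:
          files: ./coverage.xml
          flags: python-${{ matrix.python-version }}
          use_oidc: true
      - name: Build
        run: make build
      - name: Generate SBOM
        if: ${{ matrix.python-version == '3.11' }}
        uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
        with:
          format: spdx-json
          artifact-name: sbom-python.spdx.json
          output-file: sbom-python.spdx.json
      # The two attestation steps are skipped on pull_request events and on
      # runs triggered by dependabot (see their `if:` conditions).
      - name: Generate SBOM attestation
        if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' && matrix.python-version == '3.11' }}
        uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
        with:
          subject-path: dist/*.whl
          sbom-path: sbom-python.spdx.json
      - name: Generate artifact attestation
        if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' && matrix.python-version == '3.11' }}
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        with:
          subject-path: dist/*.whl
      - name: Generate hashes
        id: hash
        # Tag pushes only: these hashes become the SLSA provenance subjects.
        if: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/') && matrix.python-version == '3.11' }}
        run: cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
      - name: Store the distribution packages
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/') && matrix.python-version == '3.11' }}
        with:
          name: python-package-distributions
          path: dist/

  # Reusable SLSA workflow: signs provenance for the hashes produced by
  # `build` and attaches it to a draft GitHub release.
  provenance-and-draft-release:
    name: Generate provenance and create draft release
    if: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/') }}
    needs:
      - build
      - upload-event-file
    permissions:
      actions: read
      id-token: write
      contents: write
    # Can't pin with hash due to how this workflow works.
    # NOTE(review): the reference below was mangled by the page renderer
    # ("[email protected]"); the real line should reference
    # generator_generic_slsa3.yml@<version-tag> — restore it from the repository.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: true
      draft-release: true

  # Trusted publishing (OIDC) to TestPyPI; no API token is stored.
  publish-to-test-pypi:
    name: Publish to TestPyPI
    if: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/') }}
    needs:
      - provenance-and-draft-release
    runs-on: ubuntu-latest
    environment:
      name: test-pypi
      url: https://test.pypi.org/p/cf-ips-to-hcloud-fw
    permissions:
      id-token: write
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            fulcio.sigstore.dev:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            rekor.sigstore.dev:443
            test.pypi.org:443
            tuf-repo-cdn.sigstore.dev:443
      - name: Download all the distribution packages
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: python-package-distributions
          path: dist
      - name: Publish distribution to TestPyPI
        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
        with:
          repository-url: https://test.pypi.org/legacy/

  # Trusted publishing (OIDC) to PyPI, only after the TestPyPI publish
  # succeeded.
  publish-to-pypi:
    name: Publish to PyPI
    if: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/') }}
    needs:
      - provenance-and-draft-release
      - publish-to-test-pypi
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/p/cf-ips-to-hcloud-fw
    permissions:
      id-token: write
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            fulcio.sigstore.dev:443
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            upload.pypi.org:443
      - name: Download all the distribution packages
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: python-package-distributions
          path: dist
      - name: Publish distribution to PyPI
        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2

  # Attaches the published distribution files to the GitHub release
  # created by the SLSA workflow.
  upload-dist-to-github-release:
    name: Upload distribution packages to GitHub Release
    if: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/') }}
    needs:
      - publish-to-pypi
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            uploads.github.com:443
      - name: Download all the distribution packages
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: python-package-distributions
          path: dist
      - name: Upload distribution packages to GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
          # Pass the ref and repository through the environment instead of
          # interpolating `${{ }}` expressions into the shell line: an
          # expression is substituted as raw text before the shell parses it,
          # so a tag name containing quotes or `$(...)` could otherwise change
          # the command. As environment variables they are plain data.
          REF_NAME: ${{ github.ref_name }}
          REPO: ${{ github.repository }}
        run: >-
          gh release upload
          "$REF_NAME" dist/**
          --repo "$REPO"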