Commit

Backport PR scikit-hep#2473: ci: Add GitHub artifact attestations to …
…package distribution
matthewfeickert authored and meeseeksmachine committed May 30, 2024
1 parent 1de3759 commit 305e55a
Showing 1 changed file with 35 additions and 0 deletions.
35 changes: 35 additions & 0 deletions .github/workflows/publish-package.yml
Expand Up @@ -29,6 +29,11 @@ jobs:
build:
name: Build Python distribution
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
contents: read

steps:
- uses: actions/checkout@v4
with:
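Review bot: `id-token: write` and `attestations: write` are granted on the whole `build` job, so every step in it (checkout, the packaging steps, anything they install) runs with the ability to request an OIDC token and write attestations, while the only step that needs them is the attestation step added further down, and that step is gated to publish events. Consider moving the attestation into its own job guarded by the same publish condition, with these two permissions set there, and leaving `build` at `contents: read`. If it stays in this job, a short comment next to the `permissions:` block saying which step needs each scope would help later reviewers.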
Expand Down Expand Up @@ -96,6 +101,16 @@ jobs:
- name: List contents of wheel
run: python -m zipfile --list dist/pyhf-*.whl

- name: Generate artifact attestation for sdist and wheel
# If publishing to TestPyPI or PyPI
if: >-
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf')
uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
with:
subject-path: "dist/pyhf-*"

- name: Upload distribution artifact
uses: actions/upload-artifact@v4
with:
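Review bot: the `if:` expression on the "Generate artifact attestation" step is a hand-copied version of the publish condition, and the same three-clause expression is repeated on both verify steps later in the file. If one copy drifts from the condition on the publish steps, a distribution can be published without an attestation, or the verify steps can run with nothing to verify. Suggest evaluating the condition once (for example as a job output or an `env` value) and referencing that from each step. Pinning `actions/attest-build-provenance` to a full commit SHA with the version in a trailing comment is good; the neighbouring `actions/upload-artifact@v4` is still on a mutable tag, which is worth aligning in a follow-up.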
Expand Down Expand Up @@ -125,6 +140,26 @@ jobs:
- name: List all files
run: ls -lh dist

- name: Verify sdist artifact attestation
# If publishing to TestPyPI or PyPI
if: >-
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf')
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh attestation verify dist/pyhf-*.tar.gz --repo ${{ github.repository }}

- name: Verify wheel artifact attestation
# If publishing to TestPyPI or PyPI
if: >-
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf')
|| (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf')
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh attestation verify dist/pyhf-*.whl --repo ${{ github.repository }}

- name: Publish distribution 📦 to Test PyPI
# Publish to TestPyPI on tag events of if manually triggered
# Compare to 'true' string as booleans get turned into strings in the console
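Review bot: both `gh attestation verify` calls constrain only `--repo ${{ github.repository }}`, so an attestation produced by any workflow in the repository satisfies the check. Since the intent is to confirm that the files about to be published were built by this workflow, consider also pinning the signer with `--signer-workflow` set to this repository's `.github/workflows/publish-package.yml`. Separately, `dist/pyhf-*.tar.gz` and `dist/pyhf-*.whl` are shell globs: if `dist` ever holds more than one match, the command receives extra arguments and not every file is verified. Looping over the matches, or asserting exactly one match before calling `gh`, would make that explicit.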