# Copyright 2024 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
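name: Release

# Fires once a GitHub release is published. Note that this event also fires
# for pre-releases, so a pre-release would be published to PyPI and would
# retag the container `latest` below; gate the jobs on
# `!github.event.release.prerelease` if that is not intended.
on:
  release:
    types:
      - published

# Least privilege: GITHUB_TOKEN has no scopes unless a job requests them.
permissions: {}

jobs:
  build_wheel:
    name: Build the wheel
    # Jobs that `needs` this one are expected to be skipped along with it
    # when the guard is false.
    if: github.repository == 'sigstore/model-transparency' # Don't do this in forks
    runs-on: ubuntu-latest # Use matrix when we have OS specific pieces
    steps:
      # All third-party actions are pinned to a full commit SHA rather than
      # a mutable tag, so a moved tag cannot change what runs here.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Hatch
        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
      - name: Build artifacts
        run: hatch build
      # Hand dist/ to the publish job through a short-lived workflow artifact.
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          path: dist/
          name: dist.zip
          if-no-files-found: error
          retention-days: 1

  publish_release_to_pypi:
    name: Publish release to PyPI
    needs: [build_wheel]
    runs-on: ubuntu-latest
    # Environment-scoped deployment; protection rules on `pypi` apply here.
    environment:
      name: pypi
      url: https://pypi.org/project/model-signing/
    permissions:
      # OIDC token for PyPI trusted publishing; no API token is stored or
      # passed to the publish step.
      id-token: write
    steps:
      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: dist.zip
          path: dist/
      # No `password` input: the action authenticates with the OIDC identity
      # above (presumably registered as a trusted publisher on PyPI).
      - uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3

  build_and_push_container:
    name: Build and Push Docker Image
    needs: [publish_release_to_pypi]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      attestations: write
      # Needed for the GHCR login/push with GITHUB_TOKEN below and for
      # attest-build-provenance's `push-to-registry: true`. A job-level
      # block replaces the top-level `{}`, so the scope must be listed here.
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Build Image
        id: build_image
        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
        with:
          containerfiles: |
            ./Containerfile
          image: ghcr.io/sigstore/model-transparency-cli
          # Space-separated tag list: every published release also moves `latest`.
          tags: "latest ${{ github.event.release.tag_name }}"
          archs: amd64
          # Docker image format rather than OCI.
          oci: false
      # NOTE(review): no later step references `steps.docker_meta.outputs.*`,
      # and the `tags` value looks like two rules joined on one line (the
      # action expects one rule per line). Confirm this step is still needed.
      - id: docker_meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        with:
          images: ${{ steps.build_image.outputs.image }}
          tags: type=sha,format=long,type=ref,event=branch
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        id: registry_login
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Workflow-scoped token; no long-lived registry credential is used.
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push To GHCR
        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
        id: push
        with:
          image: ${{ steps.build_image.outputs.image }}
          tags: ${{ steps.build_image.outputs.tags }}
          registry: ghcr.io
      # Binds build provenance to the pushed image digest and stores the
      # attestation in the registry next to the image.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
        with:
          subject-name: ghcr.io/sigstore/model-transparency-cli
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

# TODO: Create and publish release notes
# TODO: Generate SLSA provenance for the wheels
# TODO: Sign artifacts with sigstore and publish to release page
# TODO: Build container cli for other platforms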