.github/workflows/dist-workflow.yml
# Part of the OZI Project, under the Apache License v2.0 with LLVM Exceptions.
# See LICENSE.txt for license information.
# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
name: OZI
on:
push:
branches:
- "v?[0-9].[0-9]*"
- "v?[1-9]+[0-9].[0-9]*"
- "release/*"
permissions:
contents: read
jobs:
checkpoint-cp310-ubuntu-latest:
name: checkpoint (Python 3.10 on ubuntu-latest)
runs-on: ubuntu-latest
strategy:
fail-fast: false
permissions:
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
api.github.com:443
oziproject.dev:443
pypi.org:443
registry.npmjs.org:443
objects.githubusercontent.com:443
fulcio.sigstore.dev:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
oauth2.sigstore.dev:443
- uses: OZI-Project/checkpoint@fff79a1993b9a0822e7b594dcbdb164a7cff4292 # 1.0.2
with:
python-version: "3.10"
parallel: false
checkpoint-cp311-ubuntu-latest:
name: checkpoint (Python 3.11 on ubuntu-latest)
runs-on: ubuntu-latest
strategy:
fail-fast: false
permissions:
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
api.github.com:443
oziproject.dev:443
pypi.org:443
registry.npmjs.org:443
objects.githubusercontent.com:443
fulcio.sigstore.dev:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
oauth2.sigstore.dev:443
- uses: OZI-Project/checkpoint@fff79a1993b9a0822e7b594dcbdb164a7cff4292 # 1.0.2
with:
python-version: "3.11"
parallel: false
checkpoint-cp312-ubuntu-latest:
name: checkpoint (Python 3.12 on ubuntu-latest)
runs-on: ubuntu-latest
strategy:
fail-fast: false
permissions:
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
api.github.com:443
oziproject.dev:443
pypi.org:443
registry.npmjs.org:443
objects.githubusercontent.com:443
fulcio.sigstore.dev:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
oauth2.sigstore.dev:443
- uses: OZI-Project/checkpoint@fff79a1993b9a0822e7b594dcbdb164a7cff4292 # 1.0.2
with:
python-version: "3.12"
parallel: false
checkpoint-cp313-ubuntu-latest:
name: checkpoint (Python 3.13 on ubuntu-latest)
runs-on: ubuntu-latest
strategy:
fail-fast: false
permissions:
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
api.github.com:443
oziproject.dev:443
pypi.org:443
registry.npmjs.org:443
objects.githubusercontent.com:443
fulcio.sigstore.dev:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
- uses: OZI-Project/checkpoint@fff79a1993b9a0822e7b594dcbdb164a7cff4292
with:
python-version: "3.13"
checkpoint:
runs-on: ubuntu-latest
needs: [checkpoint-cp310-ubuntu-latest, checkpoint-cp311-ubuntu-latest, checkpoint-cp312-ubuntu-latest]
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
draft:
needs: checkpoint
runs-on: ubuntu-latest
concurrency: draft
strategy:
fail-fast: true
permissions:
contents: write
id-token: write
outputs:
drafted: ${{ steps.draft.outputs.drafted }}
tag: ${{ steps.draft.outputs.tag }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
pypi.org:443
api.deps.dev:443
files.pythonhosted.org:443
downloads.python.org:443
- uses: OZI-Project/draft@abc015e6e3bc08e765025befc25f2bd355ddb79d
id: draft
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
release:
needs: [draft, checkpoint]
runs-on: ubuntu-latest
concurrency: release
strategy:
matrix:
py:
- 'security2'
- 'security1'
- 'bugfix'
- 'prerelease'
fail-fast: true
max-parallel: 1
outputs:
hashes: ${{ steps.release.outputs.hashes }}
permissions:
contents: write
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
fulcio.sigstore.dev:443
oziproject.dev:443
www.oziproject.dev:443
github.com:443
pypi.org:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
objects.githubusercontent.com:443
quay.io:443
cdn03.quay.io:443
downloads.python.org:443
oauth2.sigstore.dev:443
- uses: OZI-Project/release@74350f112641257ed33f06f83c3e6fc7ae92059b # 1.0.4
id: release
with:
tag: ${{ needs.draft.outputs.tag }}
python-dist: ${{ matrix.py }}
github-token: ${{ secrets.GITHUB_TOKEN }}
generate-provenance:
needs: [draft, release, checkpoint]
name: Generate build provenance
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
# Currently this action needs to be referred by tag. More details at:
# https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
provenance-name: provenance-${{ github.event.repository.name }}-${{ needs.draft.outputs.tag }}.intoto.jsonl
base64-subjects: "${{ needs.release.outputs.hashes }}"
upload-tag-name: "${{ needs.draft.outputs.tag }}"
upload-assets: true
publish:
runs-on: ubuntu-latest
needs: [draft, release, generate-provenance]
permissions:
actions: read
contents: write
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
upload.pypi.org:443
uploads.github.com:443
- uses: OZI-Project/publish@50e1883d3f02c37133eb0b38d726dff6b63554a0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}