.github/workflows/publish.yaml from mcaulifn/solcast

.github/workflows/publish.yaml
Summary

Maintainability

Test Coverage

Issues
name: Publish

on:
  release:
    types: [created]
  workflow_dispatch:

permissions:
  contents: read
  id-token: write

jobs:
  build:
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
        with:
          python-version: 3.x
      - name: Build
        run: |
          python -m pip install --upgrade pip
          pip install build
          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) python -m build
      - name: Generate SBOM
        id: sbom
        uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
      - name: "Generate hashes"
        id: hash
        run: |
          cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
      - name: "Upload dists"
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: "dist"
          path: "dist/"
          if-no-files-found: error
          retention-days: 5

  provenance:
    needs: [build]
    permissions:
      actions: read
      contents: write
      id-token: write # Needed to access the workflow's OIDC identity.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true

  publish-to-test-pypi:
    name: "Publish to Test PyPI"
    needs: ["build", "provenance"]
    permissions:
      id-token: write # Needed for trusted publishing to PyPI.
    runs-on: "ubuntu-latest"
    environment:
      name: "testpypi"
    steps:
      - name: "Download dists"
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: "dist"
          path: "dist/"
      - name: Publish distribution 📦 to Test PyPI
        uses: pypa/gh-action-pypi-publish@8a08d616893759ef8e1aa1f2785787c0b97e20d6 # v1.10.0
        with:
          repository-url: https://test.pypi.org/legacy/
  publish-to-pypi-and-github:
    name: "Publish to PyPI"
    if: startsWith(github.ref, 'refs/tags/')
    needs: ["build", "provenance", "publish-to-test-pypi"]
    permissions:
      contents: write # Needed for making GitHub releases
      id-token: write # Needed for trusted publishing to PyPI.
    runs-on: "ubuntu-latest"
    environment:
      name: "publish"

    steps:
      - name: "Download dists"
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: "dist"
          path: "dist/"

      - name: "Upload dists to GitHub Release"
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          gh release upload ${{ github.ref_name }} dist/* --repo ${{ github.repository }}
      - name: Publish distribution 📦 to PyPI
        uses: pypa/gh-action-pypi-publish@8a08d616893759ef8e1aa1f2785787c0b97e20d6 # v1.10.0