Merge pull request #391 from sandialabs/dependabot/github_actions/git… #354
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Semantic Release | |
| on: | |
| push: | |
| branches: | |
| - master | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: release | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| environment: release | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GH_TOKEN }} | |
| - name: Python Semantic Release | |
| id: release | |
| uses: python-semantic-release/python-semantic-release@350c48fcb3ffcdfd2e0a235206bc2ecea6b69df0 # v10.5.3 | |
| with: | |
| git_committer_email: "reverse-argparse-semantic-release@sandia.gov" | |
| git_committer_name: "semantic-release" | |
| github_token: ${{ secrets.GH_TOKEN }} | |
| ssh_private_signing_key: ${{ secrets.SEMANTIC_RELEASE_PRIVATE_KEY }} | |
| ssh_public_signing_key: ${{ secrets.SEMANTIC_RELEASE_PUBLIC_KEY }} | |
| - name: Hash Build Artifacts | |
| if: steps.release.outputs.released == 'true' | |
| id: hash | |
| run: | | |
| cd dist | |
| echo "hashes=$(find . -type f -exec sha256sum {} + | sort | base64 | tr -d '\n')" >> "$GITHUB_OUTPUT" | |
| - name: Upload Build Artifacts | |
| if: steps.release.outputs.released == 'true' | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: dist | |
| path: dist/ | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| released: ${{ steps.release.outputs.released }} | |
| provenance: | |
| needs: release | |
| if: ${{ needs.release.outputs.released == 'true' }} | |
| permissions: | |
| actions: read | |
| id-token: write | |
| contents: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 | |
| with: | |
| base64-subjects: "${{ needs.release.outputs.hashes }}" | |
| publish: | |
| runs-on: ubuntu-latest | |
| needs: [release, provenance] | |
| if: ${{ needs.release.outputs.released == 'true' && needs.provenance.outputs.outcome == 'success' }} | |
| environment: release | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GH_TOKEN }} | |
| - name: Download Build Artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: dist | |
| path: dist | |
| - name: Download Provenance | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-name }} | |
| path: dist | |
| - name: Publish to GitHub Releases | |
| uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3 | |
| with: | |
| github_token: ${{ secrets.GH_TOKEN }} | |
| - name: Remove Provenance for PyPI Upload | |
| run: rm -f dist/${{ needs.provenance.outputs.provenance-name }} | |
| - name: Publish to PyPI | |
| uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 |