Try PyPI OIDC

softboiler · Jun 27, 2024 · ea9d8db · ea9d8db
1 parent 6542467
commit ea9d8db
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 20 deletions.
diff --git a/.github/workflows/changerelease.yml b/.github/workflows/changerelease.yml
@@ -1,5 +1,4 @@
-# Sync GitHub release notes with the changelog
-name: "changerelease"
+name: "Sync GitHub release notes with the changelog"
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,4 @@
-# Run static analysis, tests, and sync
-name: "ci"
+name: "Run static analysis, tests, and sync"
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: True
@@ -163,7 +162,7 @@ jobs:
     runs-on: "${{ matrix.runner }}"
     steps:
       # ! https://askubuntu.com/questions/900285/libegl-so-1-is-not-a-symbolic-link
-      - if: "startsWith(matrix.runner, 'ubuntu')"
+      - if: startsWith(matrix.runner, 'ubuntu')
         name: "Install PySide6 system dependencies"
         run: "sudo apt update && sudo apt install libegl1-mesa-dev"
       - uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332" # v4.1.7

diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml
@@ -1,5 +1,4 @@
-# Simulate local contributor workflow sync process
-name: "contrib"
+name: "Local contributor workflow"
 on:
   workflow_dispatch:
   pull_request:

diff --git a/.github/workflows/high.yml b/.github/workflows/high.yml
@@ -1,5 +1,4 @@
-# Test the upper-bound dependencies of the project
-name: "high"
+name: "Test upper-bound project dependencies"
 on:
   workflow_dispatch:
   schedule:
@@ -119,7 +118,7 @@ jobs:
     runs-on: "${{ matrix.runner }}"
     steps:
       # ! https://askubuntu.com/questions/900285/libegl-so-1-is-not-a-symbolic-link
-      - if: "startsWith(matrix.runner, 'ubuntu')"
+      - if: startsWith(matrix.runner, 'ubuntu')
         name: "Install PySide6 system dependencies"
         run: "sudo apt update && sudo apt install libegl1-mesa-dev"
       - uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332" # v4.1.7

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,25 +1,22 @@
-# Publish a Python package to PyPI
-name: "release"
+name: "Release to PyPI"
 on:
   workflow_dispatch:
+  push:
+    branches: ["main"]
 defaults:
   run:
     shell: "pwsh"
 env:
   UV_CACHE_DIR: ".cache/uv-cache"
   UV_SYSTEM_PYTHON: "true"
 jobs:
-  release:
+  build:
     strategy:
       matrix:
         runner: ["ubuntu-22.04"]
         python: ["3.11"]
     runs-on: "${{ matrix.runner }}"
     steps:
-      - uses: "dropseed/changerelease@3b121c9e98fa055f59a32b023cb4fd2325f4d9dc" # v1.6.0
-        with:
-          github_token: "${{ secrets.GITHUB_TOKEN }}"
-          tag_prefix: ""
       - uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332" # v4.1.7
         with:
           submodules: True
@@ -31,7 +28,61 @@ jobs:
         with:
           python-version: "${{ matrix.python }}"
       - run: "scripts/Sync-Py.ps1"
-      - run: ". scripts/Initialize-Shell.ps1; flit publish"
+      - run: ". scripts/Initialize-Shell.ps1; flit build"
+      - uses: "actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808" # v4.3.3
+        with:
+          name: "python-package-distributions"
+          path: "dist/"
+  publish-to-pypi:
+    if: startsWith(github.ref, 'refs/tags/')
+    name: "Publish Python 🐍 distribution 📦 to PyPI"
+    needs: "build"
+    permissions:
+      id-token: "write"
+    strategy:
+      matrix:
+        runner: ["ubuntu-22.04"]
+        python: ["3.11"]
+    runs-on: "${{ matrix.runner }}"
+    environment:
+      name: "release"
+      url: "https://pypi.org/p/boilercv"
+    steps:
+      - uses: "actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e" # v4.1.7
+        with:
+          name: "python-package-distributions"
+          path: "dist/"
+      - uses: "pypa/gh-action-pypi-publish@release/v1"
+  github-release:
+    needs: "publish-to-pypi"
+    permissions:
+      contents: "write"
+      id-token: "write"
+    strategy:
+      matrix:
+        runner: ["ubuntu-22.04"]
+        python: ["3.11"]
+    runs-on: "${{ matrix.runner }}"
+    steps:
+      - uses: "actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e" # v4.1.7
+        with:
+          name: "python-package-distributions"
+          path: "dist/"
+      - uses: "sigstore/gh-action-sigstore-python@v2.1.1"
+        with:
+          inputs: >-
+            ./dist/*.tar.gz
+            ./dist/*.whl
+      - run: >-
+          gh release create
+          '${{ github.ref_name }}'
+          --repo '${{ github.repository }}'
+          --notes ""
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - run: >-
+          gh release upload
+          '${{ github.ref_name }}' dist/**
+          --repo '${{ github.repository }}'
         env:
-          FLIT_USERNAME: "__token__"
-          FLIT_PASSWORD: "${{ secrets.PYPI_TOKEN }}"
+          GITHUB_TOKEN: ${{ github.token }}