From b5ec7c7174342fcf78830f007ef2c1f28cbc70af Mon Sep 17 00:00:00 2001
From: Henry Schreiner
Date: Tue, 25 Jun 2024 21:12:58 -0400
Subject: [PATCH] ci: release with trusted publisher and attestations (#5196)

* ci: release with trusted publisher and attestations

Signed-off-by: Henry Schreiner

* Update pip.yml

---------

Signed-off-by: Henry Schreiner
---
 .github/workflows/pip.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/pip.yml b/.github/workflows/pip.yml
index 9aad8df88..6d453eabe 100644
--- a/.github/workflows/pip.yml
+++ b/.github/workflows/pip.yml
@@ -58,7 +58,7 @@ jobs:
 
       - name: Prepare env
         run: |
-          python -m pip install -r tests/requirements.txt build twine
+          python -m pip install -r tests/requirements.txt build twine!=5.1.0
 
       - name: Python Packaging tests
         run: pytest tests/extra_python_package/
@@ -91,23 +91,27 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'published'
     needs: [packaging]
+    environment: pypi
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
 
     steps:
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.x"
-
       # Downloads all to directories matching the artifact names
       - uses: actions/download-artifact@v4
 
+      - name: Generate artifact attestation for sdist and wheel
+        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-path: "*/pybind11*"
+
       - name: Publish standard package
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          password: ${{ secrets.pypi_password }}
           packages-dir: standard/
 
       - name: Publish global package
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          password: ${{ secrets.pypi_password_global }}
           packages-dir: global/
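Review bot: The new `twine!=5.1.0` exclusion in the "Prepare env" run step has no comment saying why that release is skipped, so whoever next touches this line cannot tell whether the exclusion is still needed or safe to drop. Add a short comment above the `run: |` line, e.g. `# twine 5.1.0 excluded: <reason or issue link>`, with the actual reason filled in. The job this step belongs to starts before the hunk.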
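Review bot: The two `pypa/gh-action-pypi-publish@release/v1` steps still float on a mutable branch ref, while the newly added `actions/attest-build-provenance` step is pinned to a full commit SHA with a `# v1.1.2` comment; in a job that now holds `id-token: write` and publishes to PyPI, the publish step is the one most worth pinning the same way, e.g. `uses: pypa/gh-action-pypi-publish@<commit-sha> # vX.Y.Z` for both occurrences. Removing `password: ${{ secrets.pypi_password }}` and `${{ secrets.pypi_password_global }}` only switches the workflow to OIDC; the trusted-publisher entries for the `pypi` environment presumably have to exist on PyPI for both packages before the next release, and the old API tokens should be revoked and the two repository secrets deleted once this is merged (neither is visible from the diff). The job header is outside the hunk, so the `permissions` block is read here as job-scoped; if a workflow-level `permissions` exists elsewhere in the file, confirm it does not grant more than `contents: read` to the other jobs.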