ci: release with trusted publisher and attestations (#5196)

* ci: release with trusted publisher and attestations

Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>

* Update pip.yml

---------

Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>
This commit is contained in:
Henry Schreiner 2024-06-25 21:12:58 -04:00 committed by GitHub
parent 26281c7986
commit b5ec7c7174
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -58,7 +58,7 @@ jobs:
- name: Prepare env
run: |
python -m pip install -r tests/requirements.txt build twine
python -m pip install -r tests/requirements.txt build twine!=5.1.0
- name: Python Packaging tests
run: pytest tests/extra_python_package/
@ -91,23 +91,27 @@ jobs:
runs-on: ubuntu-latest
if: github.event_name == 'release' && github.event.action == 'published'
needs: [packaging]
environment: pypi
permissions:
id-token: write
attestations: write
contents: read
steps:
- uses: actions/setup-python@v5
with:
python-version: "3.x"
# Downloads all to directories matching the artifact names
- uses: actions/download-artifact@v4
- name: Generate artifact attestation for sdist and wheel
uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
with:
subject-path: "*/pybind11*"
- name: Publish standard package
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.pypi_password }}
packages-dir: standard/
- name: Publish global package
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.pypi_password_global }}
packages-dir: global/