
Commit 33e3857

committed
ci: fix the publishing workflow
- use trusted publishing (now required, from CI anyway)
- pin marketplace actions by sha1
- document the release process
1 parent 92d2ab6 commit 33e3857


1 file changed

+7
-7
lines changed


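--- a/.github/workflows/pythonpublish.yml
+++ b/.github/workflows/pythonpublish.yml
@@ -1,5 +1,9 @@
 # This workflows will upload a Python Package using Twine when a release is created
 # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+# To create a release:
+# - make sure readalongs/_version.py has the new version number
+# - create an annotated tag, e.g., run: git tag -a v1.2.3 -m"v1.2.3"
+# - push the tag, which will trigger this workflow to publish on PyPI and GitHub
 
 name: Upload Python Package
 on:
@@ -47,34 +51,30 @@ jobs:
         run: python -m build --sdist --wheel
 
       - name: Sign the dists with Sigstore
-        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        uses: sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d # v3.2.0
         with:
           inputs: >-
             ./dist/*.tar.gz
             ./dist/*.whl
 
       - name: Update CHANGELOG
         id: changelog
-        uses: requarks/changelog-action@v1
+        uses: requarks/changelog-action@b78a3354a01f4a1affb484b9264b506a815c46b1 # v1.10.3
         with:
           token: ${{ github.token }}
           tag: ${{ github.ref_name }}
 
       - name: Create a GitHub release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # @v1.21.0
         with:
           tag: ${{ github.ref_name }}
           name: ${{ github.ref_name }}
           body: ${{ steps.changelog.outputs.changes }}
           token: ${{ github.token }}
 
-      - name: Remove the sigstore files, not supported by pypa publish
-        run: rm -f ./dist/*.sigstore.json
-
       - name: Publish distribution 📦 to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
           verbose: true
           attestations: true
 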