Merge pull request #246 from sandialabs/pre-commit-ci-update-config #202
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Semantic Release | |
| on: | |
| push: | |
| branches: | |
| - master | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: release | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| environment: release | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GH_TOKEN }} | |
| - name: Python Semantic Release | |
| id: release | |
| uses: python-semantic-release/python-semantic-release@02f2a5c74dbb6aa2989f10fc4af12cd8e6bf025f # v10.5.2 | |
| with: | |
| git_committer_email: "[email protected]" | |
| git_committer_name: "semantic-release" | |
| github_token: ${{ secrets.GH_TOKEN }} | |
| ssh_private_signing_key: ${{ secrets.SEMANTIC_RELEASE_PRIVATE_KEY }} | |
| ssh_public_signing_key: ${{ secrets.SEMANTIC_RELEASE_PUBLIC_KEY }} | |
| - name: Hash Build Artifacts | |
| if: steps.release.outputs.released == 'true' | |
| id: hash | |
| run: | | |
| cd dist | |
| echo "hashes=$(find . -type f -exec sha256sum {} + | sort | base64 | tr -d '\n')" >> "$GITHUB_OUTPUT" | |
| - name: Upload Build Artifacts | |
| if: steps.release.outputs.released == 'true' | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| with: | |
| name: dist | |
| path: dist/ | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| released: ${{ steps.release.outputs.released }} | |
| provenance: | |
| needs: release | |
| if: ${{ needs.release.outputs.released == 'true' }} | |
| permissions: | |
| actions: read | |
| id-token: write | |
| contents: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| base64-subjects: "${{ needs.release.outputs.hashes }}" | |
| publish: | |
| runs-on: ubuntu-latest | |
| needs: [release, provenance] | |
| if: ${{ needs.release.outputs.released == 'true' && needs.provenance.outputs.outcome == 'success' }} | |
| environment: release | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GH_TOKEN }} | |
| - name: Download Build Artifacts | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: dist | |
| path: dist | |
| - name: Download Provenance | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-name }} | |
| path: dist | |
| - name: Publish to GitHub Releases | |
| uses: python-semantic-release/publish-action@948bb8fccc5e8072f2c52464b45c76a8bb3878e6 # v10.5.2 | |
| with: | |
| github_token: ${{ secrets.GH_TOKEN }} | |
| - name: Remove Provenance for PyPI Upload | |
| run: rm -f dist/${{ needs.provenance.outputs.provenance-name }} | |
| - name: Publish to PyPI | |
| uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 |