Skip to content

Use uv to lock CI dependencies #987

Use uv to lock CI dependencies

Use uv to lock CI dependencies #987

Workflow file for this run

name: Build
on:
push:
workflow_dispatch:
inputs:
publish:
description: "Publish to PyPI?"
required: true
default: false
type: boolean
tag:
description: "Tag to use for release"
required: true
permissions: read-all
jobs:
build:
name: Build wheel and sdist
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.inputs.tag || github.ref }}
persist-credentials: false
- uses: hynek/build-and-inspect-python-package@14c7e53f5d033cfa99f7af916fa59a6f7f356394 # v2.11.0
upload-to-release:
name: Upload to GitHub Release
if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
needs: [build]
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
steps:
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: Packages
path: dist
- uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
with:
file: dist/**
tag: ${{ github.event.inputs.tag || github.ref }}
overwrite: false
file_glob: true
publish:
name: Publish to PyPI
if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.publish == 'true'
runs-on: ubuntu-latest
needs: [build]
environment:
name: pypi
url: https://pypi.org/p/citric
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: Packages
path: dist
- uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
sign:
name: Sign the distribution package
if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
needs: [build]
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for attestations
attestations: write # IMPORTANT: mandatory for attestations
steps:
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: Packages
path: dist
- uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
id: attest
with:
subject-path: "./dist/citric*"
- uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
with:
file: ${{ steps.attest.outputs.bundle-path }}
tag: ${{ github.event.inputs.tag || github.ref }}
overwrite: false
asset_name: attestations.intoto.jsonl # codespell:ignore intoto