chore: Update SECURITY.md #818
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| push: | |
| workflow_dispatch: | |
| inputs: | |
| publish: | |
| description: "Publish to PyPI?" | |
| required: true | |
| default: false | |
| type: boolean | |
| tag: | |
| description: "Tag to use for release" | |
| required: true | |
| permissions: read-all | |
| jobs: | |
| build: | |
| name: Build wheel and sdist | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.inputs.tag || github.ref }} | |
| - uses: hynek/build-and-inspect-python-package@73aea398b9c8de9ea9e4464c6b13cb8b1f3d6294 # v2.9.0 | |
| upload-to-release: | |
| name: Upload to GitHub Release | |
| if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| permissions: | |
| contents: write # IMPORTANT: mandatory for making GitHub Releases | |
| steps: | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: Packages | |
| path: dist | |
| - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 | |
| with: | |
| file: dist/** | |
| tag: ${{ github.event.inputs.tag || github.ref }} | |
| overwrite: false | |
| file_glob: true | |
| publish: | |
| name: Publish to PyPI | |
| if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.publish == 'true' | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| environment: | |
| name: pypi | |
| url: https://pypi.org/p/citric | |
| permissions: | |
| id-token: write # IMPORTANT: mandatory for trusted publishing | |
| steps: | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: Packages | |
| path: dist | |
| - uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3 | |
| # Move this up when PyPI supports signing | |
| sign: | |
| name: Sign the distribution package | |
| if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| permissions: | |
| contents: write # IMPORTANT: mandatory for making GitHub Releases | |
| id-token: write # IMPORTANT: mandatory for attestations | |
| attestations: write # IMPORTANT: mandatory for attestations | |
| steps: | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: Packages | |
| path: dist | |
| - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 | |
| id: attest | |
| with: | |
| subject-path: "./dist/citric*" | |
| - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 | |
| with: | |
| file: ${{ steps.attest.outputs.bundle-path }} | |
| tag: ${{ github.event.inputs.tag || github.ref }} | |
| overwrite: false | |
| asset_name: attestations.intoto.jsonl |