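name: Publish
on:
  push:
    # Every pushed tag starts a release run. Restrict who may create tags
    # (tag protection rules / rulesets) so this is not reachable by anyone
    # with plain push access.
    tags:
      - '*'
jobs:
  build:
    runs-on: ubuntu-latest
    # This job runs third-party code (pip install, the build backend). Give it
    # a read-only token instead of inheriting the repository default.
    permissions:
      contents: read
    outputs:
      hash: ${{ steps.hash.outputs.hash }}
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
        with:
          # Nothing below pushes or fetches with credentials; do not leave the
          # token in .git/config where the build tooling could read it.
          persist-credentials: false
      - uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912
        with:
          python-version: '3.x'
          cache: 'pip'
          cache-dependency-path: 'requirements/*.txt'
      - run: pip install -r requirements/build.txt
      # Use the commit date instead of the current date during the build, so
      # the output does not depend on when the workflow ran.
      - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV"
      - run: python -m build
      # Generate hashes used for provenance: the base64 blob is the `sha256sum`
      # output for every file in dist/, i.e. the subject list the SLSA
      # generator attests.
      - name: generate hash
        id: hash
        run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
        with:
          path: ./dist
  provenance:
    needs: ['build']
    permissions:
      actions: read
      id-token: write
      contents: write
    # Can't pin with hash due to how this workflow works: the SLSA generator
    # has to be referenced by a tag.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
    with:
      base64-subjects: ${{ needs.build.outputs.hash }}
  create-release:
    # Upload the sdist, wheels, and provenance to a GitHub release. They remain
    # available as build artifacts for a while as well.
    needs: ['provenance']
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
      - name: create release
        # Pass the tag and repository through the environment instead of
        # expanding them into the script: a git ref name may contain shell
        # metacharacters such as `$(`, `;` or `|`.
        run: >
          gh release create --draft --repo "$GH_REPO"
          "$TAG"
          *.intoto.jsonl/* artifact/*
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          TAG: ${{ github.ref_name }}
  publish-pypi:
    # `build` is listed so its hash output is reachable for the check below.
    needs: ['build', 'provenance']
    # Wait for approval before attempting to upload to PyPI. This allows reviewing the
    # files in the draft release. The gate only exists if the 'publish'
    # environment has required reviewers configured in the repository settings.
    environment: 'publish'
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
      # Confirm that the files about to be uploaded are exactly the ones the
      # provenance was generated for; fail closed on any mismatch or extra
      # line in the hash list.
      - name: verify artifact hashes
        run: cd artifact && echo "$EXPECTED_HASHES" | base64 -d | sha256sum -c --strict
        env:
          EXPECTED_HASHES: ${{ needs.build.outputs.hash }}
      - uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf
        with:
          packages-dir: artifact/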