Skip to content

Remove excessive permissions in GA #332

Remove excessive permissions in GA

Remove excessive permissions in GA #332

Workflow file for this run

# This file is part of tad-dftd3.
# SPDX-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Build
on:
push:
branches:
- main
tags:
- "v*"
pull_request:
branches:
- main
workflow_dispatch:
jobs:
wheel:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
persist-credentials: false
- name: Build wheel (bdist)
run: pipx run build --wheel
- name: Upload wheel as artifact
uses: actions/upload-artifact@v3
with:
path: dist/*.whl
sdist:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
persist-credentials: false
- name: Build source distribution (sdist)
run: pipx run build --sdist
- name: Upload source distribution as artifact
uses: actions/upload-artifact@v3
with:
path: dist/*.tar.gz
upload_test_pypi:
needs: [sdist, wheel]
runs-on: ubuntu-latest
environment: release
permissions:
contents: read
id-token: write
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
steps:
- name: Download build artifacts
uses: actions/download-artifact@v3
with:
name: artifact
path: dist
- name: Publish to Test PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
upload_pypi:
needs: [sdist, wheel, upload_test_pypi]
runs-on: ubuntu-latest
environment: release
permissions:
contents: read
id-token: write
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
steps:
- name: Download build artifacts
uses: actions/download-artifact@v3
with:
name: artifact
path: dist
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1