Bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.2 #207
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Publish archives to PyPI and TestPyPI using GitHub Actions. | |
# | |
# NOTE: Pin actions to a specific commit to avoid having the authentication | |
# token stolen if the Action is compromised. See the comments and links here: | |
# https://github.com/pypa/gh-action-pypi-publish/issues/27 | |
# | |
name: pypi | |
# Only run for pushes to the main branch and releases. | |
on: | |
pull_request: | |
push: | |
branches: | |
- main | |
release: | |
types: | |
- published | |
# Use bash by default in all jobs | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
# Checks-out your repository under $GITHUB_WORKSPACE | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Need to fetch more than the last commit so that setuptools_scm can | |
# create the correct version string. If the number of commits since | |
# the last release is greater than this, the version will still be | |
# wrong. Increase if necessary. | |
fetch-depth: 100 | |
# The GitHub token is preserved by default but this job doesn't need | |
# to be able to push to GitHub. | |
persist-credentials: false | |
# Need the tags so that setuptools-scm can form a valid version number | |
- name: Fetch git tags | |
run: git fetch origin 'refs/tags/*:refs/tags/*' | |
- name: Setup Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.11" | |
- name: Install requirements | |
run: python -m pip install -r env/requirements-build.txt | |
- name: List installed packages | |
run: python -m pip freeze | |
- name: Build source and wheel distributions | |
run: | | |
make build | |
echo "" | |
echo "Generated files:" | |
ls -lh dist/ | |
- name: Check the archives | |
run: twine check dist/* | |
# Store the archives as a build artifact so we can deploy them later | |
- name: Upload archives as artifacts | |
# Only if not a pull request | |
if: success() && github.event_name != 'pull_request' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: pypi-${{ github.sha }} | |
path: dist | |
publish: | |
runs-on: ubuntu-latest | |
needs: build | |
# Only publish from the origin repository, not forks | |
if: github.repository_owner == 'fatiando' && github.event_name != 'pull_request' | |
environment: pypi | |
permissions: | |
# This permission allows trusted publishing to PyPI (without an API token) | |
id-token: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# The GitHub token is preserved by default but this job doesn't need | |
# to be able to push to GitHub. | |
persist-credentials: false | |
# Fetch the built archives from the "build" job | |
- name: Download built archives artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: pypi-${{ github.sha }} | |
path: dist | |
- name: Publish to Test PyPI | |
# Only publish to TestPyPI when a PR is merged (pushed to main) | |
if: success() && github.event_name == 'push' | |
uses: pypa/[email protected] | |
with: | |
repository_url: https://test.pypi.org/legacy/ | |
# Allow existing releases on test PyPI without errors. | |
# NOT TO BE USED in PyPI! | |
skip_existing: true | |
- name: Publish to PyPI | |
# Only publish to PyPI when a release triggers the build | |
if: success() && github.event_name == 'release' | |
uses: pypa/[email protected] |