From ad3ed755487f479ffb9724c998b0aedee0768548 Mon Sep 17 00:00:00 2001
From: Rob Aleck
Date: Thu, 12 Sep 2024 18:56:00 +0000
Subject: [PATCH 1/4] add oidc claim debugging
---
 .github/workflows/deploy_to_pypi.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/deploy_to_pypi.yml b/.github/workflows/deploy_to_pypi.yml
index dd4cbd6..4ec4d90 100644
--- a/.github/workflows/deploy_to_pypi.yml
+++ b/.github/workflows/deploy_to_pypi.yml
@@ -26,6 +26,16 @@ jobs:
 environment:
 name: ${{ inputs.target-environment }}
 steps:
+ - name: Checkout actions-oidc-debugger
+ uses: actions/checkout@v3
+ with:
+ repository: github/actions-oidc-debugger
+ ref: main
+ token: ${{ secrets.your-checkout-token }}
+ path: ./.github/actions/actions-oidc-debugger
+ - name: Debug OIDC Claims
+ uses: ./.github/actions/actions-oidc-debugger
+
 - name: get workspacedir
 # see https://github.com/actions/runner/issues/2058#issuecomment-1308554566
 shell: bash
@@ -40,11 +50,6 @@ jobs:
 - name: show files
 run: |
 find ${{ env.GITHUB_WORKSPACE }}/dist -type f
- # - name: extract version from pyproject.toml
- # run: |
- # version=$(grep 'version =' pyproject.toml | awk '{print $3}' | sed 's/"//g')
- # echo "VERSION=$version" >> $GITHUB_ENV
- # echo "extracted version '{{ $env.VERSION }}' from pyproject.toml"
 - name: Publish package distributions to ${{ inputs.target-environment }}
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
From 65feb79c035a8ca361508e444a9a19c9376fe491 Mon Sep 17 00:00:00 2001
From: Rob Aleck
Date: Thu, 12 Sep 2024 19:02:39 +0000
Subject: [PATCH 2/4] add github token
---
 .github/workflows/deploy_to_pypi.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy_to_pypi.yml b/.github/workflows/deploy_to_pypi.yml
index 4ec4d90..9c90465 100644
--- a/.github/workflows/deploy_to_pypi.yml
+++ b/.github/workflows/deploy_to_pypi.yml
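Review bot: The debugger is checked out at `ref: main`, so whatever is on that upstream branch at run time executes inside the publishing job — the same job that, per the context lines, runs `pypa/gh-action-pypi-publish` and therefore presumably holds `id-token: write` (the `permissions` block is outside this hunk). Pin the checkout to a full commit SHA of a reviewed debugger commit instead of `main`, and ideally pin `actions/checkout` the same way, since a moving ref hands control of this job to anyone who can push to that branch. A debugging step should also not live permanently in a release workflow: mark it with a comment such as `# TEMPORARY: prints OIDC claims to diagnose the trusted-publisher mismatch; remove once resolved` or gate it on a workflow input. If the action echoes the raw JWT rather than only the decoded claims, that token lands in logs that anyone with read access to a public repository can see.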
@@ -31,7 +31,7 @@ jobs:
 with:
 repository: github/actions-oidc-debugger
 ref: main
- token: ${{ secrets.your-checkout-token }}
+ token: ${{ github.token }}
 path: ./.github/actions/actions-oidc-debugger
 - name: Debug OIDC Claims
 uses: ./.github/actions/actions-oidc-debugger
From f88fd12cf4f186062657d840d5ba1b1e338bb2be Mon Sep 17 00:00:00 2001
From: Rob Aleck
Date: Thu, 12 Sep 2024 19:05:36 +0000
Subject: [PATCH 3/4] fix not deploying to test
---
 .github/workflows/deploy_workflow_wrapper.yml | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/deploy_workflow_wrapper.yml b/.github/workflows/deploy_workflow_wrapper.yml
index 94a2769..1cfab11 100644
--- a/.github/workflows/deploy_workflow_wrapper.yml
+++ b/.github/workflows/deploy_workflow_wrapper.yml
@@ -1,6 +1,6 @@
 name: build artifact and publish to PyPi
+
 on:
- # whenever version is bumped, or allow manual runs
 workflow_dispatch:
 inputs:
 deploy_to_test:
@@ -8,6 +8,7 @@ on:
 description: 'Deploy to PyPi test'
 required: false
 default: false
+
 workflow_run:
 workflows: ["bump version"]
 types:
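Review bot: `token: ${{ github.token }}` is not needed to fetch `github/actions-oidc-debugger` if, as it appears, that repository is public, and `actions/checkout` persists whatever token it is given into the checked-out tree's `.git/config` by default, so a credential is left on disk under `./.github/actions/actions-oidc-debugger` for the remainder of the publishing job. Either drop the `token:` line entirely or add `persist-credentials: false` under `with:` so nothing survives past the fetch. If the token is kept for rate-limit reasons, a comment saying so (`# token only to avoid anonymous API rate limits; nothing here pushes`) would stop a later reader from assuming the checkout needs write access.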
@@ -16,23 +17,28 @@ on:
 jobs:
 build_artifacts:
 uses: ./.github/workflows/deploy_build_artifact.yaml
- # output:
- # artifact-url:
- # artifact-id:
- # package-version:
- # artifact-name:
 deploy_to_pypi_test:
 needs: [build_artifacts]
- if: ${{ github.event.inputs.deploy_to_test == true }}
+ if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.deploy_to_test == 'true' }}
 uses: ./.github/workflows/deploy_to_pypi.yml
 with:
 package-version: ${{ needs.build_artifacts.outputs.package-version }}
 target-environment: 'pypi-test'
 artifact-name: ${{ needs.build_artifacts.outputs.artifact-name }}
- deploy_to_pypi_prod:
+ deploy_to_pypi_prod_after_test:
+ needs: [build_artifacts, deploy_to_pypi_test]
+ if: ${{ github.event.inputs.deploy_to_test == 'true' }}
+ uses: ./.github/workflows/deploy_to_pypi.yml
+ with:
+ package-version: ${{ needs.build_artifacts.outputs.package-version }}
+ target-environment: 'pypi-prod'
+ artifact-name: ${{ needs.build_artifacts.outputs.artifact-name }}
+
+ deploy_to_pypi_prod_direct:
 needs: [build_artifacts]
+ if: ${{ github.event.inputs.deploy_to_test != 'true' }}
 uses: ./.github/workflows/deploy_to_pypi.yml
 with:
 package-version: ${{ needs.build_artifacts.outputs.package-version }}
From 2c2c5829fcfb6bf63e4c66bb512cde4e81efdc46 Mon Sep 17 00:00:00 2001
From: Rob Aleck
Date: Thu, 12 Sep 2024 19:32:16 +0000
Subject: [PATCH 4/4] add audience to debug
---
 .github/workflows/deploy_to_pypi.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/deploy_to_pypi.yml b/.github/workflows/deploy_to_pypi.yml
index 9c90465..50fa66e 100644
--- a/.github/workflows/deploy_to_pypi.yml
+++ b/.github/workflows/deploy_to_pypi.yml
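Review bot: `deploy_to_pypi_prod_direct` publishes to `pypi-prod` on every `workflow_run` trigger, because `github.event.inputs` is empty outside `workflow_dispatch` and the new `if: ${{ github.event.inputs.deploy_to_test != 'true' }}` is then true, yet nothing checks that the triggering "bump version" run succeeded or ran on the default branch (the `types:` filter sits outside this hunk, and `workflow_run` fires on completion regardless of conclusion unless the condition filters it). `workflow_run` jobs execute with the default branch's workflow file, secrets and environments, so a failed or branch-initiated bump still reaches production unless the environment's protection rules happen to stop it. Tighten the condition to `if: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.deploy_to_test != 'true') || (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == github.event.repository.default_branch) }}`, and put a comment above the job such as `# automatic production path: runs for version-bump workflow_run events and for manual runs that skip pypi-test`, since the input-based condition alone does not make that intent obvious.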
@@ -35,7 +35,9 @@ jobs:
 path: ./.github/actions/actions-oidc-debugger
 - name: Debug OIDC Claims
 uses: ./.github/actions/actions-oidc-debugger
-
+ with:
+ audience: '${{ github.server_url }}/${{ github.repository_owner }}'
+
 - name: get workspacedir
 # see https://github.com/actions/runner/issues/2058#issuecomment-1308554566
 shell: bash
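Review bot: The debugger now mints a second OIDC token inside the same job that publishes to `${{ inputs.target-environment }}`, and neither debugger step carries a guard, so every future release — including production ones — keeps requesting and logging claims long after the mismatch is diagnosed. Gate both steps on an opt-in switch, `if: ${{ inputs.debug-oidc }}` on each, backed by a boolean `debug-oidc` input defaulting to `false` in the workflow's `inputs:` block (outside this hunk), or delete the steps once the trusted-publisher configuration is confirmed. Using `${{ github.server_url }}/${{ github.repository_owner }}` as the audience rather than `pypi` is the right choice, because PyPI expects `aud: pypi` and should reject a debug token that leaks into the log; a comment such as `# audience deliberately differs from 'pypi' so a logged debug token is useless against the real publisher` would keep a later maintainer from "fixing" it.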