Skip to content

Publish to PyPI

Publish to PyPI #775

Workflow file for this run

name: Publish to PyPI
on:
workflow_dispatch:
inputs:
run_id:
description: The run of wheel-builder to use for finding artifacts.
required: true
environment:
description: Which PyPI environment to upload to
required: true
type: choice
options: ["testpypi", "pypi"]
workflow_run:
workflows: ["Wheel Builder"]
types: [completed]
env:
PUBLISH_REQUIREMENTS_PATH: .github/requirements/publish-requirements.txt
permissions:
contents: read
jobs:
publish:
runs-on: ubuntu-latest
# We're not actually verifying that the triggering push event was for a
# tag, because github doesn't expose enough information to do so.
# wheel-builder.yml currently only has push events for tags.
if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success')
permissions:
id-token: "write"
attestations: "write"
steps:
- run: echo "$EVENT_CONTEXT"
env:
EVENT_CONTEXT: ${{ toJson(github.event) }}
- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: "3.11"
- name: Get publish-requirements.txt from repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
sparse-checkout: |
${{ env.PUBLISH_REQUIREMENTS_PATH }}
sparse-checkout-cone-mode: false
persist-credentials: false
- name: Install Python dependencies
run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }}
- uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
with:
path: dist/
run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }}
- run: |
echo "OIDC_AUDIENCE=pypi" >> $GITHUB_ENV
echo "PYPI_DOMAIN=pypi.org" >> $GITHUB_ENV
echo "TWINE_REPOSITORY=pypi" >> $GITHUB_ENV
echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV
if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi')
- run: |
echo "OIDC_AUDIENCE=testpypi" >> $GITHUB_ENV
echo "PYPI_DOMAIN=test.pypi.org" >> $GITHUB_ENV
echo "TWINE_REPOSITORY=testpypi" >> $GITHUB_ENV
echo "TWINE_USERNAME=__token__" >> $GITHUB_ENV
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'
- run: |
import os
import requests
response = requests.get(
os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"],
params={"audience": os.environ["OIDC_AUDIENCE"]},
headers={"Authorization": f"bearer {os.environ['ACTIONS_ID_TOKEN_REQUEST_TOKEN']}"}
)
response.raise_for_status()
token = response.json()["value"]
response = requests.post(f"https://{os.environ['PYPI_DOMAIN']}/_/oidc/mint-token", json={"token": token})
response.raise_for_status()
pypi_token = response.json()["token"]
with open(os.environ["GITHUB_ENV"], "a") as f:
print(f"::add-mask::{pypi_token}")
f.write(f"TWINE_PASSWORD={pypi_token}\n")
shell: python
- run: find dist/ -type f -name 'cryptography*' -print0 | xargs -0 twine upload --skip-existing
# Do not perform attestation for things for TestPyPI. This is because
# there's nothing that would prevent a malicious PyPI from serving a
# signed TestPyPI asset in place of a release intended for PyPI.
- uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
with:
subject-path: 'dist/**/cryptography*'
if: env.TWINE_REPOSITORY == 'pypi'