
Commit a917f89

authored
DEVOPS-2168 - Securing GHA Publish to pypi (#1433)
2 parents 6542b1d + 1c62fe6 commit a917f89


1 file changed

+36
-29
lines changed


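--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -4,39 +4,46 @@ name: Publish Python Package
 
 on:
   release:
-    types: [created, updated]
+    types: [created]
 
 jobs:
-  deploy:
-
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-python@v3
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install setuptools wheel
+
+      - name: Build
+        run: |
+          python setup.py sdist bdist_wheel
+
+      - uses: actions/upload-artifact@v3
+        with:
+          path: ./dist
+
+  pypi-publish:
+    needs: ['build']
+    environment:
+      name: publish
+      url: 'https://pypi.org/project/labelbox/'
     runs-on: ubuntu-latest
-
     permissions:
       # IMPORTANT: this permission is mandatory for trusted publishing
       id-token: write
-
     steps:
-      - uses: actions/checkout@v2
-
-      - name: Set up Python
-        uses: actions/setup-python@v2
-        with:
-          python-version: '3.x'
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install setuptools wheel twine
-
-      - name: Build
-        run: |
-          python setup.py sdist bdist_wheel
-
-      # - name: Publish
-      #   env:
-      #     TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-      #     TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      #   run: |
-      #     twine upload dist/*
-      - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: actions/download-artifact@v3
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: artifact/
+
+    # Note that the build and pypi-publish jobs are split so that the additional permissions are only granted to the pypi-publish job.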
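Review bot: The new `build` job declares no `permissions:` block, so its `GITHUB_TOKEN` inherits the repository's default permissions (which may be read/write), and the closing comment's claim that extra permissions go only to `pypi-publish` holds only for `id-token`; add `permissions:` / `contents: read` under `build:` (or a top-level `permissions: contents: read`) so the job that runs `setup.py` with unpinned `setuptools`/`wheel` from PyPI can do nothing beyond checkout. Every third-party action in the new workflow is referenced by a mutable ref — `actions/checkout@v3`, `actions/upload-artifact@v3`, `actions/download-artifact@v3`, `pypa/gh-action-pypi-publish@release/v1` — which in a job that can mint OIDC tokens accepted by PyPI should be pinned to full commit SHAs with a `# vX.Y.Z` comment. `download-artifact@v3` with no `name:` fetches every artifact of the run rather than only the one `upload-artifact` produced; passing `name: artifact` (the default the `packages-dir: artifact/` line already relies on) makes the coupling explicit. Whether the `publish` environment has required reviewers and whether the PyPI trusted-publisher entry is restricted to that environment is not visible here, and the job split only limits blast radius if both are configured.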
