From ee4fc113bfc2ec5a70ef449a3ef8e672b80c9746 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 10 Dec 2024 23:13:15 -0500
Subject: [PATCH 1/3] CI: update upload-artifact, download-artifact, gh-action-pypi-publish

---
 .github/workflows/release.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 88954a9..f8b4f83 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,7 +30,7 @@ jobs:
 run: python -m build

 - name: Save built packages as artifact
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: packages-${{ runner.os }}-${{ steps.setup.outputs.python-version }}
 path: dist/
@@ -46,12 +46,14 @@ jobs:
 id-token: write
 steps:
 - name: Download packages
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+ with:
+ pattern: packages-*
+ path: dist
+ merge-multiple: true

- - name: Consolidate packages for upload
- run: |
- mkdir dist
- cp packages-*/* dist/
+ - name: Print out packages
+ run: ls dist

 - name: Publish package distributions to PyPI
- uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e # v1.8.10
+ uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2

From 2bfda1cfdead91e79deea2644edea41f5ea3d461 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 10 Dec 2024 23:14:21 -0500
Subject: [PATCH 2/3] CI: add attestation

---
 .github/workflows/release.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f8b4f83..293337a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
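Review bot: In PATCH 1/3, the `Download packages` step now merges every `packages-*` artifact into `dist`, and with `merge-multiple: true` files that share a name overwrite each other without notice. The artifact name in the first hunk carries `runner.os` and the Python version, so if the build job is a matrix (not visible here) a pure-Python wheel and sdist would presumably arrive once per leg, and only one copy of each is published. Unless the builds are byte-identical, the published file cannot be tied to a specific build leg. Consider publishing from a single designated build, and make the listing step record digests, `run: sha256sum dist/*`, so the release log can be compared with what lands on PyPI. The job body starts outside this hunk.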
@@ -55,5 +55,10 @@ jobs:
 - name: Print out packages
 run: ls dist

+ - name: Generate artifact attestation for sdist and wheel
+ uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
+ with:
+ subject-path: dist/cycler-*
+
 - name: Publish package distributions to PyPI
 uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2

From 6e74aa9ddb7e3c4237ba7af7814afd706a2e7050 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Mon, 16 Dec 2024 13:16:18 -0500
Subject: [PATCH 3/3] CI: update again

---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 293337a..024c8d9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,9 +56,9 @@ jobs:
 run: ls dist

 - name: Generate artifact attestation for sdist and wheel
- uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
+ uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
 with:
 subject-path: dist/cycler-*

 - name: Publish package distributions to PyPI
- uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
+ uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
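Review bot: The `Generate artifact attestation for sdist and wheel` step added in PATCH 2/3 needs `attestations: write` on the job in addition to `id-token: write`, and no patch in this series adds it. The only permission visible is `id-token: write` in the context of PATCH 1/3; the rest of the `permissions:` block is outside the hunks, so it may already be granted. If it is not, the step fails, and because it sits before `Publish package distributions to PyPI` the release stops there; add `attestations: write` next to `id-token: write`. The job body starts outside this hunk.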