Skip to content

CI: do attestation manually #1610

CI: do attestation manually

CI: do attestation manually #1610

Workflow file for this run

name: ci
on:
pull_request:
push:
branches-ignore:
- 'dependabot/**'
tags:
- '**'
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
lint:
uses: mhils/workflows/.github/workflows/python-tox.yml@v10
with:
cmd: tox -e lint
test:
strategy:
fail-fast: false
matrix:
include:
- os: windows-latest
py: 3.12.0
args: --cov-fail-under=100
- os: macos-latest
py: 3.12.0
args: --cov-fail-under=100
- os: ubuntu-latest
py: 3.12.0
args: --cov-fail-under=100
- os: ubuntu-latest
py: 3.11.5
- os: ubuntu-latest
py: 3.10.13
- os: ubuntu-latest
py: 3.9.18
- os: ubuntu-latest
py: 3.8.18
uses: mhils/workflows/.github/workflows/python-tox.yml@v10
with:
cmd: tox -e py -- -vvv ${{ matrix.args }}
os: ${{ matrix.os }}
python-version: ${{ matrix.py }}
build:
uses: mhils/workflows/.github/workflows/python-build.yml@v10
permissions:
contents: read
id-token: write
attestations: write
attest:
needs: build
if: github.event_name != 'pull_request'
permissions:
contents: read
id-token: write
attestations: write
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v4
with:
name: wheels
path: dist/
- uses: actions/attest-build-provenance@v1
with:
subject-path: 'dist/*'
check:
if: always()
needs:
- lint
- test
- build
- attest
uses: mhils/workflows/.github/workflows/alls-green.yml@v10
with:
jobs: ${{ toJSON(needs) }}
allowed-skips: '["attest"]'
deploy:
uses: mhils/workflows/.github/workflows/python-deploy.yml@v10
with:
artifact-name: wheels
needs: check
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
secrets:
password: ${{ secrets.TWINE_PASSWORD }}