Add trusted publishing (OIDC) (#1135) #3581
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PyPI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - auto-release | |
| pull_request: | |
| branches: [main] | |
| release: | |
| types: [published] | |
| # Cancels all previous workflow runs for pull requests that have not completed. | |
| concurrency: | |
| # The concurrency group contains the workflow name and the branch name for pull requests | |
| # or the commit hash for any other events. | |
| group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} | |
| cancel-in-progress: true | |
| jobs: | |
| # The job to build precompiled pypi wheels. | |
| make_sdist: | |
| name: Make SDist | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # write id-token and attestations are required to attest build provenance | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: true | |
| persist-credentials: false | |
| - name: Build SDist | |
| run: pipx run build --sdist | |
| - name: Attest GitHub build provenance | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: dist/*.tar.gz | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: sdist | |
| path: dist/*.tar.gz | |
| run_checks: | |
| name: Build & inspect our package. | |
| # Note: the resulting builds are not actually published. | |
| # This is purely for additional testing and diagnostic purposes. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - uses: hynek/build-and-inspect-python-package@v2 | |
| build_wheels: | |
| name: Build wheels for ${{ matrix.platform }} | |
| runs-on: ${{ matrix.platform }} | |
| permissions: | |
| # write id-token and attestations are required to attest build provenance | |
| id-token: write | |
| attestations: write | |
| strategy: | |
| matrix: | |
| platform: | |
| - macos-12 | |
| - windows-2022 | |
| - ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Build wheels | |
| uses: pypa/[email protected] | |
| - name: Attest GitHub build provenance | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: ./wheelhouse/*.whl | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: wheels-${{ matrix.platform }} | |
| path: ./wheelhouse/*.whl | |
| build_universal_wheel: | |
| name: Build universal wheel for Pyodide | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # write id-token and attestations are required to attest build provenance | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install dependencies | |
| run: pip install numpy versioneer wheel | |
| - name: Build universal wheel | |
| run: | | |
| PYODIDE=1 python setup.py bdist_wheel --universal | |
| - name: Attest GitHub build provenance | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: dist/*.whl | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: universal_wheel | |
| path: dist/*.whl | |
| check_dist: | |
| name: Check dist | |
| needs: [make_sdist,build_wheels] | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: sdist | |
| path: dist | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| pattern: wheels-* | |
| path: dist | |
| merge-multiple: true | |
| - name: Check SDist | |
| run: | | |
| mkdir -p test-sdist | |
| cd test-sdist | |
| python -m venv venv-sdist | |
| venv-sdist/bin/python -m pip install ../dist/pytensor-*.tar.gz | |
| # check import | |
| venv-sdist/bin/python -c "import pytensor;print(pytensor.__version__)" | |
| # check import cython module | |
| venv-sdist/bin/python -c 'from pytensor.scan import scan_perform; print(scan_perform.get_version())' | |
| - run: pipx run twine check --strict dist/* | |
| upload_pypi: | |
| name: Upload to PyPI on release | |
| # Use the `release` GitHub environment to protect the Trusted Publishing (OIDC) | |
| # workflow by requiring signoff from a maintainer. | |
| environment: release | |
| permissions: | |
| # write id-token is required for trusted publishing (OIDC) | |
| id-token: write | |
| needs: [check_dist] | |
| runs-on: ubuntu-latest | |
| # Don't publish from forks | |
| if: github.repository_owner == 'pymc-devs' && github.event_name == 'release' && github.event.action == 'published' | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: sdist | |
| path: dist | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| pattern: wheels-* | |
| path: dist | |
| merge-multiple: true | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: universal_wheel | |
| path: dist | |
| - uses: pypa/[email protected] | |
| # Implicitly attests that the packages were uploaded in the context of this workflow. |