python-tuf/.github/workflows/cd.yml at 017031b761fe08e6e037c89fad7e6c42ab5d1eb0 · theupdateframework/python-tuf · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: CD
concurrency: cd

on:
  push:
    tags:
      - v*

permissions:
  contents: write

jobs:
  test:
    uses: ./.github/workflows/_test.yml

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: test
    outputs:
      release_id: ${{ steps.gh-release.outputs.id }}
    steps:
      - name: Checkout release tag
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
        with:
          ref: ${{ github.event.workflow_run.head_branch }}

      - name: Set up Python
        uses: actions/setup-python@0ebf233433c08fb9061af664d501c3f3ff0e9e20
        with:
          python-version: '3.x'

      - name: Install build dependency
        run: python3 -m pip install --upgrade pip build in-toto[pynacl]

      - name: Build binary wheel and source tarball
        env:
            IN_TOTO_KEY: ${{ secrets.IN_TOTO_KEY }}
            IN_TOTO_KEY_PW: ${{ secrets.IN_TOTO_KEY_PW }}
        run: |
          #######################################################
          # Build and generate signed attestions with in-toto CLI

          # Make signing key available to in-toto commands
          echo -n "$IN_TOTO_KEY" > .in_toto/key

          # Define patterns for files that need not be recorded as materials below
          exclude=('__pycache__' 'build' 'htmlcov' '.?*' '*~' '*.egg-info' '*.pyc')

          # Grab TUF version to construct build artifact names for product recording
          version=$(python3 -c 'import tuf; print(tuf.__version__)')

          # Build sdist and record all files in CWD as materials and the build artifact
          # as product in a signed attestation 'sdist.<signing key id>.link'.
          in-toto-run \
            --step-name sdist \
            --key .in_toto/key \
            --key-type ed25519 \
            --password "$IN_TOTO_KEY_PW" \
            --materials . \
            --products dist/tuf-${version}.tar.gz \
            --exclude ${exclude[@]} \
            --metadata-directory .in_toto \
            --verbose \
            -- python3 -m build --sdist --outdir dist/ .

          # Build wheel and record all files in CWD as materials and the build artifact
          # as product in a signed attestation 'wheel.<signing key id>.link'.
          in-toto-run \
            --step-name wheel \
            --key .in_toto/key \
            --key-type ed25519 \
            --password "$IN_TOTO_KEY_PW" \
            --materials . \
            --products dist/tuf-${version}-py3-none-any.whl \
            --exclude ${exclude[@]} dist/tuf-${version}.tar.gz \
            --metadata-directory .in_toto \
            --verbose \
            -- python3 -m build --wheel --outdir dist/ .

          # Remove signing key file
          rm .in_toto/key

      - id: gh-release
        name: Publish GitHub release candiate
        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
        with:
          name: ${{ github.ref_name }}-rc
          tag_name: ${{ github.ref }}
          body: "Release waiting for review..."
          files: |
            dist/*
            .in_toto/*.link

      - name: Store build artifacts
        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
        # NOTE: The GitHub release page contains the release artifacts too, but using
        # GitHub upload/download actions seems robuster: there is no need to compute
        # download URLs and tampering with artifacts between jobs is more limited.
        with:
          name: build-artifacts
          path: dist

  release:
    name: Release
    runs-on: ubuntu-latest
    needs: build
    environment: release
    steps:
      - name: Fetch build artifacts
        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
        with:
          name: build-artifacts
          path: dist

      - name: Publish binary wheel and source tarball on PyPI
        uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295
        with:
          user: __token__
          password: ${{ secrets.PYPI_API_TOKEN }}

      - name: Finalize GitHub release
        uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e
        with:
          script: |
            await github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: '${{ needs.build.outputs.release_id }}',
              name: '${{ github.ref_name }}',
              body: 'See [CHANGELOG.md](https://github.com/' +
                     context.repo.owner + '/' + context.repo.repo +
                    '/blob/${{ github.ref_name }}/docs/CHANGELOG.md) for details.'
            })