Skip to content
Publish Release

update release called job permissions #2

Sign in to view logs

update release called job permissions

update release called job permissions #2

Workflow file for this run

.github/workflows/release.yml at b55699a
name: Publish Release
permissions: read-all
on:
push:
tags:
- 'v*' # only publish on version tags (e.g. v1.0.0)
jobs:
lint:

Check failure on line 13 in .github/workflows/release.yml

View workflow run for this annotation

GitHub Actions / Publish Release

Invalid workflow file 

The workflow is not valid. .github/workflows/release.yml (Line: 13, Col: 3): Error calling workflow 'bckohan/django-enum/.github/workflows/lint.yml@b55699a17cf2703698df7fc8d614ef171e364826'. The workflow is requesting 'attestations: read, checks: read, contents: read, deployments: read, discussions: read, issues: read, packages: read, pages: read, pull-requests: read, repository-projects: read, statuses: read, security-events: read, id-token: read', but is only allowed 'attestations: none, checks: none, contents: none, de[...]
permissions:
actions: write
uses: ./.github/workflows/lint.yml
secrets: inherit
test:
permissions:
actions: write
uses: ./.github/workflows/test.yml
secrets: inherit
build:
name: Build Package
runs-on: ubuntu-latest
permissions:
actions: write
outputs:
PACKAGE_NAME: ${{ steps.set-package.outputs.package_name }}
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ">=3.11" # for tomlib
- name: Verify Tag Signature
run: |
TAG_NAME=${GITHUB_REF#refs/tags/}
echo "Verifying tag $TAG_NAME..."
git tag -v "$TAG_NAME"
- name: Install pypa/build
run:
python3 -m pip install build --user
- name: Build a binary wheel and a source tarball
run: python3 -m build
- name: Store the distribution packages
uses: actions/upload-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Set Package Name
id: set-package
run:
PACKAGE_NAME=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['name'])")
echo "PACKAGE_NAME=${PACKAGE_NAME}" >> $GITHUB_ENV
publish-to-pypi:
name: Publish to PyPI
needs:
- lint
- test
- build
- publish-to-testpypi
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/${{ needs.build.outputs.PACKAGE_NAME }}
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- name: Download all the dists
uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Publish distribution 📦 to PyPI
uses: pypa/gh-action-pypi-publish@release/v1.12
github-release:
name: Publish GitHub Release
runs-on: ubuntu-latest
needs:
- lint
- test
- build
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for sigstore
steps:
- name: Download all the dists
uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Sign the dists with Sigstore
uses: sigstore/[email protected]
with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
- name: Create GitHub Release
env:
GITHUB_TOKEN: ${{ github.token }}
run: >-
gh release create
'${{ github.ref_name }}'
--repo '${{ github.repository }}'
--generate-notes
- name: Upload artifact signatures to GitHub Release
env:
GITHUB_TOKEN: ${{ github.token }}
# Upload to GitHub Release using the `gh` CLI.
# `dist/` contains the built packages, and the
# sigstore-produced signatures and certificates.
run: >-
gh release upload
'${{ github.ref_name }}' dist/**
--repo '${{ github.repository }}'
publish-to-testpypi:
name: Publish to TestPyPI
needs:
- build
runs-on: ubuntu-latest
environment:
name: testpypi
url: https://test.pypi.org/project/${{ needs.build.outputs.PACKAGE_NAME }}
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- name: Download all the dists
uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Publish distribution 📦 to TestPyPI
uses: pypa/gh-action-pypi-publish@release/v1.12
with:
repository-url: https://test.pypi.org/legacy/
skip-existing: true