urllib3

1
name: Publish to PyPI
2

3
on:
4
  push:
5
    branches:
6
      # We don't publish to Test PyPI on pushes to 1.26.x yet because there is
7
      # no mechanism to get a dynamic version number in the branch yet.
8
      # - "1.26.x"
9
      - "main"
10
    tags:
11
      - "*"
12

13
permissions:
14
  contents: read
15

16
jobs:
17
  build:
18
    name: "Build distribution 📦"
19
    runs-on: "ubuntu-latest"
20
    outputs:
21
      hashes: ${{ steps.hash.outputs.hashes }}
22

23
    steps:
24
      - name: "Checkout repository"
25
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
26
        with:
27
          fetch-depth: 0 # Needed to fetch the version from git
28

29
      - name: "Setup Python"
30
        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
31
        with:
32
          python-version: "3.x"
33

34
      - name: "Install dependencies"
35
        run: python -m pip install build==0.8.0
36

37
      - name: "Build dists"
38
        run: |
39
          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
40
          python -m build
41

42
      - name: "Generate hashes"
43
        id: hash
44
        run: |
45
          cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
46

47
      - name: "Upload dists"
48
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
49
        with:
50
          name: "dist"
51
          path: "dist/"
52
          if-no-files-found: error
53
          retention-days: 5
54

55
  provenance:
56
    needs: [build]
57
    permissions:
58
      actions: read
59
      contents: write
60
      id-token: write # Needed to access the workflow's OIDC identity.
61
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
62
    with:
63
      base64-subjects: "${{ needs.build.outputs.hashes }}"
64
      upload-assets: true
65

66
  publish-to-pypi-and-github:
67
    name: "Publish to PyPI"
68
    if: startsWith(github.ref, 'refs/tags/')
69
    needs: ["build", "provenance"]
70
    permissions:
71
      contents: write # Needed for making GitHub releases
72
      id-token: write # Needed for trusted publishing to PyPI.
73
    runs-on: "ubuntu-latest"
74
    environment:
75
      name: "publish"
76

77
    steps:
78
    - name: "Download dists"
79
      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
80
      with:
81
        name: "dist"
82
        path: "dist/"
83

84
    - name: "Upload dists to GitHub Release"
85
      env:
86
        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
87
      run: |
88
        gh release upload ${{ github.ref_name }} dist/* --repo ${{ github.repository }}
89

90
    - name: "Publish dists to PyPI"
91
      uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
92

93
  publish-to-test-pypi:
94
    name: "Publish to Test PyPI"
95
    needs: ["build", "provenance"]
96
    permissions:
97
      id-token: write # Needed for trusted publishing to PyPI.
98
    runs-on: "ubuntu-latest"
99
    environment:
100
      name: "testpypi"
101

102
    steps:
103
    - name: "Download dists"
104
      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
105
      with:
106
        name: "dist"
107
        path: "dist/"
108

109
    - name: "Publish dists to Test PyPI"
110
      uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
111
      with:
112
        repository-url: https://test.pypi.org/legacy/
113