1
0
mirror of https://github.com/pypa/gh-action-pypi-publish synced 2024-11-30 21:22:28 +08:00

Compare commits

..

9 Commits

Author SHA1 Message Date
Sebastian Weigand
0b16008aa7
Merge aabe83c06d into 15c56dba36 2024-11-07 00:02:45 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
15c56dba36
Merge pull request #297 from trail-of-forks/ww/bump-pypi-attestations
requirements: bump pypi-attestations to 0.0.15
2024-11-07 00:00:24 +01:00
William Woodruff
fe8d1484ba
requirements: bump pypi-attestations to 0.0.15
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-06 17:53:10 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)
1f5d4ec244
Merge pull request #295 from trail-of-forks/ww/fix-sdist-collection 2024-11-06 20:01:10 +01:00
William Woodruff
fec2f0c0ce
attestations: collect *.zip sdists as well
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-06 13:43:44 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)
a8b73a6d88
Merge pull request #294 from webknjaz/bugfixes/optional-python 2024-11-06 16:24:24 +01:00
Sviatoslav Sydorenko
9b4dfb0c84
Pre-install Python if there's none
This is not usually the case for GitHub-hosted Runners but it might
happen with self-hosted runners.

Fixes #289.
2024-11-06 16:20:12 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
0a87186d5f
Merge pull request #293 from webknjaz/bugfixes/uncheckout-intermediate-action 2024-11-06 15:50:37 +01:00
Sviatoslav Sydorenko
dfcfeca43e
🧪 Use prefetched action to make trampoline
Previously, the action repository was being cloned from the remote
twice, unnecessarily. This patch eliminates this step and
uses the copy that was checked out on job start.

The generated trampoline action is still copied into the allowlisted
working directory so it can be referenced by the relative path
starting with `./`.

It is now output under
`./.github/.tmp/.generated-actions/run-pypi-publish-in-docker-container`
which mutates the end-user's workspace slightly but uses a path that
is unlikely to clash with somebody else's use.

Unfortunately, we cannot use randomized paths because the composite
action syntax does not allow accessing variables in `uses:`.

Fixes #292.
2024-11-06 15:47:43 +01:00
5 changed files with 49 additions and 12 deletions

View File

@ -130,24 +130,44 @@ runs:
PR_REF: ${{ github.event.pull_request.head.ref }}
PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
PR_REPO_ID: ${{ github.event.pull_request.base.repo.id }}
- name: Check out action repo
uses: actions/checkout@v4
- name: Discover pre-installed Python
id: pre-installed-python
run: |
# 🔎 Discover pre-installed Python
echo "python-path=$(command -v python3 || :)" | tee -a "${GITHUB_OUTPUT}"
shell: bash
- name: Install Python 3
if: steps.pre-installed-python.outputs.python-path == ''
id: new-python
uses: actions/setup-python@v5
with:
path: action-repo
ref: ${{ steps.set-repo-and-ref.outputs.ref }}
repository: ${{ steps.set-repo-and-ref.outputs.repo }}
python-version: 3.x
- name: Create Docker container action
run: |
# Create Docker container action
python create-docker-action.py
${{
steps.pre-installed-python.outputs.python-path == ''
&& steps.new-python.outputs.python-path
|| steps.pre-installed-python.outputs.python-path
}} '${{ github.action_path }}/create-docker-action.py'
env:
REF: ${{ steps.set-repo-and-ref.outputs.ref }}
REPO: ${{ steps.set-repo-and-ref.outputs.repo }}
REPO_ID: ${{ steps.set-repo-and-ref.outputs.repo-id }}
shell: bash
working-directory: action-repo
- name: Run Docker container
uses: ./action-repo/.github/actions/run-docker-container
# The generated trampoline action must exist in the allowlisted
# runner-defined working directory so it can be referenced by the
# relative path starting with `./`.
#
# This mutates the end-user's workspace slightly but uses a path
# that is unlikely to clash with somebody else's use.
#
# We cannot use randomized paths because the composite action
# syntax does not allow accessing variables in `uses:`. This
# means that we end up having to hardcode this path both here and
# in `create-docker-action.py`.
uses: ./.github/.tmp/.generated-actions/run-pypi-publish-in-docker-container
with:
user: ${{ inputs.user }}
password: ${{ inputs.password }}

View File

@ -54,6 +54,7 @@ def debug(msg: str):
def collect_dists(packages_dir: Path) -> list[Path]:
# Collect all sdists and wheels.
dist_paths = [sdist.resolve() for sdist in packages_dir.glob('*.tar.gz')]
dist_paths.extend(sdist.resolve() for sdist in packages_dir.glob('*.zip'))
dist_paths.extend(whl.resolve() for whl in packages_dir.glob('*.whl'))
# Make sure everything that looks like a dist actually is one.

View File

@ -10,10 +10,12 @@ REPO = os.environ['REPO']
REPO_ID = os.environ['REPO_ID']
REPO_ID_GH_ACTION = '178055147'
ACTION_SHELL_CHECKOUT_PATH = pathlib.Path(__file__).parent.resolve()
def set_image(ref: str, repo: str, repo_id: str) -> str:
if repo_id == REPO_ID_GH_ACTION:
return '../../../Dockerfile'
return str(ACTION_SHELL_CHECKOUT_PATH / 'Dockerfile')
docker_ref = ref.replace('/', '-')
return f'docker://ghcr.io/{repo}:{docker_ref}'
@ -70,6 +72,20 @@ action = {
},
}
action_path = pathlib.Path('.github/actions/run-docker-container/action.yml')
# The generated trampoline action must exist in the allowlisted
# runner-defined working directory so it can be referenced by the
# relative path starting with `./`.
#
# This mutates the end-user's workspace slightly but uses a path
# that is unlikely to clash with somebody else's use.
#
# We cannot use randomized paths because the composite action
# syntax does not allow accessing variables in `uses:`. This
# means that we end up having to hardcode this path both here and
# in `action.yml`.
action_path = pathlib.Path(
'.github/.tmp/.generated-actions/'
'run-pypi-publish-in-docker-container/action.yml',
)
action_path.parent.mkdir(parents=True, exist_ok=True)
action_path.write_text(json.dumps(action, ensure_ascii=False), encoding='utf-8')

View File

@ -10,7 +10,7 @@ id ~= 1.0
requests
# NOTE: Used to generate attestations.
pypi-attestations ~= 0.0.13
pypi-attestations ~= 0.0.15
sigstore ~= 3.5.1
# NOTE: Used to detect the PyPI package name from the distribution files

View File

@ -93,7 +93,7 @@ pyjwt==2.8.0
# via sigstore
pyopenssl==24.1.0
# via sigstore
pypi-attestations==0.0.13
pypi-attestations==0.0.15
# via -r runtime.in
python-dateutil==2.9.0.post0
# via betterproto