Commit graph

336 commits

Author SHA1 Message Date
Brendon Smith
f81cd95ad9
Tag Docker images with Git SHA
PR https://github.com/pypa/gh-action-pypi-publish/pull/230 updated the
action to pull Docker images from GHCR instead of building Docker images
each time the workflow runs. As part of this PR, a new GitHub Actions
workflow was added that builds Docker images and pushes them to GitHub
Container Registry (GHCR).

Actions can be referenced in various ways. The Docker build workflow
covers most of the action references, but does not push Docker images
tagged with the Git commit ID (Git SHA).

This commit will add Docker tags for referencing the action with a Git
SHA. GitHub Actions only supports references by the full 40 character
SHA. If users try to reference the action by a short SHA like `1234567`,
they will get an error like, "Unable to resolve action
`pypa/gh-action-pypi-publish@1234567`, the provided ref `1234567` is the
shortened version of a commit SHA, which is not supported. Please use
the full commit SHA `1234567890123456789012345678901234567890` instead."

https://github.com/pypa/gh-action-pypi-publish/pull/230
https://github.com/pypa/gh-action-pypi-publish/issues/290
https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-pre-written-building-blocks-in-your-workflow#using-shas
2024-11-11 18:58:36 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)
15c56dba36
Merge pull request #297 from trail-of-forks/ww/bump-pypi-attestations
Some checks failed
🏗️ / smoke-test (push) Has been cancelled
🏗️ / build-and-push (push) Has been cancelled
requirements: bump pypi-attestations to 0.0.15
2024-11-07 00:00:24 +01:00
William Woodruff
fe8d1484ba
requirements: bump pypi-attestations to 0.0.15
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-06 17:53:10 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)
1f5d4ec244
Merge pull request #295 from trail-of-forks/ww/fix-sdist-collection
Some checks are pending
🏗️ / smoke-test (push) Waiting to run
🏗️ / build-and-push (push) Blocked by required conditions
2024-11-06 20:01:10 +01:00
William Woodruff
fec2f0c0ce
attestations: collect *.zip sdists as well
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-11-06 13:43:44 -05:00
Sviatoslav Sydorenko (Святослав Сидоренко)
a8b73a6d88
Merge pull request #294 from webknjaz/bugfixes/optional-python 2024-11-06 16:24:24 +01:00
Sviatoslav Sydorenko
9b4dfb0c84
Pre-install Python if there's none
This is not usually the case for GitHub-hosted Runners but it might
happen with self-hosted runners.

Fixes #289.
2024-11-06 16:20:12 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
0a87186d5f
Merge pull request #293 from webknjaz/bugfixes/uncheckout-intermediate-action 2024-11-06 15:50:37 +01:00
Sviatoslav Sydorenko
dfcfeca43e
🧪 Use prefetched action to make trampoline
Previously, the action repository was being cloned from the remote
twice, unnecessarily. This patch eliminates this step and
uses the copy that was checked out on job start.

The generated trampoline action is still copied into the allowlisted
working directory so it can be referenced by the relative path
starting with `./`.

It is now output under
`./.github/.tmp/.generated-actions/run-pypi-publish-in-docker-container`
which mutates the end-user's workspace slightly but uses a path that
is unlikely to clash with somebody else's use.

Unfortunately, we cannot use randomized paths because the composite
action syntax does not allow accessing variables in `uses:`.

Fixes #292.
2024-11-06 15:47:43 +01:00
Sviatoslav Sydorenko
0d02f372c3
📝💅 Update the CI/CD badge in README
Some checks are pending
🏗️ / smoke-test (push) Waiting to run
🏗️ / build-and-push (push) Blocked by required conditions
This is a follow-up for #230, which renamed the workflow filename.
2024-11-05 22:29:18 +01:00
Sviatoslav Sydorenko (Святослав Сидоренко)
61da13deb5
Merge pull request #230 from br3ndonland/ghcr
Some checks are pending
🏗️ / smoke-test (push) Waiting to run
🏗️ / build-and-push (push) Blocked by required conditions
Build Docker image and push to GHCR
2024-11-05 20:58:36 +01:00
Brendon Smith
36965cb24a
Run smoke tests before Docker builds
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1787027821
2024-11-04 16:35:15 -05:00
Brendon Smith
da554410b0
Move smoke test to reusable workflow 2024-11-04 16:35:14 -05:00
Brendon Smith
80b1d50e0d
Make workflow_dispatch Docker tag input required
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1759496153
2024-11-04 16:35:14 -05:00
pre-commit-ci[bot]
1b9f21a741
[pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
2024-11-04 16:35:14 -05:00
Brendon Smith
cfb9d93a26
Add Docker tags for major and minor versions 2024-11-04 16:35:14 -05:00
Brendon Smith
153ccde9bc
Verify fail-fast in unsupported environments 2024-11-04 16:35:14 -05:00
Brendon Smith
d03addb8e6
Drop args from create-docker-action.py
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
2024-11-04 16:35:14 -05:00
Brendon Smith
bacb62682c
Fail-fast in unsupported environments
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1632406604

Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
2024-11-04 16:35:14 -05:00
Brendon Smith
7ea8313fc2
Check repo ID instead of repo owner ID 2024-11-04 16:35:14 -05:00
Brendon Smith
f51682fb52
Check repo owner ID instead of repo name 2024-11-04 16:35:14 -05:00
Brendon Smith
a360fcb184
Dump action as JSON 2024-11-04 16:35:14 -05:00
Brendon Smith
a869dd36b2
Checkout github.head_ref and repo for PRs
https://github.com/actions/checkout/issues/27#issuecomment-535897113
https://github.com/actions/checkout/issues/1108
2024-11-04 16:35:14 -05:00
Brendon Smith
5ded5310e7
Add workflow_dispatch trigger for Docker builds 2024-11-04 16:35:13 -05:00
Brendon Smith
cf5ce177da
Use YAML block strip syntax (>-) where possible 2024-11-04 16:35:13 -05:00
Brendon Smith
f1f014b445
Reset pre-commit files: regex 2024-11-04 16:35:13 -05:00
Brendon Smith
aed6c4b1b0
Generate Docker container action with Python 2024-11-04 16:35:13 -05:00
Brendon Smith
0d8d5059c8
Separate docker login and docker push
https://github.com/pypa/gh-action-pypi-publish/pull/230#discussion_r1578694138
2024-11-04 16:35:13 -05:00
Brendon Smith
e453f8c630
Fix pre-commit errors 2024-11-04 16:35:13 -05:00
Brendon Smith
783267be69
Build Docker image and push to GHCR
Up to this point, the project has been set up as a Docker action
referencing the Dockerfile. The downside to using the Dockerfile for the
action is that the Docker image must be built every time the action is
used.

This commit will set up the project to build the Docker image and push
it to GitHub Container Registry (GHCR). This change will speed up user
workflows every time the action is used because the workflows will
simply pull the Docker image from GHCR instead of building again.

Changes:

- Add required metadata to Dockerfile
- Build container image with GitHub Actions
- Push container image to GHCR

Docker actions support pulling in pre-built Docker images. The downside
is that there's no way to specify the correct Docker tag because the
GitHub Actions `image` and `uses:` keys don't accept any context.
For example, if a user's workflow has
`uses: pypa/gh-action-pypi-publish@release/v1.8`, then the action should
pull in a Docker image built from the `release/v1.8` branch, something
like `ghcr.io/pypa/gh-action-pypi-publish:release-v1.8` (Docker tags
can't have `/`). The workaround is to switch the top-level `action.yml`
to a composite action that then calls the Docker action, substituting
the correct image name and tag.
2024-11-04 16:35:13 -05:00
Sviatoslav Sydorenko
fb13cb3069
📝 Reflect the PR #277 changes in README
Some checks failed
🧪 / smoke-test (push) Has been cancelled
This makes minimum modifications to indicate that `attestations` is
not on by default.
2024-10-30 02:20:55 +01:00
Sviatoslav Sydorenko
72ead1a85a
Merge PRs #276 and #277 into release/v1 2024-10-30 02:04:39 +01:00
William Woodruff
0126dcac8e
action: enable attestations by default
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-10-28 14:31:58 -04:00
William Woodruff
335e8b00ae
bump sigstore==3.5.1
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-10-28 14:29:41 -04:00
William Woodruff
1545e96dcb
requirements: bump sigstore, pypi-attestations
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-10-22 12:40:04 -04:00
Sviatoslav Sydorenko (Святослав Сидоренко)
f7600683ef
Merge pull request #271 from mosfet80/patch-3
Some checks failed
🧪 / smoke-test (push) Has been cancelled
Update `actions/checkout` to v3 in self-tests
2024-09-29 11:06:37 +02:00
mosfet80
6edc294485
Fix node.js v16 deprecation self-smoke-test-action.yml
actions/checkout@v3 use node.js versio 16. But version 16 is deprecated.
version 4 fixes the problem.
2024-09-29 09:04:41 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко)
85a5a80b22
Merge pull request #270 from trail-of-forks/fix-magic-link-summary
Some checks are pending
🧪 / smoke-test (push) Waiting to run
2024-09-29 01:45:28 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко)
954318b48e
Merge pull request #267 from mosfet80/patch-2 2024-09-29 01:38:05 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко)
24791c7774
Merge pull request #266 from mosfet80/patch-1 2024-09-29 01:37:58 +02:00
Facundo Tuesca
d8c894824b Fix magic link nudge formatting in job summary 2024-09-27 20:47:50 +02:00
Facundo Tuesca
a1ce3844ac Check for Trusted Publishing in magic link logic 2024-09-27 20:47:02 +02:00
mosfet80
00b87c80e8
Update check-jsonschema and pre-commit libs
https://github.com/python-jsonschema/check-jsonschema/releases

https://github.com/pre-commit/pre-commit-hooks/releases/tag/v4.6.0
2024-09-23 11:56:13 +02:00
mosfet80
a571f1e128
Update pylint lib
https://github.com/pylint-dev/pylint/releases/tag/v3.3.0
2024-09-23 11:52:50 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко)
897895f1e1
Merge pull request #262 from trail-of-forks/ww/bump-attestations-req
Some checks failed
🧪 / smoke-test (push) Has been cancelled
Resolves #263
2024-09-20 23:35:44 +02:00
William Woodruff
ce32325c61
requirements: bump pypi-attestations to 0.0.12
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-09-19 18:14:50 +02:00
Facundo Tuesca
36978192ca
Add nudge message with magic link to create new Trusted Publisher
Some checks failed
🧪 / smoke-test (push) Has been cancelled
PR #250

Co-authored-by: Sviatoslav Sydorenko <sviat@redhat.com>
2024-09-05 17:25:58 +02:00
Sviatoslav Sydorenko (Святослав Сидоренко)
4f8925cefa
Merge pull request #258 from facutuesca/patch-1 2024-09-05 17:06:25 +02:00
Facundo Tuesca
a58e550ac2
Remove redundant Path.absolute() call 2024-09-03 16:21:03 +02:00
Sviatoslav Sydorenko
0ab0b79471
🚑 Invert the dists-to-attest validity check
Some checks failed
🧪 / smoke-test (push) Has been cancelled
This bug sneaked into #236 but should not affect many people as the
attestations generation feature is experimental and opt-in.

Fixes #256
2024-09-03 10:25:06 +02:00