Merge pull request #877 from OZI-Project/main #291
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: OZI | |
| on: | |
| push: | |
| branches: | |
| - "v?[0-9].[0-9]*" | |
| - "v?[1-9]+[0-9].[0-9]*" | |
| permissions: | |
| contents: read | |
| jobs: | |
| checkpoint-cp311-ubuntu-latest: | |
| name: checkpoint (Python 3.11 on ubuntu-latest) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| disable-sudo: false | |
| egress-policy: block | |
| allowed-endpoints: > | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| api.github.com:443 | |
| oziproject.dev:443 | |
| www.oziproject.dev:443 | |
| pypi.org:443 | |
| registry.npmjs.org:443 | |
| objects.githubusercontent.com:443 | |
| fulcio.sigstore.dev:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| azure.archive.ubuntu.com:80 | |
| security.ubuntu.com:443 | |
| archive.ubuntu.com:443 | |
| - run: sudo apt-get install -y gettext | |
| - uses: OZI-Project/checkpoint@1.9.3 | |
| with: | |
| python-version: "3.11" | |
| submodules: true | |
| checkpoint-cp312-ubuntu-latest: | |
| name: checkpoint (Python 3.12 on ubuntu-latest) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| disable-sudo: false | |
| egress-policy: block | |
| allowed-endpoints: > | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| api.github.com:443 | |
| oziproject.dev:443 | |
| www.oziproject.dev:443 | |
| pypi.org:443 | |
| registry.npmjs.org:443 | |
| objects.githubusercontent.com:443 | |
| fulcio.sigstore.dev:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| azure.archive.ubuntu.com:80 | |
| security.ubuntu.com:443 | |
| archive.ubuntu.com:443 | |
| - run: sudo apt-get install -y gettext | |
| - uses: OZI-Project/checkpoint@1.9.3 | |
| with: | |
| python-version: "3.12" | |
| submodules: true | |
| checkpoint-cp313-ubuntu-latest: | |
| name: checkpoint (Python 3.13 on ubuntu-latest) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| disable-sudo: false | |
| egress-policy: block | |
| allowed-endpoints: > | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| api.github.com:443 | |
| oziproject.dev:443 | |
| www.oziproject.dev:443 | |
| pypi.org:443 | |
| registry.npmjs.org:443 | |
| objects.githubusercontent.com:443 | |
| fulcio.sigstore.dev:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| azure.archive.ubuntu.com:80 | |
| security.ubuntu.com:443 | |
| archive.ubuntu.com:443 | |
| - run: sudo apt-get install -y gettext | |
| - uses: OZI-Project/checkpoint@1.9.3 | |
| with: | |
| python-version: "3.13" | |
| submodules: true | |
| checkpoint: | |
| runs-on: ubuntu-latest | |
| needs: [checkpoint-cp311-ubuntu-latest,checkpoint-cp312-ubuntu-latest, checkpoint-cp313-ubuntu-latest] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| draft: | |
| needs: checkpoint | |
| runs-on: ubuntu-latest | |
| concurrency: draft | |
| strategy: | |
| fail-fast: true | |
| permissions: | |
| contents: write | |
| id-token: write | |
| outputs: | |
| drafted: ${{ steps.draft.outputs.drafted }} | |
| tag: ${{ steps.draft.outputs.tag }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| - uses: OZI-Project/draft@1.16.0 | |
| id: draft | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| release: | |
| needs: [draft, checkpoint] | |
| runs-on: ubuntu-latest | |
| concurrency: release | |
| strategy: | |
| matrix: | |
| py: | |
| - security2 | |
| - security1 | |
| - bugfix | |
| - prerelease | |
| fail-fast: true | |
| max-parallel: 1 | |
| outputs: | |
| hashes: ${{ steps.release.outputs.hashes }} | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| disable-sudo: false | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| files.pythonhosted.org:443 | |
| fulcio.sigstore.dev:443 | |
| github.com:443 | |
| pypi.org:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| oziproject.dev:443 | |
| www.oziproject.dev:443 | |
| objects.githubusercontent.com:443 | |
| quay.io:443 | |
| cdn03.quay.io:443 | |
| downloads.python.org:443 | |
| azure.archive.ubuntu.com:80 | |
| security.ubuntu.com:443 | |
| archive.ubuntu.com:443 | |
| - run: sudo apt-get install -y gettext | |
| - uses: OZI-Project/release@3b2d9beadc38335e9fdace1dc21d7d5807d7be76 | |
| id: release | |
| with: | |
| python-dist: ${{ matrix.py }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| tag: ${{ needs.draft.outputs.tag }} | |
| generate-provenance: | |
| needs: [draft, release] | |
| name: Generate build provenance | |
| permissions: | |
| actions: read # To read the workflow path. | |
| id-token: write # To sign the provenance. | |
| contents: write # To add assets to a release. | |
| # Currently this action needs to be referred by tag. More details at: | |
| # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 | |
| with: | |
| provenance-name: provenance-${{ github.event.repository.name }}-${{ needs.draft.outputs.tag }}.intoto.jsonl | |
| base64-subjects: "${{ needs.release.outputs.hashes }}" | |
| upload-tag-name: "${{ needs.draft.outputs.tag }}" | |
| upload-assets: true | |
| publish: | |
| runs-on: ubuntu-latest | |
| needs: [draft, release, generate-provenance] | |
| if: needs.draft.outputs.drafted == 'true' | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| api.github.com:443 | |
| upload.pypi.org:443 | |
| uploads.github.com:443 | |
| fulcio.sigstore.dev:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| ghcr.io:443 | |
| pkg-containers.githubusercontent.com:443 | |
| - uses: OZI-Project/publish@1.16.0 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Publish package distributions to PyPI | |
| uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc |