3636
3737jobs :
3838 config : # Select the workflow config based on the event trigger.
39- runs-on : ubuntu-latest
39+ name : Configure workflow
4040 outputs :
4141 jobs : ${{ steps.config.outputs.jobs }}
4242 os : ${{ steps.config.outputs.os }}
4343 python-version : ${{ steps.config.outputs.python-version }}
44+ runs-on : ubuntu-latest
4445 steps :
4546 - id : config
4647 uses : glenn20/python-ci/config@dev
@@ -55,17 +56,14 @@ jobs:
5556 jobs : ${{ needs.config.outputs.jobs }}
5657 os : ${{ needs.config.outputs.os }}
5758 python-version : ${{ needs.config.outputs.python-version }}
58- permissions :
59- id-token : write # IMPORTANT: mandatory for github release
60- contents : write # IMPORTANT: mandatory for github release
6159
6260 # We can't use trusted publishing from a reusable workflow in another
6361 # repository, so the publish workflows must be run from here.
6462 publish :
65- if : ${{ contains(needs.config.outputs.jobs, 'publish') }}
6663 name : Publish to pypi.org
6764 needs : [config, ci-workflow]
6865 runs-on : ubuntu-latest
66+ if : ${{ contains(needs.config.outputs.jobs, 'publish') }}
6967 environment :
7068 name : publish-pypi
7169 url : ${{ steps.publish.outputs.url }}
7674 uses : glenn20/python-ci/publish@dev
7775 with :
7876 test-only : ${{ contains(fromJson(needs.config.outputs.jobs), 'publish') && 'false' || 'true' }}
77+
78+ # We run the github release job here instead of in ci-workflow, as it requires
79+ # permissions to sign the release and to simplify the workflow dependency
80+ # graph on the github UI.
81+ release :
82+ name : Create GitHub release
83+ needs : [config, ci-workflow]
84+ uses : glenn20/python-ci/.github/workflows/github-release.yaml@dev
85+ permissions :
86+ id-token : write # Required for signing the release
87+ contents : write # Required for github release
88+ if : ${{ contains(fromJson(needs.config.outputs.jobs), 'release') }}
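Review bot: The new `release` job grants `id-token: write` and `contents: write` to a reusable workflow referenced by the mutable branch ref `@dev`, so whatever commit is at the tip of that branch at run time executes with the ability to request an OIDC token and write to this repository. The same applies to `glenn20/python-ci/publish@dev` in the `publish` job, which runs in the `publish-pypi` environment. Pinning both references to a full commit SHA would make the code that receives these permissions immutable and reviewable, for example `uses: glenn20/python-ci/.github/workflows/github-release.yaml@<FULL_COMMIT_SHA>  # dev`, where `<FULL_COMMIT_SHA>` is a placeholder and not a value taken from this page. It would also help to add a comment above `permissions:` such as `# Caller-side cap: the called workflow can reduce these scopes but not raise them.`, so the next maintainer knows this block is the upper bound for the release workflow.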