
build: fix release workflow permissions (#3389) #1232


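# Release pipeline: on every push to main, ask release-please (via Stainless)
# whether a release was created; if so, build the distributions in a job with
# no OIDC access and upload them to PyPI from a separate upload-only job.
name: Create releases

on:
  push:
    branches:
      - main

# Default-deny for GITHUB_TOKEN. Every job below declares the scopes it needs,
# so a job added later without a permissions block gets no token scopes
# instead of the repository default.
permissions: {}

jobs:
  release:
    name: release
    # Only run on the canonical repository's main branch, so forks that keep
    # this workflow do not attempt to cut releases.
    if: github.ref == 'refs/heads/main' && github.repository == 'openai/openai-python'
    runs-on: ubuntu-latest
    # This job reads secrets.STAINLESS_API_KEY and runs under the `publish`
    # environment.
    environment: publish
    outputs:
      # Consumed by the build job's `if:` to decide whether to build at all.
      releases_created: ${{ steps.release.outputs.releases_created }}
    permissions:
      contents: write
    steps:
      # NOTE(review): checkout persists the contents: write token for later
      # steps by default. If the release action below does not push through
      # git, set `persist-credentials: false` here as well. Confirm first.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: stainless-api/trigger-release-please@bb6677c5a04578eec1ccfd9e1913b5b78ed64c61 # v1.4.0
        id: release
        with:
          repo: ${{ github.event.repository.full_name }}
          stainless-api-key: ${{ secrets.STAINLESS_API_KEY }}

  build:
    name: build
    needs: release
    if: ${{ needs.release.outputs.releases_created == 'true' }}
    runs-on: ubuntu-latest
    # Build distributions without OIDC access so package build code cannot mint
    # a PyPI publishing token. The publish job handles only the upload.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # The build step runs package build code; do not leave the job token
          # where that code can read it. Nothing in this job pushes.
          persist-credentials: false
      - name: Set up Rye
        # NOTE(review): pinned by commit SHA but, unlike the other actions in
        # this file, without a trailing version comment. Record the tag this
        # SHA corresponds to so pin updates can be reviewed.
        uses: eifinger/setup-rye@c694239a43768373e87d0103d7f547027a23f3c8
        with:
          version: '0.44.0'
          # NOTE(review): a restored cache is an input to the release build.
          # Confirm that no lower-trust workflow can write a cache entry this
          # job would restore, or disable caching for release builds.
          enable-cache: true
      - name: Build package
        run: |
          mkdir -p dist
          rye build --clean
      - name: Upload package distributions
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: python-package-distributions
          path: dist/
          # Fail the build rather than hand the publish job an empty artifact.
          if-no-files-found: error
          # The artifact is only a hand-off to the publish job; keep it short-lived.
          retention-days: 1

  publish:
    name: publish
    needs: build
    runs-on: ubuntu-latest
    environment: publish
    # PyPI Trusted Publishing requires id-token: write. Keep it scoped to this
    # minimal upload-only job rather than the build job.
    permissions:
      contents: read
      id-token: write
    steps:
      # No checkout and no build tooling here: the only inputs are the
      # artifact produced by the build job and the pinned publish action.
      - name: Download package distributions
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0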