mirror of
https://gitcode.com/gh_mirrors/gh/gh-action-pypi-publish.git
synced 2026-07-02 10:25:13 +00:00
Expose PEP 740 attestations functionality
PR #236 This patch adds PEP 740 attestation generation to the workflow: when the Trusted Publishing flow is used, this will generate a publish attestation for each distribution being uploaded. These generated attestations are then fed into `twine`, which newly supports them via `--attestations`. Ref: https://github.com/pypi/warehouse/issues/15871
This commit is contained in:
+41
-1
@@ -39,6 +39,7 @@ INPUT_PACKAGES_DIR="$(get-normalized-input 'packages-dir')"
|
||||
INPUT_VERIFY_METADATA="$(get-normalized-input 'verify-metadata')"
|
||||
INPUT_SKIP_EXISTING="$(get-normalized-input 'skip-existing')"
|
||||
INPUT_PRINT_HASH="$(get-normalized-input 'print-hash')"
|
||||
INPUT_ATTESTATIONS="$(get-normalized-input 'attestations')"
|
||||
|
||||
PASSWORD_DEPRECATION_NUDGE="::error title=Password-based uploads disabled::\
|
||||
As of 2024, PyPI requires all users to enable Two-Factor \
|
||||
@@ -53,7 +54,37 @@ environments like GitHub Actions without needing to use username/password \
|
||||
combinations or API tokens to authenticate with PyPI. Read more: \
|
||||
https://docs.pypi.org/trusted-publishers"
|
||||
|
||||
if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then
|
||||
ATTESTATIONS_WITHOUT_TP_WARNING="::warning title=attestations input ignored::\
|
||||
The workflow was run with the 'attestations: true' input, but an explicit \
|
||||
password was also set, disabling Trusted Publishing. As a result, the \
|
||||
attestations input is ignored."
|
||||
|
||||
ATTESTATIONS_WRONG_INDEX_WARNING="::warning title=attestations input ignored::\
|
||||
The workflow was run with 'attestations: true' input, but the specified \
|
||||
repository URL does not support PEP 740 attestations. As a result, the \
|
||||
attestations input is ignored."
|
||||
|
||||
[[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] \
|
||||
&& TRUSTED_PUBLISHING=true || TRUSTED_PUBLISHING=false
|
||||
|
||||
if [[ "${INPUT_ATTESTATIONS}" != "false" ]] ; then
|
||||
# Setting `attestations: true` without Trusted Publishing indicates
|
||||
# user confusion, since attestations (currently) require it.
|
||||
if ! "${TRUSTED_PUBLISHING}" ; then
|
||||
echo "${ATTESTATIONS_WITHOUT_TP_WARNING}"
|
||||
INPUT_ATTESTATIONS="false"
|
||||
fi
|
||||
|
||||
# Setting `attestations: true` with an index other than PyPI or TestPyPI
|
||||
# indicates user confusion, since attestations are not supported on other
|
||||
# indices presently.
|
||||
if [[ ! "${INPUT_REPOSITORY_URL}" =~ pypi\.org ]] ; then
|
||||
echo "${ATTESTATIONS_WRONG_INDEX_WARNING}"
|
||||
INPUT_ATTESTATIONS="false"
|
||||
fi
|
||||
fi
|
||||
|
||||
if "${TRUSTED_PUBLISHING}" ; then
|
||||
# No password supplied by the user implies that we're in the OIDC flow;
|
||||
# retrieve the OIDC credential and exchange it for a PyPI API token.
|
||||
echo "::debug::Authenticating to ${INPUT_REPOSITORY_URL} via Trusted Publishing"
|
||||
@@ -130,6 +161,15 @@ if [[ ${INPUT_VERBOSE,,} != "false" ]] ; then
|
||||
TWINE_EXTRA_ARGS="--verbose $TWINE_EXTRA_ARGS"
|
||||
fi
|
||||
|
||||
if [[ ${INPUT_ATTESTATIONS,,} != "false" ]] ; then
|
||||
# NOTE: Intentionally placed after `twine check`, to prevent attestation
|
||||
# NOTE: generation on distributions with invalid metadata.
|
||||
echo "::notice::Generating and uploading digital attestations"
|
||||
python /app/attestations.py "${INPUT_PACKAGES_DIR%%/}"
|
||||
|
||||
TWINE_EXTRA_ARGS="--attestations $TWINE_EXTRA_ARGS"
|
||||
fi
|
||||
|
||||
if [[ ${INPUT_PRINT_HASH,,} != "false" || ${INPUT_VERBOSE,,} != "false" ]] ; then
|
||||
python /app/print-hash.py ${INPUT_PACKAGES_DIR%%/}
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user