-
Notifications
You must be signed in to change notification settings - Fork 63
213 lines (188 loc) · 6.86 KB
/
publish.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
name: Test & Release
on:
release:
types: [published]
# pull_request:
# branches:
# - master
permissions:
contents: read
jobs:
linux:
runs-on: ubuntu-latest
permissions:
id-token: write # ability to mint the OIDC token permission is necessary to persist the attestation
contents: read
attestations: write # persist the attestation
strategy:
matrix:
platform: [ 'x86_64-unknown-linux-gnu', 'aarch64-unknown-linux-gnu' ]
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
api.github.com:443
cdn.quay.io:443
cdn01.quay.io:443
cdn02.quay.io:443
cdn03.quay.io:443
crates.io:443
files.pythonhosted.org:443
ghcr.io:443
github.com:443
index.crates.io:443
objects.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
pypi.org:443
quay.io:443
sh.rustup.rs:443
static.crates.io:443
static.rust-lang.org:443
uploads.github.com:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
with:
python-version: 3.8
architecture: x64
- uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab
with:
manylinux: auto
target: ${{ matrix.platform }}
command: build
args: --release --sdist -o dist -i 3.8 3.9 3.10 3.11 3.12 3.13
- name: Upload wheels
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # 4.4.3
with:
name: wheels-linux-${{ matrix.platform }}
path: dist
windows:
runs-on: windows-latest
permissions:
id-token: write # ability to mint the OIDC token permission is necessary to persist the attestation
contents: read
attestations: write # persist the attestation
strategy:
matrix:
target: [x64]
python-version: ['3.8', '3.9', '3.10', '3.11', '3.12', '3.13']
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
with:
python-version: ${{ matrix.python-version }}
- uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab
env:
PYO3_PYTHON: python${{ matrix.python-version }}
with:
command: build
args: --release -o dist
- name: Upload wheels
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # 4.4.3
with:
name: wheels-windows-${{ matrix.python-version }}-${{ matrix.target }}
path: dist
macos:
runs-on: macos-latest
permissions:
id-token: write # ability to mint the OIDC token permission is necessary to persist the attestation
contents: read
attestations: write # persist the attestation
strategy:
matrix:
python-version: ['3.8', '3.9', '3.10', '3.11', '3.12', '3.13']
target: ['universal2', 'x86_64-apple-darwin']
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
with:
python-version: ${{ matrix.python-version }}
- name: Build wheels - ${{ matrix.target }}
uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab
env:
PYO3_PYTHON: python${{ matrix.python-version }}
with:
target: ${{ matrix.target }}
command: build
args: --release -o dist
- name: Upload wheels
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # 4.4.3
with:
name: wheels-macos-${{ matrix.python-version }}-${{ matrix.target }}
path: dist
python-release-github:
runs-on: ubuntu-latest
needs: [ macos, windows, linux ]
permissions:
contents: write # To add assets to a release.
checks: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.1.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
uploads.github.com:443
static.rust-lang.org:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.head_ref }}
- uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
with:
toolchain: "stable"
- name: Set up Python 3.8
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: 3.8
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: wheels
pattern: wheels-*
merge-multiple: true
- name: Upload release binaries
uses: alexellis/upload-assets@13926a61cdb2cb35f5fdef1c06b8b591523236d3 # 0.4.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
asset_paths: '["./wheels/tantivy-*"]'
release-pypy:
name: Release
runs-on: ubuntu-latest
needs: [ macos, windows, linux ]
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: audit
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: wheels
pattern: wheels-*
merge-multiple: true
- name: Publish package distributions to Test PyPI
uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3
with:
repository-url: https://test.pypi.org/legacy/
packages-dir: wheels/
skip-existing: true
- name: Publish package distributions to PyPI
if: always()
uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3
with:
packages-dir: wheels/
skip-existing: true