Skip to content

Publish to PyPI

Publish to PyPI #912

Workflow file for this run

name: Publish to PyPI
on:
workflow_dispatch:
inputs:
run_id:
description: The run of wheel-builder to use for finding artifacts.
required: true
environment:
description: Which PyPI environment to upload to
required: true
type: choice
options: ["testpypi", "pypi"]
workflow_run:
workflows: ["Wheel Builder"]
types: [completed]
env:
PUBLISH_REQUIREMENTS_PATH: .github/requirements/publish-requirements.txt
permissions:
contents: read
jobs:
publish:
runs-on: ubuntu-latest
# We're not actually verifying that the triggering push event was for a
# tag, because github doesn't expose enough information to do so.
# wheel-builder.yml currently only has push events for tags.
if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success')
permissions:
id-token: "write"
attestations: "write"
steps:
- run: echo "$EVENT_CONTEXT"
env:
EVENT_CONTEXT: ${{ toJson(github.event) }}
- run: |
echo "PYPI_URL=https://upload.pypi.org/legacy/" >> $GITHUB_ENV
if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi')
- run: |
echo "PYPI_URL=https://test.pypi.org/legacy/" >> $GITHUB_ENV
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'
- uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
with:
path: tmpdist/
run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }}
- run: mkdir dist/
- run: |
find tmpdist/ -type f -name 'cryptography*' -exec mv {} dist/ \;
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
with:
repository-url: ${{ env.PYPI_URL }}
skip-existing: true
# Do not perform attestation for things for TestPyPI. This is
# because there's nothing that would prevent a malicious PyPI from
# serving a signed TestPyPI asset in place of a release intended for
# PyPI.
attestations: ${{ env.PYPI_URL == 'https://upload.pypi.org/legacy/' }}