diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index be37d8e..929160b 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -1,30 +1,20 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# For more information see: -# https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/application-starter-kits/python-starter-kit/ -# -# ******** NOTE ******** -# This file publishes to TestPyPi. To enable public PyPi the repository flag -# must be removed from the Twine upload call in the "Publish package" block. -# -name: "Upload Python Package" +# This workflows will upload a package when a release is created +# For more information see: +# https://docs.github.com/en/actions/use-cases-and-examples/publishing-packages/about-packaging-with-github-actions +# https://docs.pypi.org/trusted-publishers/ + +name: Upload Python Package on: release: - branches: [main] - types: [published] + types: [ published ] jobs: - deploy: - name: Deploy + + build: runs-on: ubuntu-latest - permissions: - actions: write - contents: read - security-events: write steps: - - name: Checkout repository + - name: Checkout code uses: actions/checkout@v4 with: fetch-depth: 0 
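Review bot: The new `build` job has no `permissions:` block where the old `deploy` job declared one, so its GITHUB_TOKEN falls back to the repository's default token permissions, which may be read-write; a job that only checks out, builds and uploads an artifact needs nothing beyond reading the checkout. Add `permissions:` with `contents: read` under `build:` (or a top-level `permissions:` before `jobs:`), keeping `id-token: write` scoped to the publishing job alone. The dropped `branches: [main]` filter is, as far as I recall, ignored on the `release` event, so the new trigger is equivalent, but the header comment should state that every published release triggers a publish regardless of branch. Minor: the header comment reads `# This workflows will upload`; make it `# This workflow will upload a package when a release is created`.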
@@ -40,10 +30,33 @@ jobs: run: | python3 -m build --wheel python3 setup.py sdist --format=zip - - name: Publish package - env: - TWINE_USERNAME: __token__ - TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} + - name: Verify package run: | twine check dist/* - twine upload --repository testpypi --verbose dist/*.whl dist/*.zip + - name: Store package + uses: actions/upload-artifact@v4 + with: + name: python-package-distribution + path: | + dist/*.whl + dist/*.zip + if-no-files-found: error + + release: + runs-on: ubuntu-latest + needs: build + environment: + name: release + permissions: + id-token: write # mandatory for trusted publishing + steps: + - name: Retrieve package + uses: actions/download-artifact@v4 + with: + name: python-package-distribution + path: dist/ + - name: Publish package (PyPi) + uses: pypa/gh-action-pypi-publish@release/v1 + with: + print-hash: true + repository-url: https://upload.pypi.org/legacy/ # for testing sub https://test.pypi.org/legacy/ diff --git a/CHANGELOG.md b/CHANGELOG.md index 1888e59..f660017 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
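Review bot: `pypa/gh-action-pypi-publish@release/v1` pins the publisher to a mutable branch ref and the artifact actions to floating `@v4` tags; for a job holding `id-token: write` that can publish to PyPI, pinning each `uses:` to a full commit SHA (with the tag in a trailing comment) closes the path where a moved tag or branch silently changes what runs in the release job. The `release` environment is what gates minting of the OIDC token, so its name must match the trusted-publisher entry on PyPI and its protection rules (required reviewers, deployment branches) are the real control over who can publish — worth one line in the header comment. The artifact handoff is consistent as written: `build` stores `dist/*.whl` and `dist/*.zip`, `release` restores them to `dist/`, which is the publish action's default `packages-dir`. One caveat on the files themselves: the sdist comes from `python3 setup.py sdist --format=zip` (context line above), while PEP 625 specifies `.tar.gz` sdists; if PyPI rejects the zip the publish step fails, and `python3 -m build` alone would produce both the wheel and a compliant sdist, with the `path:` glob becoming `dist/*.tar.gz`.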
@@ -6,9 +6,21 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [1.0.0] - 2023-01-31 +### Templatized Python Starter Kit +- Support of [SLIM project](https://nasa-ammos.github.io/slim/) instructional writeups +- Templatized implementation of best practice documentation +- Automatic publishing to the [PyPi Python Package Index](https://pypi.org/) -### Added +## [1.0.1] - 2024-03-15 +### Scanning operations +- GitHub Actions-based secrets detection +- GitHub Actions-based SCRUB (CodeQL) analysis +- GitHub Actions-based Pylint static code analysis +- Add updated SLIM Governance documentation + +## [1.0.2] - 2024-10-31 +### Trusted Publishing +- Updates to GitHub Actions Workflow file to support Trusted Publishing for PyPi as an OpenID Connect trusted identity provider + - Separate Build and Release into separate segments to support independent management of publishing permissions and allow multiple publishing endpoints + - Utilize `upload-artifact` action to store and retrieve packaged builds during the workflow process -- -- -- diff --git a/slim_sample_project/version.py b/slim_sample_project/version.py index 1f356cc..a6221b3 100644 --- a/slim_sample_project/version.py +++ b/slim_sample_project/version.py @@ -1 +1 @@ -__version__ = '1.0.0' +__version__ = '1.0.2'