3939 ssh_private_signing_key : ${{ secrets.SEMANTIC_RELEASE_PRIVATE_KEY }}
4040 ssh_public_signing_key : ${{ secrets.SEMANTIC_RELEASE_PUBLIC_KEY }}
4141
42+ - name : Hash Build Artifacts
43+ if : steps.release.outputs.released == 'true'
44+ id : hash
45+ run : |
46+ cd dist
47+ echo "hashes=$(find . -type f -exec sha256sum {} + | sort | base64 | tr -d '\n')" >> "$GITHUB_OUTPUT"
48+
4249 - name : Upload Build Artifacts
4350 if : steps.release.outputs.released == 'true'
4451 uses : actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -47,12 +54,24 @@ jobs:
4754 path : dist/
4855
4956 outputs :
57+ hashes : ${{ steps.hash.outputs.hashes }}
5058 released : ${{ steps.release.outputs.released }}
5159
52- publish :
53- runs-on : ubuntu-latest
60+ provenance :
5461 needs : release
5562 if : ${{ needs.release.outputs.released == 'true' }}
63+ permissions :
64+ actions : read
65+ id-token : write
66+ contents : write
67+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
68+ with :
69+ base64-subjects : " ${{ needs.release.outputs.hashes }}"
70+
71+ publish :
72+ runs-on : ubuntu-latest
73+ needs : [release, provenance]
74+ if : ${{ needs.release.outputs.released == 'true' && needs.provenance.outputs.outcome == 'success' }}
5675 environment : release
5776 steps :
5877 - name : Harden Runner
@@ -65,12 +84,18 @@ jobs:
6584 fetch-depth : 0
6685 token : ${{ secrets.GH_TOKEN }}
6786
68- - name : Download Artifacts
87+ - name : Download Build Artifacts
6988 uses : actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
7089 with :
7190 name : dist
7291 path : dist
7392
93+ - name : Download Provenance
94+ uses : actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
95+ with :
96+ name : ${{ needs.provenance.outputs.provenance-name }}
97+ path : dist
98+
7499 - name : Publish to PyPI
75100 uses : pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
76101
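Review bot: The Download Provenance step writes the attestation into `dist` (`path: dist`) and that directory is then handed as-is to pypa/gh-action-pypi-publish, so the `.intoto.jsonl` file ends up among the files passed to the PyPI upload, where it is not a valid distribution, while it is not attached anywhere else. Download it to its own directory and either set `upload-assets: true` on the generator call so it lands on the GitHub release, or upload it from this job; note the provenance job already grants `contents: write`, which the generator only needs for that release upload, so with `upload-assets` unset that permission is currently an unused write grant to a third-party reusable workflow and should be dropped or put to use. Before publishing, also verify the downloaded wheels/sdists against the exact subjects the provenance covers by decoding `needs.release.outputs.hashes` and running `sha256sum --check` inside `dist` (the hashes were produced with `find .`, so the `./name` paths line up). Referencing the generator by tag rather than SHA is expected as far as I recall (slsa-verifier derives the builder ID from the tag ref), but since every other action here is SHA-pinned, a comment such as `# pinned by tag on purpose: the SLSA verifier validates the builder ID via the tag ref` on the `uses:` line would stop someone "fixing" it. The `with:` of the Publish to PyPI step lies outside this hunk, so I cannot tell whether it uses trusted publishing or a token.

```yaml
      - name: Download Provenance
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}
          # Keep the attestation out of dist/: that directory is uploaded to PyPI wholesale.
          path: provenance

      - name: Verify build artifacts against provenance subjects
        env:
          HASHES: ${{ needs.release.outputs.hashes }}
        run: |
          set -euo pipefail
          cd dist
          # Same "<sha256>  ./file" lines the provenance was generated from.
          printf '%s' "$HASHES" | base64 -d | sha256sum --check --strict

      # … unchanged: Publish to PyPI …
```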