Fix: Add missing id-token permission (#74) #17

Workflow file for this run

.github/workflows/test-gha-workflows.yaml at 40b684f

	---
	# SPDX-License-Identifier: Apache-2.0
	# SPDX-FileCopyrightText: 2024 The Linux Foundation <https://linuxfoundation.org>

	name: "🧪 Test GitHub Actions/Workflows"

	# yamllint disable-line rule:truthy
	on:
	workflow_dispatch:
	push:
	branches: [main, master]
	# paths: [".github/actions/", ".github/workflows/"]

	env:
	default-python: "3.10"
	artefacts: "dist"

	jobs:
	### Test Individual Composite Actions ###

	test:
	name: "Validate Actions/Workflows"
	runs-on: ubuntu-latest
	if: github.event_name == 'push' \|\| github.event_name == 'workflow_dispatch'
	steps:
	- name: "Checkout repository"
	uses: actions/checkout@v4
	with:
	# Does not currently work: https://github.com/actions/checkout/issues/1471
	fetch-tags: true
	# latest-semantic-tag currently contains a workaround for this behaviour

	- name: "Action: semantic-tag-latest"
	id: semantic-tag-latest
	# yamllint disable-line rule:line-length
	uses: os-climate/devops-reusable-workflows/.github/actions/semantic-tag-latest@main

	- name: "Action: semantic-tag-increment"
	id: semantic-tag-increment
	# yamllint disable-line rule:line-length
	uses: os-climate/devops-reusable-workflows/.github/actions/semantic-tag-increment@main
	with:
	tag: "${{ steps.semantic-tag-latest.outputs.TAG }}"
	type: "minor"

	### Primary Python Workflow Testing ###

	identify-content:
	name: "Identify Content"
	runs-on: ubuntu-latest
	outputs:
	python: ${{ steps.identify-content.outputs.python }}
	notebooks: ${{ steps.identify-content.outputs.notebooks }}

	steps:
	- uses: actions/checkout@v4

	- name: "Identify Content"
	id: identify-content
	run: \|
	# Inspect files in repository

	# Check if repository contains a Python project
	if [ -f pyproject.toml ]; then
	echo "Python project metadata found"
	echo "python=true" >> "$GITHUB_OUTPUT"
	else
	echo "python=false" >> "$GITHUB_OUTPUT"
	fi

	# Check if repository contains Jupyter Notebooks
	NOTEBOOKS=$(find . -name '*.ipynb' \| wc -l )
	if [ "$NOTEBOOKS" -ne 0 ]; then
	echo "Jupyter notebooks found"
	echo "notebooks=true" >> "$GITHUB_OUTPUT"
	else
	echo "notebooks=false" >> "$GITHUB_OUTPUT"
	fi

	python-project:
	name: "Python Project"
	needs:
	- identify-content
	if: needs.identify-content.outputs.python == 'true'
	runs-on: ubuntu-latest
	outputs:
	matrix: ${{ steps.python.outputs.matrixjson }}

	steps:
	- uses: actions/checkout@v4

	- name: "Extract Python Versioning"
	id: python
	# yamllint disable-line rule:line-length
	uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main

	python-build:
	name: "Python Build"
	needs:
	- python-project
	runs-on: "ubuntu-latest"
	continue-on-error: true
	strategy:
	fail-fast: false
	matrix: ${{ fromJson(needs.python-project.outputs.matrix) }}
	permissions:
	contents: write
	# Required by SigStore signing action
	id-token: write
	outputs:
	publish: ${{ steps.python-project-build.outputs.publish }}

	steps:
	- uses: actions/checkout@v4

	- name: "Setup Python"
	uses: actions/setup-python@v5
	with:
	python-version: ${{ matrix.python-version }}

	- name: "Setup PDM Build Tool"
	uses: pdm-project/setup-pdm@v4
	with:
	python-version: ${{ matrix.python-version }}

	- name: "Action: semantic-tag-latest"
	id: semantic-tag-latest
	# yamllint disable-line rule:line-length
	uses: os-climate/devops-reusable-workflows/.github/actions/semantic-tag-latest@main

	- name: "🏷️ Create initial tag"
	id: set-initial-tag
	if: steps.semantic-tag-latest.outputs.tag-missing == 'true'
	# https://github.com/softprops/action-gh-release
	uses: softprops/action-gh-release@v2
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	prerelease: true
	tag_name: v0.0.1

	- name: "Build: Python Project"
	id: python-project-build
	if: steps.semantic-tag-latest.outputs.missing == 'false'
	# yamllint disable-line rule:line-length
	uses: os-climate/devops-reusable-workflows/.github/actions/python-project-build@main
	with:
	artefacts: ${{ env.artefacts}}

	- name: "Validate Artefacts with Twine"
	id: python-twine-check
	with:
	artefacts: ${{ env.artefacts}}
	uses: os-climate/devops-reusable-workflows/.github/actions/python-twine-check@main

	- name: "Sign packages with Sigstore"
	uses: sigstore/[email protected]
	env:
	package-path: ${{ env.artefacts }}
	with:
	inputs: >-
	./${{ env.artefacts }}/*.tar.gz
	./${{ env.artefacts }}/*.whl

	- name: Store the distribution packages
	uses: actions/upload-artifact@v4
	with:
	name: ${{ github.ref_name }}
	path: ${{ env.artefacts }}

	github:
	name: "📦 Publish to GitHub"
	# Only publish on tag pushes
	needs: python-build
	runs-on: ubuntu-latest
	permissions:
	# IMPORTANT: mandatory to publish artefacts
	contents: write
	steps:
	- name: "⬇ Download build artefacts"
	uses: actions/download-artifact@v4
	with:
	name: ${{ github.ref_name }}
	path: ${{ env.artefacts }}

	- name: "🌥️ Set environment variables"
	id: setenv
	run: \|
	# vernum="${{ env.default-python }}.$(date +'%Y%m%d%H%M')"
	datetime="$(date +'%Y%m%d%H%M')"
	echo "datetime=${datetime}" >> "$GITHUB_OUTPUT"

	- name: "📦 Publish DEVELOPMENT artefacts to GitHub"
	if: startsWith(github.ref, 'refs/tags/') != true
	# https://github.com/softprops/action-gh-release
	uses: softprops/action-gh-release@v2
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	prerelease: true
	tag_name: ${{ github.ref_name }}-dev
	name: "Test/Development Build: ${{ github.ref_name }}"
	# body_path: ${{ github.workspace }}/CHANGELOG.rst
	files: \|
	${{ env.artefacts }}/*.tar.gz
	${{ env.artefacts }}/*.whl
	${{ env.artefacts }}/.sigstore

	- name: "📦 Publish PRODUCTION artefacts to GitHub"
	if: startsWith(github.ref, 'refs/tags/')
	# https://github.com/softprops/action-gh-release
	uses: softprops/action-gh-release@v2
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	prerelease: false
	tag_name: ${{ github.ref_name }}
	name: "Test/Development Build: ${{ github.ref_name }}"
	# body_path: ${{ github.workspace }}/CHANGELOG.rst
	files: \|
	${{ env.artefacts }}/*.tar.gz
	${{ env.artefacts }}/*.whl
	${{ env.artefacts }}/.sigstore

	testpypi:
	name: "📦 Test PyPI publishing"
	# Only publish on tag pushes
	# if: startsWith(github.ref, 'refs/tags/')
	needs: python-build
	runs-on: ubuntu-latest
	environment:
	name: testpypi
	permissions:
	# IMPORTANT: mandatory for trusted publishing
	id-token: write
	steps:
	- name: "⬇ Download build artefacts"
	uses: actions/download-artifact@v4
	with:
	name: ${{ github.ref_name }}
	path: ${{ env.artefacts }}

	- name: "Validate build artefacts"
	id: files
	run: \|
	if [ -f ${{ env.artefacts }}/buildvars.txt ]; then
	rm ${{ env.artefacts }}/buildvars.txt
	fi
	if (ls ${{ env.artefacts }}/.sigstore); then
	rm ${{ env.artefacts }}/.sigstore
	fi

	- name: "Publish to test PyPI"
	uses: pypa/gh-action-pypi-publish@release/v1
	with:
	repository-url: https://test.pypi.org/legacy/
	verbose: true
	packages-dir: ${{ env.artefacts }}

	pypi:
	name: "📦 Publish to PyPI"
	# Only publish on tag pushes
	if:
	startsWith(github.ref, 'refs/tags/') &&
	needs.python-build.outputs.publish == 'true'
	# contains(github.event.head_commit.message, '[release]')
	needs: [python-build, testpypi]
	runs-on: ubuntu-latest
	environment:
	name: pypi
	permissions:
	# IMPORTANT: mandatory for trusted publishing
	id-token: write
	steps:
	- name: "⬇ Download build artefacts"
	uses: actions/download-artifact@v4
	with:
	name: ${{ github.ref_name }}
	path: ${{ env.artefacts }}

	- name: "Remove files unsupported by PyPi"
	run: \|
	if (ls ${{ env.artefacts }}/.sigstore); then
	rm ${{ env.artefacts }}/.sigstore
	fi

	# - name: "📦 Publish to PyPI"
	# uses: pypa/gh-action-pypi-publish@release/v1
	# with:
	# verbose: true
	# packages-dir: ${{ env.artefacts }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix: Add missing id-token permission (#74) #17

Workflow file

Fix: Add missing id-token permission (#74) #17

Jobs

Run details

Workflow file for this run