45 changes: 38 additions & 7 deletions .github/workflows/publish_to_pypi.yml
Expand Up @@ -4,10 +4,15 @@ on:
tags:
- "*"


jobs:
build:
name: Build distribution 📦
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
attestations: write
env:
POETRY_VERSION: 2.1.1

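Review bot: the new `permissions` block on the build job (`contents: read`, `id-token: write`, `attestations: write`) has no comment saying why a build job needs an OIDC token and attestation write access, while the publish job annotates its own `id-token: write` with the trusted-publishing note. Add a one-line comment next to the grants, e.g. `# id-token/attestations: required by actions/attest-build-provenance`, so a later clean-up does not strip them as unused; the scope itself is right, since `contents: read` keeps this job from writing to the repository.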
Expand All @@ -17,32 +22,50 @@ jobs:
uses: actions/setup-python@v5
with:
# Use the lowest supported version of Python for CI/CD
python-version: "3.8"
python-version: "3.9"
- name: Load cached .local
id: cache-poetry
uses: actions/cache@v3
with:
path: /home/runner/.local
key: dotlocal-${{ env.POETRY_VERSION }}-${{ hashFiles('poetry.lock') }}
Comment on lines 27 to 31
Contributor

⚠️ Potential issue | 🟠 Major

Upgrade cache action to v4.

actions/cache@v3 still runs on the deprecated Node 16 runner, so this workflow will start failing (actionlint already flags it). Please bump to actions/cache@v4.

🧰 Tools
🪛 actionlint (1.7.7)

28-28: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
.github/workflows/publish_to_pypi.yml around lines 27 to 31: the workflow uses
actions/cache@v3 which relies on the deprecated Node 16 runner; update the
action to actions/cache@v4 by changing the uses field to actions/cache@v4 so the
cache step runs on the supported runtime and stops actionlint failures.

- name: Install poetry
if: steps.cache-poetry.outputs.cache-hit != 'true'
env:
PIP_INDEX_URL: https://pypi.org/simple
PIP_NO_CACHE_DIR: "1"
run: |
curl -sSL "https://install.python-poetry.org/" | python - --version "${{ env.POETRY_VERSION }}"
echo "${HOME}/.local/bin" >> $GITHUB_PATH
poetry --version || exit 1 # Verify installation
set -euo pipefail
python -m pip install --upgrade pip
python -m pip install "dulwich>=0.22.6,<0.23.0"
python -m pip install "https://github.com/python-poetry/poetry/releases/download/${POETRY_VERSION}/poetry-${POETRY_VERSION}-py3-none-any.whl"
poetry --version
- name: Build a binary wheel and a source tarball
run: poetry build
- name: Store the distribution packages
uses: actions/upload-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Generate build provenance attestation
id: provenance
uses: actions/attest-build-provenance@v1
with:
subject-path: "dist/*"
- name: Store provenance attestation
if: steps.provenance.outputs.bundle-path != ''
uses: actions/upload-artifact@v4
with:
name: python-package-provenance
path: ${{ steps.provenance.outputs.bundle-path }}
publish-to-pypi:
name: >-
Publish Python 🐍 distribution 📦 to PyPI
needs: build # Explicit dependency on build job
runs-on: ubuntu-latest
timeout-minutes: 10 # Adjust based on typical publishing time
environment:
name: official-release
url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
permissions:
# More information about Trusted Publishing and OpenID Connect: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
id-token: write # IMPORTANT: mandatory for trusted publishing
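Review bot: the cache gate on the install step no longer matches what the step installs. The cache step still saves and restores `/home/runner/.local`, and `Install poetry` is still skipped when `steps.cache-poetry.outputs.cache-hit == 'true'`, but the rewritten step now installs `dulwich` and the Poetry wheel with `python -m pip install` into the setup-python interpreter's site-packages and the `echo "${HOME}/.local/bin" >> $GITHUB_PATH` line is gone, so nothing Poetry-related is written to the cached path. On any run that restores a cache entry for the same `POETRY_VERSION`/`poetry.lock` key, the install is skipped and `poetry build` runs without Poetry on the PATH. Either remove the cache step together with the `if:` guard, or make the cache cover what is actually installed (for example `pip install --user` so `~/.local` is populated again). Separately, the release wheel and `dulwich` are pinned by version only; a requirements file with `--hash=sha256:...` entries installed under `--require-hashes` would complete the pin that replacing the `curl | python` installer started.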
Expand All @@ -60,6 +83,7 @@ jobs:
with:
verbose: true
verify-metadata: true
attestations: true

github-release:
name: >-
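Review bot: `attestations: true` asks the publish action to generate and upload PEP 740 attestations for the distributions using this job's OIDC identity, which is why the existing `id-token: write` grant matters here too. Nothing in the visible publish job downloads the `python-package-provenance` artifact, so the build-provenance bundle from the build job and the attestations PyPI receives are two independent artifacts; a short comment beside the setting stating that would save the next reader from assuming the build job's bundle is what gets published.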
Expand All @@ -80,8 +104,13 @@ jobs:
with:
name: python-package-distributions
path: dist/
- name: Download provenance attestations
uses: actions/download-artifact@v4
with:
name: python-package-provenance
path: provenance/
- name: Sign the dists with Sigstore
uses: sigstore/gh-action-sigstore-python@v2.1.1
uses: sigstore/gh-action-sigstore-python@v3.0.1
with:
inputs: >-
./dist/*.tar.gz
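Review bot: the new `Download provenance attestations` step is unconditional, but the matching upload in the build job only runs when `steps.provenance.outputs.bundle-path != ''`. If that upload is skipped, `actions/download-artifact@v4` fails on the missing `python-package-provenance` artifact and the whole release job aborts before signing. Either mirror the guard here (expose the bundle path as a job output of `build` and gate this step on it) or drop the guard on the upload so a missing bundle fails loudly in the build job instead. The `sigstore/gh-action-sigstore-python` bump from v2.1.1 to v3.0.1 is a major-version change; confirm the output file names it produces are what the later `gh release upload` step and its comment expect.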
Expand All @@ -103,5 +132,7 @@ jobs:
# sigstore-produced signatures and certificates.
run: >-
gh release upload
'${{ github.ref_name }}' dist/**
'${{ github.ref_name }}'
dist/**
provenance/**
--repo '${{ github.repository }}'
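Review bot: the comment above this `run:` block still describes the upload as covering only the sigstore-produced signatures and certificates, while the command now also uploads `provenance/**`; update the comment to mention the build-provenance bundle. Also note that `dist/**` and `provenance/**` are expanded by the step's bash shell with `globstar` off, so `**` behaves like `*`, and if `provenance/` is empty or absent the unexpanded pattern is passed literally to `gh release upload`, which then fails; switching to a `run: |` block with `shopt -s nullglob`, or a guard on the directory's existence, avoids that failure mode.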