⬆️ ozi-core~=1.2.13 #889
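# Part of the OZI Project, under the Apache License v2.0 with LLVM Exceptions.
# See LICENSE.txt for license information.
# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
name: OZI
on:
  push:
    branches:
      - "v?[0-9].[0-9]*"
      - "v?[1-9]+[0-9].[0-9]*"
      - "release/*"

# Workflow-wide default is read-only. Jobs that need more grant it explicitly
# in their own `permissions` block, so every elevation is visible next to the
# job that uses it.
permissions:
  contents: read

jobs:
  # The four checkpoint jobs below are one job per interpreter and are written
  # identically except where a NOTE(review) says otherwise. Every job starts
  # with Harden Runner in default-deny egress mode; only the hosts listed in
  # `allowed-endpoints` are reachable from that job.
  checkpoint-cp310-ubuntu-latest:
    name: checkpoint (Python 3.10 on ubuntu-latest)
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    permissions:
      # OIDC token is the only elevated permission this job holds.
      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            api.github.com:443
            oziproject.dev:443
            pypi.org:443
            registry.npmjs.org:443
            objects.githubusercontent.com:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            oauth2.sigstore.dev:443
      - uses: OZI-Project/checkpoint@38b742bcf99a1eae353d2f750d23f7a0c0e2174d # 1.0.1
        with:
          python-version: "3.10"
          parallel: false

  checkpoint-cp311-ubuntu-latest:
    name: checkpoint (Python 3.11 on ubuntu-latest)
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    permissions:
      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            api.github.com:443
            oziproject.dev:443
            pypi.org:443
            registry.npmjs.org:443
            objects.githubusercontent.com:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            oauth2.sigstore.dev:443
      - uses: OZI-Project/checkpoint@38b742bcf99a1eae353d2f750d23f7a0c0e2174d # 1.0.1
        with:
          python-version: "3.11"
          parallel: false

  checkpoint-cp312-ubuntu-latest:
    name: checkpoint (Python 3.12 on ubuntu-latest)
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    permissions:
      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            api.github.com:443
            oziproject.dev:443
            pypi.org:443
            registry.npmjs.org:443
            objects.githubusercontent.com:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            oauth2.sigstore.dev:443
      - uses: OZI-Project/checkpoint@38b742bcf99a1eae353d2f750d23f7a0c0e2174d # 1.0.1
        with:
          python-version: "3.12"
          parallel: false

  # NOTE(review): this job diverges from its three siblings in three places —
  # the egress allowlist omits oauth2.sigstore.dev:443, the checkpoint step
  # does not pass `parallel: false`, and the `checkpoint` gate job below does
  # not list it in `needs`, so a Python 3.13 failure does not block draft or
  # release. Confirm each difference is intended rather than drift.
  checkpoint-cp313-ubuntu-latest:
    name: checkpoint (Python 3.13 on ubuntu-latest)
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    permissions:
      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            api.github.com:443
            oziproject.dev:443
            pypi.org:443
            registry.npmjs.org:443
            objects.githubusercontent.com:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
      # Same commit as the other checkpoint pins in this file, so it carries
      # the same version label.
      - uses: OZI-Project/checkpoint@38b742bcf99a1eae353d2f750d23f7a0c0e2174d # 1.0.1
        with:
          python-version: "3.13"

  # Gate job: downstream jobs depend on this single job instead of on each
  # interpreter job. It runs with the workflow default (read-only) permissions.
  checkpoint:
    runs-on: ubuntu-latest
    needs:
      - checkpoint-cp310-ubuntu-latest
      - checkpoint-cp311-ubuntu-latest
      - checkpoint-cp312-ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          # No endpoints listed: this job makes no network calls of its own.
          egress-policy: block

  draft:
    needs: checkpoint
    runs-on: ubuntu-latest
    # Serialised per workflow so two pushes cannot draft concurrently.
    concurrency: draft
    strategy:
      fail-fast: true
    permissions:
      contents: write
      id-token: write
    # Consumed by release, generate-provenance and publish via `needs.draft`.
    outputs:
      drafted: ${{ steps.draft.outputs.drafted }}
      tag: ${{ steps.draft.outputs.tag }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            pypi.org:443
            api.deps.dev:443
            files.pythonhosted.org:443
            downloads.python.org:443
      # NOTE(review): SHA-pinned but, unlike the other pins in this file, it
      # carries no version comment; add one so readers and bump tooling can
      # tell which release the commit corresponds to.
      - uses: OZI-Project/draft@23eab64fb44d03215598b6fffcfff890bfb7ec4b
        id: draft
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

  release:
    needs:
      - draft
      - checkpoint
    runs-on: ubuntu-latest
    concurrency: release
    strategy:
      # One distribution flavour at a time; the first failure stops the rest.
      matrix:
        py:
          - "security2"
          - "security1"
          - "bugfix"
          - "prerelease"
      fail-fast: true
      max-parallel: 1
    outputs:
      # Fed to generate-provenance as the SLSA subject list.
      hashes: ${{ steps.release.outputs.hashes }}
    permissions:
      contents: write
      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            fulcio.sigstore.dev:443
            oziproject.dev:443
            www.oziproject.dev:443
            github.com:443
            pypi.org:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            objects.githubusercontent.com:443
            quay.io:443
            cdn03.quay.io:443
            downloads.python.org:443
            oauth2.sigstore.dev:443
      - uses: OZI-Project/release@d764d82aa0900effc1590b0281ff35d67be592fd # 1.0.3
        id: release
        with:
          tag: ${{ needs.draft.outputs.tag }}
          python-dist: ${{ matrix.py }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

  generate-provenance:
    needs:
      - draft
      - release
      - checkpoint
    name: Generate build provenance
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    # Currently this action needs to be referred by tag. More details at:
    # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      provenance-name: provenance-${{ github.event.repository.name }}-${{ needs.draft.outputs.tag }}.intoto.jsonl
      base64-subjects: "${{ needs.release.outputs.hashes }}"
      upload-tag-name: "${{ needs.draft.outputs.tag }}"
      upload-assets: true

  publish:
    runs-on: ubuntu-latest
    # Runs only after provenance has been attached to the release.
    needs:
      - draft
      - release
      - generate-provenance
    permissions:
      actions: read
      contents: write
      # NOTE(review): presumably OIDC for trusted publishing to upload.pypi.org;
      # verify against the publish action.
      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            upload.pypi.org:443
            uploads.github.com:443
      # NOTE(review): SHA-pinned without a version comment, unlike the other
      # pins in this file; add one for the same reason as the draft pin.
      - uses: OZI-Project/publish@6a44652f29d676922cf9e10d3ebc39b723078729
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}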