⬆️ ozi-core~=1.2.13 #889
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Part of the OZI Project, under the Apache License v2.0 with LLVM Exceptions. | |
| # See LICENSE.txt for license information. | |
| # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception | |
| name: OZI | |
| on: | |
| push: | |
| branches: | |
| - "v?[0-9].[0-9]*" | |
| - "v?[1-9]+[0-9].[0-9]*" | |
| - "release/*" | |
| permissions: | |
| contents: read | |
| jobs: | |
| checkpoint-cp310-ubuntu-latest: | |
| name: checkpoint (Python 3.10 on ubuntu-latest) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| api.github.com:443 | |
| oziproject.dev:443 | |
| pypi.org:443 | |
| registry.npmjs.org:443 | |
| objects.githubusercontent.com:443 | |
| fulcio.sigstore.dev:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| oauth2.sigstore.dev:443 | |
| - uses: OZI-Project/checkpoint@38b742bcf99a1eae353d2f750d23f7a0c0e2174d # 1.0.1 | |
| with: | |
| python-version: "3.10" | |
| parallel: false | |
| checkpoint-cp311-ubuntu-latest: | |
| name: checkpoint (Python 3.11 on ubuntu-latest) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| api.github.com:443 | |
| oziproject.dev:443 | |
| pypi.org:443 | |
| registry.npmjs.org:443 | |
| objects.githubusercontent.com:443 | |
| fulcio.sigstore.dev:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| oauth2.sigstore.dev:443 | |
| - uses: OZI-Project/checkpoint@38b742bcf99a1eae353d2f750d23f7a0c0e2174d # 1.0.1 | |
| with: | |
| python-version: "3.11" | |
| parallel: false | |
| checkpoint-cp312-ubuntu-latest: | |
| name: checkpoint (Python 3.12 on ubuntu-latest) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| api.github.com:443 | |
| oziproject.dev:443 | |
| pypi.org:443 | |
| registry.npmjs.org:443 | |
| objects.githubusercontent.com:443 | |
| fulcio.sigstore.dev:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| oauth2.sigstore.dev:443 | |
| - uses: OZI-Project/checkpoint@38b742bcf99a1eae353d2f750d23f7a0c0e2174d # 1.0.1 | |
| with: | |
| python-version: "3.12" | |
| parallel: false | |
| checkpoint-cp313-ubuntu-latest: | |
| name: checkpoint (Python 3.13 on ubuntu-latest) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| api.github.com:443 | |
| oziproject.dev:443 | |
| pypi.org:443 | |
| registry.npmjs.org:443 | |
| objects.githubusercontent.com:443 | |
| fulcio.sigstore.dev:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| - uses: OZI-Project/checkpoint@38b742bcf99a1eae353d2f750d23f7a0c0e2174d | |
| with: | |
| python-version: "3.13" | |
| checkpoint: | |
| runs-on: ubuntu-latest | |
| needs: [checkpoint-cp310-ubuntu-latest, checkpoint-cp311-ubuntu-latest, checkpoint-cp312-ubuntu-latest] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| draft: | |
| needs: checkpoint | |
| runs-on: ubuntu-latest | |
| concurrency: draft | |
| strategy: | |
| fail-fast: true | |
| permissions: | |
| contents: write | |
| id-token: write | |
| outputs: | |
| drafted: ${{ steps.draft.outputs.drafted }} | |
| tag: ${{ steps.draft.outputs.tag }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| pypi.org:443 | |
| api.deps.dev:443 | |
| files.pythonhosted.org:443 | |
| downloads.python.org:443 | |
| - uses: OZI-Project/draft@23eab64fb44d03215598b6fffcfff890bfb7ec4b | |
| id: draft | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| release: | |
| needs: [draft, checkpoint] | |
| runs-on: ubuntu-latest | |
| concurrency: release | |
| strategy: | |
| matrix: | |
| py: | |
| - 'security2' | |
| - 'security1' | |
| - 'bugfix' | |
| - 'prerelease' | |
| fail-fast: true | |
| max-parallel: 1 | |
| outputs: | |
| hashes: ${{ steps.release.outputs.hashes }} | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| files.pythonhosted.org:443 | |
| fulcio.sigstore.dev:443 | |
| oziproject.dev:443 | |
| www.oziproject.dev:443 | |
| github.com:443 | |
| pypi.org:443 | |
| rekor.sigstore.dev:443 | |
| tuf-repo-cdn.sigstore.dev:443 | |
| objects.githubusercontent.com:443 | |
| quay.io:443 | |
| cdn03.quay.io:443 | |
| downloads.python.org:443 | |
| oauth2.sigstore.dev:443 | |
| - uses: OZI-Project/release@d764d82aa0900effc1590b0281ff35d67be592fd # 1.0.3 | |
| id: release | |
| with: | |
| tag: ${{ needs.draft.outputs.tag }} | |
| python-dist: ${{ matrix.py }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| generate-provenance: | |
| needs: [draft, release, checkpoint] | |
| name: Generate build provenance | |
| permissions: | |
| actions: read # To read the workflow path. | |
| id-token: write # To sign the provenance. | |
| contents: write # To add assets to a release. | |
| # Currently this action needs to be referred by tag. More details at: | |
| # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 | |
| with: | |
| provenance-name: provenance-${{ github.event.repository.name }}-${{ needs.draft.outputs.tag }}.intoto.jsonl | |
| base64-subjects: "${{ needs.release.outputs.hashes }}" | |
| upload-tag-name: "${{ needs.draft.outputs.tag }}" | |
| upload-assets: true | |
| publish: | |
| runs-on: ubuntu-latest | |
| needs: [draft, release, generate-provenance] | |
| permissions: | |
| actions: read | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| upload.pypi.org:443 | |
| uploads.github.com:443 | |
| - uses: OZI-Project/publish@6a44652f29d676922cf9e10d3ebc39b723078729 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} |