python-server-sdk/.github/workflows/manual-publish.yml at main · launchdarkly/python-server-sdk · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: Publish Package
on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Is this a dry run? If so no package will be published."
        type: boolean
        required: true

jobs:
  build-publish:
    runs-on: ubuntu-latest
    # Needed to get tokens during publishing.
    permissions:
      id-token: write
      contents: read
      attestations: write # Needed for artifact attestations
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"

      - name: Install poetry
        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0

      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
        name: "Get PyPI token"
        with:
          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
          ssm_parameter_pairs: "/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN"

      - uses: ./.github/actions/build

      - name: Publish package distributions to PyPI
        if: ${{ format('{0}', inputs.dry_run) == 'false' }}
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          password: ${{env.PYPI_AUTH_TOKEN}}

      - name: Attest build provenance
        if: ${{ format('{0}', inputs.dry_run) == 'false' }}
        uses: actions/attest@v4
        with:
          subject-path: 'dist/*'