Merged
Changes from 2 commits
10 changes: 10 additions & 0 deletions .github/dependabot.yml
@@ -9,3 +9,13 @@ updates:
directory: "/" # Location of package manifests
schedule:
interval: "monthly"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
groups:
all-dependencies:
update-types:
- "major"
- "minor"
- "patch"
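Review bot: the new `all-dependencies` group under the `github-actions` entry specifies `update-types` but no `patterns` or `dependency-type`, so check against the Dependabot grouped-updates documentation that this selects every action in the ecosystem (adding `patterns: ["*"]` makes the intent explicit either way). Bundling `"major"` with `"minor"` and `"patch"` also means a breaking action release lands in the same PR as routine bumps; either drop `"major"` from the group so it arrives as its own PR, or make sure grouped PRs are reviewed with that in mind. Dependabot will keep `uses:` tag references current, but for supply-chain hygiene the actions themselves should be pinned to a full commit SHA with the version in a trailing comment, which Dependabot also updates.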
9 changes: 4 additions & 5 deletions .github/workflows/tests.yml
@@ -83,10 +83,8 @@ jobs:
uses: actions/setup-python@v5
with:
python-version: "3.x"
- name: Upgrade Pip
run: python -m pip install --upgrade pip
- name: Install Poetry
run: python -m pip install build
- name: Install build tooling
run: python -m pip install --upgrade pip build
- name: Build a binary wheel and a source tarball
run: python3 -m build
- name: Store the distribution packages
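Review bot: collapsing the mislabeled `Install Poetry` step (which only ran `pip install build`) into one `Install build tooling` step is the right fix, but `python -m pip install --upgrade pip build` still installs `build` unpinned, so a release build pulls whatever version PyPI serves that day; for a workflow whose output is signed and published, pin the `build` version or install it from a hash-locked requirements file. Minor: the install step invokes `python` while the next step runs `python3 -m build`; with `actions/setup-python` both resolve to the same interpreter, but use one name consistently.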
@@ -135,11 +133,12 @@ jobs:
name: python-package-distributions
path: dist/
- name: Sign the dists with Sigstore
uses: sigstore/gh-action-sigstore-python@v2.1.1
uses: sigstore/gh-action-sigstore-python@v3.0.0
Collaborator (author) commented on this line:

Using this action isn't recommended (https://github.com/sigstore/gh-action-sigstore-python/blob/be60bbea7f8770c9c9673a8fabafec00df7f458f/README.md) because the Sigstore version is encapsulated by the pypa/gh-action-pypi-publish action.

The files modified during the pypi-publish action should be uploaded directly, right?

Collaborator (author):

Although, I might just not have a good understanding of what the best practices are now and haven't been following the OIDC changes closely.

Collaborator:

They're separate issues. The first action pushes to PyPI and signs there. The second one signs the artifacts as part of the GitHub release.

with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
upload-signing-artifacts: 'false'
- name: Create GitHub Release
env:
GITHUB_TOKEN: ${{ github.token }}
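Review bot: `sigstore/gh-action-sigstore-python@v2.1.1` to `@v3.0.0` is a major-version bump while the `with:` block beneath it (`inputs`, `upload-signing-artifacts: 'false'`) is left unchanged, so confirm against the v3.0.0 README that those inputs still exist with the same semantics before relying on this step for release signing; a major release is exactly where an input gets renamed, dropped or has its default flipped. Separately, this action and `actions/setup-python@v5` above are referenced by mutable tag; pin release-critical actions to a full commit SHA (version in a trailing comment) so the signing step cannot be changed by a tag move, and the `github-actions` Dependabot entry added in this PR will still keep the pin current.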