ioc-finder/.github/workflows/python-publish.yml at main · fhightower/ioc-finder · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# This workflow will upload a Python Package to PyPI when a release is created
# Uses PyPI trusted publishing (OIDC) — no secrets required.
# Configure at: https://pypi.org/manage/project/ioc-finder/settings/publishing/

name: Upload Python Package to PyPi

on:
  push:
    tags:
      - 'v*'

jobs:
  deploy:

    runs-on: ubuntu-latest

    permissions:
      id-token: write   # required for OIDC trusted publishing
      contents: read

    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - name: Ensure tag commit is on main
      run: |
        git fetch origin main
        git merge-base --is-ancestor "$GITHUB_SHA" origin/main
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.x'
    - name: Verify version matches tag
      run: |
        TAG_VERSION="${GITHUB_REF_NAME#v}"
        PKG_VERSION=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
        if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
          echo "::error::Tag version ($TAG_VERSION) does not match package version ($PKG_VERSION)"
          exit 1
        fi
    - name: Set up uv
      uses: astral-sh/setup-uv@v6
    - name: Build
      run: uv build
    - name: Publish to PyPI
      uses: pypa/gh-action-pypi-publish@release/v1