From cda4a98109eb008e83b3a1a07974bde6841c132a Mon Sep 17 00:00:00 2001 From: Nathan Gillett Date: Thu, 21 May 2026 08:27:36 -0500 Subject: [PATCH] Inline PyPI publish for trusted publishing compatibility PyPI OIDC does not support reusable workflows. Publish from a native job with gh-action-pypi-publish while keeping Cosign signing on the reusable generic path. Signed-off-by: Nathan Gillett --- .github/workflows/release-pypi.yml | 34 ++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml index 5909afc..cff1650 100644 --- a/.github/workflows/release-pypi.yml +++ b/.github/workflows/release-pypi.yml @@ -142,21 +142,33 @@ jobs: name: "IntentProof Release: Publish Python Package" needs: build if: github.event_name != 'workflow_dispatch' || inputs.publish_to_pypi + runs-on: ubuntu-latest permissions: attestations: write - contents: write + contents: read id-token: write packages: write - uses: IntentProof/intentproof-tools/.github/workflows/release-build-sign.yml@e982df238d9f111bc1f59b7473988c0d538dabb6 - with: - artifact_kind: pypi - subject_name: intentproof - release_version: ${{ needs.build.outputs.release_version }} - release_ref: ${{ needs.build.outputs.release_ref }} - pypi_dist_dir: dist - pypi_package_path: . - artifact_download_name: python-release-package - attest_to_rekor: ${{ github.event_name != 'workflow_dispatch' }} + steps: + - uses: actions/download-artifact@v4 + with: + name: python-release-package + path: dist + + - uses: actions/setup-python@v5 + with: + python-version: '3.12' + + - name: Validate Python distributions + run: | + set -euo pipefail + python -m pip install --upgrade twine + test -d dist + twine check dist/* + + - uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: dist + attestations: true sign: name: "IntentProof Release: Sign Python Distributions"