Merge pull request beeware#2604 from rmartin16/attest-package

Use new create package action with attestation
t-arn · May 30, 2024 · d68e9a8 · d68e9a8
2 parents 9005cc2 + 65d1169
commit d68e9a8
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 41 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,10 +5,15 @@ on:
     branches:
       - main
   workflow_call:
+    inputs:
+      attest-package:
+        description: "Create GitHub provenance attestation for the package."
+        default: "false"
+        type: string
     outputs:
-      artifact-name:
-        description: "Name of the uploaded artifact; use for artifact retrieval."
-        value: ${{ jobs.package.outputs.artifact-name }}
+      artifact-basename:
+        description: "Base name of the uploaded artifacts; use for artifact retrieval."
+        value: ${{ jobs.package.outputs.artifact-basename }}
 
 env:
   min_python_version: "3.8"
@@ -38,12 +43,11 @@ jobs:
       tox-source: "./core[dev]"
 
   package:
-    name: Python package
-    uses: beeware/.github/.github/workflows/python-package-create.yml@main
-    with:
-      tox-source: "./core[dev]"
-      build-subdirectory: ${{ matrix.subdir }}
-      distribution-path: "*/dist/*"
+    name: Package Toga
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     strategy:
       matrix:
         subdir:
@@ -58,6 +62,10 @@ jobs:
         - "textual"
         - "web"
         - "winforms"
+    uses: beeware/.github/.github/workflows/python-package-create.yml@main
+    with:
+      build-subdirectory: ${{ matrix.subdir }}
+      attest: ${{ inputs.attest-package }}
 
   core:
     name: Test core
@@ -94,29 +102,33 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/[email protected]
+      with:
+        fetch-depth: 0
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/[email protected]
       with:
         python-version: ${{ matrix.python-version }}
 
-    - name: Install dev Dependencies
-      run: |
-        # We don't actually want to install toga-core;
-        # we just want the dev extras so we have a known version of tox and coverage
-        python -m pip install ./core[dev]
+    - name: Install Tox
+      uses: beeware/.github/.github/actions/install-requirement@main
+      with:
+        requirements: tox
+        extra: dev
+        project-root: core
 
     - name: Get Packages
       uses: actions/[email protected]
       with:
-        pattern: ${{ needs.package.outputs.artifact-name }}-*
+        pattern: ${{ format('{0}-*', needs.package.outputs.artifact-basename) }}
         merge-multiple: true
+        path: dist
 
     - name: Test
       run: |
         # The $(ls ...) shell expansion is done in the Github environment;
         # the value of TOGA_INSTALL_COMMAND will be a literal string without any shell expansions to perform
-        TOGA_INSTALL_COMMAND="python -m pip install ../$(ls core/dist/toga_core-*.whl)[dev] ../$(ls dummy/dist/toga_dummy-*.whl)" \
+        TOGA_INSTALL_COMMAND="python -m pip install ../$(ls dist/toga_core-*.whl)[dev] ../$(ls dist/toga_dummy-*.whl)" \
           tox -e py-cov
         tox -qe coverage$(tr -dc "0-9" <<< "${{ matrix.python-version }}")
         mv core/.coverage core/.coverage.${{ matrix.platform }}.${{ matrix.python-version }}
@@ -145,11 +157,12 @@ jobs:
         # https://github.com/nedbat/coveragepy/issues/1572#issuecomment-1522546425
         python-version: ${{ env.min_python_version }}
 
-    - name: Install dev dependencies
-      run: |
-        # We don't actually want to install toga-core;
-        # we just want the dev extras so we have a known version of coverage
-        python -m pip install ./core[dev]
+    - name: Install Tox
+      uses: beeware/.github/.github/actions/install-requirement@main
+      with:
+        requirements: tox
+        extra: dev
+        project-root: core
 
     - name: Retrieve Coverage Data
       uses: actions/[email protected]

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,6 +8,8 @@ on:
 jobs:
   ci:
     uses: ./.github/workflows/ci.yml
+    with:
+      attest-package: "true"
 
   docs:
     name: Verify Docs Build
@@ -24,28 +26,29 @@ jobs:
     permissions:
       contents: write
     steps:
-      - name: Set build variables
+      - name: Set Build Variables
         run: |
-          echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
+          echo "VERSION=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_ENV
 
-      - name: Get packages
+      - name: Get Packages
         uses: actions/[email protected]
         with:
-          pattern: ${{ needs.ci.outputs.artifact-name }}-*
+          pattern: ${{ format('{0}-*', needs.ci.outputs.artifact-basename) }}
           merge-multiple: true
+          path: dist
 
-      - name: Create release
+      - name: Create Release
         uses: ncipollo/[email protected]
         with:
           name: ${{ env.VERSION }}
           draft: true
-          artifacts: "*/dist/*"
+          artifacts: "dist/*"
           artifactErrorsFailBuild: true
 
   deploy-test:
     name: Publish to TestPyPI
     runs-on: ubuntu-latest
-    needs: [ci, release]
+    needs: [ ci, release ]
     permissions:
       # This permission is required for trusted publishing.
       id-token: write
@@ -68,16 +71,17 @@ jobs:
         - "toga_web"
         - "toga_winforms"
     steps:
-      - name: Get packages
+      - name: Get Packages
         uses: actions/[email protected]
         with:
-          pattern: ${{ needs.ci.outputs.artifact-name }}-*
+          pattern: ${{ format('{0}-*', needs.ci.outputs.artifact-basename) }}
           merge-multiple: true
+          path: staging_dist
 
       - name: Extract ${{ matrix.package }}
         run: |
           mkdir dist
-          mv */dist/$(echo ${{ matrix.package }} | sed 's/_/?/')-[0-9]* dist
+          mv staging_dist/$(echo ${{ matrix.package }} | sed 's/_/?/')-[0-9]* dist
 
       - name: Publish to TestPyPI
         uses: pypa/gh-action-pypi-publish@release/v1

diff --git a/changes/2604.misc.rst b/changes/2604.misc.rst
@@ -0,0 +1 @@
+``hynek/build-and-inspect-python-package`` is now used to create the Python package.
diff --git a/demo/pyproject.toml b/demo/pyproject.toml
@@ -119,3 +119,7 @@ build_gradle_dependencies = [
     "com.google.android.material:material:1.11.0",
     "androidx.swiperefreshlayout:swiperefreshlayout:1.1.0",
 ]
+
+[tool.check-wheel-contents]
+# WOO2: duplicated files (i.e. resource images)
+ignore = "W002"
diff --git a/toga/pyproject.toml b/toga/pyproject.toml
@@ -81,3 +81,8 @@ dependencies = [
     # Web
     "toga-web == {version}; sys_platform=='emscripten'",
 ]
+
+[tool.check-wheel-contents]
+# WOO7: wheel library is empty
+# W008: wheel is empty
+ignore = "W007,W008"
diff --git a/tox.ini b/tox.ini
@@ -106,13 +106,3 @@ commands =
     all  : python -m sphinx {[docs]sphinx_args} {posargs} -v -a -E -b html {[docs]docs_dir} {[docs]build_dir}{/}html
     live-!src : sphinx-autobuild {[docs]sphinx_args} {posargs} -b html {[docs]docs_dir} {[docs]build_dir}{/}live
     live-src  : sphinx-autobuild {[docs]sphinx_args} {posargs} -a -E --watch {tox_root}{/}core{/}src{/}toga -b html {[docs]docs_dir} {[docs]build_dir}{/}live
-
-[testenv:package]
-skip_install = True
-passenv = FORCE_COLOR
-deps =
-    build==1.2.1
-    twine==5.1.0
-commands =
-    python -m build {posargs}
-    python -m twine check {posargs}{/}dist{/}*