From f6fd7721691b7b477223e6a59e63adc053e4ed79 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Tue, 19 May 2026 14:09:44 +0100 Subject: [PATCH 1/2] Split workflow to reduce the available permissions during the build step. --- .github/workflows/publish-to-testpypi.yaml | 50 +++++++++++++++------- 1 file changed, 34 insertions(+), 16 deletions(-) diff --git a/.github/workflows/publish-to-testpypi.yaml b/.github/workflows/publish-to-testpypi.yaml index e37bc9d..849dd9d 100644 --- a/.github/workflows/publish-to-testpypi.yaml +++ b/.github/workflows/publish-to-testpypi.yaml @@ -3,22 +3,15 @@ name: Publish Pre-Release to TestPyPI on: workflow_dispatch jobs: - publish: - name: Build + build: + name: Build distribution runs-on: ubuntu-latest - # This environment is required as an input to pypa/gh-action-pypi-publish - environment: - name: testpypi - url: https://test.pypi.org/p/seclab-taskflow-agent - env: GITHUB_REPO: ${{ github.repository }} permissions: - contents: write - id-token: write # For trusted publishing - attestations: write # For artifact attestation + contents: read steps: - name: Checkout repository @@ -29,7 +22,7 @@ jobs: - name: Set up Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: - python-version: "3.13" + python-version: "3.14" - name: Install Hatch run: pip install --upgrade hatch @@ -52,17 +45,42 @@ jobs: - name: Build the wheel run: python3 -m hatch build - - name: Attest build provenance - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 - with: - subject-path: ./dist/* - - name: Upload artifacts uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: python-package-distributions path: ./dist/ + publish: + name: Publish to TestPyPI + needs: build + runs-on: ubuntu-latest + + # This environment is required as an input to pypa/gh-action-pypi-publish + environment: + name: testpypi + url: https://test.pypi.org/p/seclab-taskflow-agent + + env: + GITHUB_REPO: ${{ github.repository }} + + permissions: + contents: write + id-token: write # For trusted publishing + attestations: write # For artifact attestation + + steps: + - name: Download distribution artifacts + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: python-package-distributions + path: ./dist/ + + - name: Attest build provenance + uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 + with: + subject-path: ./dist/* + - name: Publish to TestPyPI uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: From 718bd9f013da628a555636d5db2c3799e760efc0 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Tue, 19 May 2026 14:26:12 +0100 Subject: [PATCH 2/2] Pass release name between jobs --- .github/workflows/publish-to-testpypi.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-to-testpypi.yaml b/.github/workflows/publish-to-testpypi.yaml index 849dd9d..98fdb00 100644 --- a/.github/workflows/publish-to-testpypi.yaml +++ b/.github/workflows/publish-to-testpypi.yaml @@ -6,6 +6,8 @@ jobs: build: name: Build distribution runs-on: ubuntu-latest + outputs: + release_name: ${{ steps.create_version_number.outputs.RELEASE_NAME }} env: GITHUB_REPO: ${{ github.repository }} @@ -90,5 +92,5 @@ jobs: - name: Create GitHub Release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - RELEASE_NAME: ${{ steps.create_version_number.outputs.RELEASE_NAME }} + RELEASE_NAME: ${{ needs.build.outputs.release_name }} run: gh release create $RELEASE_NAME dist/* --repo $GITHUB_REPO --prerelease --generate-notes