hardening #21
| name: build-wheels | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - 'v*' | |
| workflow_dispatch: | |
| permissions: {} | |
| jobs: | |
| linux-wheels: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| strategy: | |
| matrix: | |
| target: [x86_64, i686, aarch64] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3 | |
| with: | |
| target: ${{ matrix.target }} | |
| maturin-version: latest | |
| command: build | |
| manylinux: auto | |
| args: --release --sdist -i 3.9 3.10 3.11 3.12 3.13 3.13t 3.14 3.14t | |
| - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: linux-wheels-${{ matrix.target }} | |
| path: target/wheels/ | |
| osx-wheels: | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| strategy: | |
| matrix: | |
| include: | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| python-version: "3.9" | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| python-version: "3.10" | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| python-version: "3.11" | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| python-version: "3.12" | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| python-version: "3.13" | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| python-version: "3.13t" | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| python-version: "3.14" | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| python-version: "3.14t" | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| python-version: "3.9" | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| python-version: "3.10" | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| python-version: "3.11" | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| python-version: "3.12" | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| python-version: "3.13" | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| python-version: "3.13t" | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| python-version: "3.14" | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| python-version: "3.14t" | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| allow-prereleases: true | |
| - uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3 | |
| with: | |
| target: ${{ matrix.target }} | |
| maturin-version: latest | |
| command: build | |
| args: --release | |
| - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: osx-${{ matrix.target }}-${{ matrix.python-version }}-wheel | |
| path: target/wheels/ | |
| windows-wheels: | |
| runs-on: windows-latest | |
| permissions: | |
| contents: read | |
| strategy: | |
| matrix: | |
| python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.13t", "3.14", "3.14t"] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| allow-prereleases: true | |
| - uses: PyO3/maturin-action@e10f6c464b90acceb5f640d31beda6d586ba7b4a # v1.49.3 | |
| with: | |
| maturin-version: latest | |
| command: build | |
| args: --release | |
| - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: windows-${{ matrix.python-version }}-wheel | |
| path: target/wheels/ | |
| collect-wheels: | |
| needs: [osx-wheels, windows-wheels, linux-wheels] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| path: wheels/ | |
| merge-multiple: true | |
| - name: Display structure of downloaded files | |
| run: ls -R wheels/ | |
| - name: Upload wheels as artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: all-wheels | |
| path: wheels/ | |
| retention-days: 7 | |
| publish-pypi: | |
| needs: [collect-wheels] | |
| runs-on: ubuntu-latest | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| environment: | |
| name: pypi | |
| url: https://pypi.org/p/sqloxide | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| steps: | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: all-wheels | |
| path: wheels/ | |
| - name: Generate build provenance attestations | |
| uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | |
| with: | |
| subject-path: 'wheels/*' | |
| - name: Publish to PyPI | |
| uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 | |
| with: | |
| packages-dir: wheels/ | |
| attestations: true |
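Review bot: The three build jobs (linux-wheels, osx-wheels, windows-wheels) pin every action to a commit SHA but still pass `maturin-version: latest` to PyO3/maturin-action, so the tool that compiles the wheels is resolved at run time and can differ between the run that was reviewed and the tagged run that publishes. Because publish-pypi attests and uploads whatever those jobs produced, I would pin it, e.g. `maturin-version: <PINNED_MATURIN_VERSION>`, and bump it deliberately alongside the action SHAs. Separately, linux-wheels passes `--sdist` in all three matrix legs and collect-wheels downloads with `merge-multiple: true`, so the sdist that lands in `all-wheels` is presumably whichever leg wrote last; building the sdist in a single leg would tie the published source archive to one job. The protection rules on the `pypi` environment (required reviewers, allowed tags) are not visible on this page and are worth confirming, since the only gate in the file itself is the `startsWith(github.ref, 'refs/tags/v')` check.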