Replace old step

edgarrmondragon · May 4, 2024 · 17a50c2 · 17a50c2
1 parent c89aace
commit 17a50c2
Showing 1 changed file with 7 additions and 25 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -44,47 +44,29 @@ jobs:
         path: dist
     - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450
 
-  attestations:
-    name: Attest Build Provenance
-    runs-on: ubuntu-latest
-    needs: [build]
-    permissions:
-      contents: read
-      id-token: write
-      attestations: write
-
-    steps:
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
-        with:
-          name: Packages
-          path: dist
-      - uses: actions/attest-build-provenance@eab7f69317b589ac05272d67712fdd10ab3d4d1d
-        with:
-          subject-path: "./dist/citric*"
-
   # Move this up when PyPI supports signing
   sign:
     name: Sign the distribution package
     if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     needs: [build]
     permissions:
-      contents: write # IMPORTANT: mandatory for making GitHub Releases
-      id-token: write # IMPORTANT: mandatory for sigstore
+      contents: write     # IMPORTANT: mandatory for making GitHub Releases
+      id-token: write     # IMPORTANT: mandatory for attestations
+      attestations: write # IMPORTANT: mandatory for attestations
 
     steps:
       - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
         with:
           name: Packages
           path: dist
-      - uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2
+      - uses: actions/attest-build-provenance@eab7f69317b589ac05272d67712fdd10ab3d4d1d
+        id: attest
         with:
-          inputs: >-
-            ./dist/*.tar.gz
-            ./dist/*.whl
+          subject-path: "./dist/citric*"
       - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd
         with:
-          file: dist/**
+          file: ${{ steps.attest.outputs.bundle-path }}
           tag: ${{ github.event.inputs.tag || github.ref }}
           overwrite: false
           file_glob: true