44 pull_request :
55 branches :
66 - master
7- push :
8- tags :
9- - " v* "
7+ release :
8+ types :
9+ - published
1010
1111jobs :
1212 build_bdist :
@@ -31,19 +31,13 @@ jobs:
3131 arch : ARM64
3232
3333 steps :
34- - uses : actions/checkout@v6
34+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3535 with :
3636 fetch-depth : 0
37-
38- # For aarch64 support
39- # https://cibuildwheel.pypa.io/en/stable/faq/#emulation
40- # - uses: docker/setup-qemu-action@v3
41- # with:
42- # platforms: all
43- # if: runner.os == 'Linux' && matrix.arch == 'aarch64'
37+ persist-credentials : false
4438
4539 - name : Build just oldest and newest on PRs, all on tags
46- if : ${{ github.event_name }} == pull_request
40+ if : github.event_name == " pull_request"
4741 shell : bash
4842 # - On PPs, omit musllinux for speed
4943 # - On PRs, run just oldest and newest Python versions (3.11 is the oldest abi3 target)
@@ -57,51 +51,39 @@ jobs:
5751 echo "Setting CIBW_TEST_SKIP=$CIBW_TEST_SKIP"
5852
5953 - name : " Building ${{ matrix.os }} (${{ matrix.arch }}) wheels"
60- uses : pypa/cibuildwheel@v3.3.1
54+ uses : pypa/cibuildwheel@298ed2fb2c105540f5ed055e8a6ad78d82dd3a7e # v3.3.1
6155 env :
6256 CIBW_SKIP : ${{ env.CIBW_SKIP }}
6357 CIBW_TEST_SKIP : ${{ env.CIBW_TEST_SKIP }}
6458 CIBW_ARCHS : ${{ matrix.arch }}
6559
66- - uses : actions/upload-artifact@v6
60+ - uses : actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
6761 with :
6862 name : pypi-artifacts-${{ matrix.os }}-${{ matrix.arch }}
6963 path : ${{ github.workspace }}/wheelhouse/*.whl
70-
64+ permissions :
65+ actions : write
7166
7267 build_sdist :
7368 name : Build source distribution
7469 runs-on : ubuntu-22.04
7570 steps :
76- - uses : actions/checkout@v6
71+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
7772 with :
7873 fetch-depth : 0
74+ persist-credentials : false
7975
8076 - name : Build sdist
8177 run : >
8278 pip install build
8379 && python -m build --sdist . --outdir dist
8480
85- - uses : actions/upload-artifact@v6
81+ - uses : actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
8682 with :
8783 name : pypi-artifacts
8884 path : ${{ github.workspace }}/dist/*.tar.gz
89-
90- show-artifacts :
91- needs : [build_bdist, build_sdist]
92- name : " Show artifacts"
93- runs-on : ubuntu-22.04
94- steps :
95- - uses : actions/download-artifact@v7
96- with :
97- pattern : pypi-artifacts*
98- path : ${{ github.workspace }}/dist
99- merge-multiple : true
100-
101- - shell : bash
102- run : |
103- ls -l ${{ github.workspace }}/dist
104-
85+ permissions :
86+ actions : write
10587
10688 publish-artifacts-pypi :
10789 needs : [build_bdist, build_sdist]
@@ -110,14 +92,17 @@ jobs:
11092 # upload to PyPI for every tag starting with 'v'
11193 if : github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
11294 steps :
113- - uses : actions/download-artifact@v7
95+ - uses : actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
11496 with :
11597 pattern : pypi-artifacts*
11698 path : ${{ github.workspace }}/dist
11799 merge-multiple : true
118100
119- - uses : pypa/gh-action-pypi-publish@release/v1
101+ # Move to Trusted Publishing
102+ - uses : pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
120103 with :
121104 user : __token__
122105 password : ${{ secrets.PYPI_PASSWORD }}
123106 print_hash : true
107+ permissions :
108+ id-token : write # IMPORTANT: this permission is mandatory for trusted publishing
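Review bot: The publish-artifacts-pypi job can no longer run: its unchanged condition at the top of this hunk, `if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')`, still requires a tag push, but the workflow's push/tags trigger was replaced by `release: types: [published]` in the first hunk, so the condition is always false. It should become `if: github.event_name == 'release' && github.event.action == 'published'`. The added `id-token: write` permission and the "Move to Trusted Publishing" comment also sit next to `user: __token__` / `password: ${{ secrets.PYPI_PASSWORD }}`; pypa/gh-action-pypi-publish only uses OIDC when no password is supplied, so either drop the `with:` block (and retire the PyPI token secret) or drop the permission, rather than granting an OIDC scope the step never uses. Separately, the first hunk's new `if: github.event_name == "pull_request"` uses a double-quoted string, which GitHub expression syntax rejects; it should read `if: github.event_name == 'pull_request'`.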