publish.yml (4.62 kB)
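---
# Release workflow: build the sdist/wheel once, hand that single artifact to
# the publishing jobs (PyPI or TestPyPI, both via OIDC trusted publishing) and,
# on releases, to a job that attests and signs it.
name: Publish to PyPI

"on":
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      environment:
        description: 'Publishing environment'
        required: true
        type: choice
        options:
          - pypi
          - testpypi
        default: testpypi

# Start from an empty token: every job below declares exactly the scopes it
# needs, so nothing is inherited from a workflow-wide default.
permissions: {}

jobs:
  build:
    name: Build distribution
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v5
        with:
          # No later step needs git credentials; keep the token out of
          # .git/config while the build backend runs.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # v6
        with:
          python-version: "3.13"
          # The pip cache is deliberately not enabled: the install step passes
          # --no-cache-dir, so a restored cache would never be read, and a
          # release build should not restore shared cache content.

      - name: Install build dependencies
        # --require-hashes makes pip refuse any package whose hash is not
        # pinned in the requirements file.
        run: |
          python -m pip install --require-hashes --no-cache-dir -r requirements-pip.txt
          python -m pip install --require-hashes --no-cache-dir -r requirements-dev.txt

      - name: Build distribution
        run: python -m build

      - name: Upload distribution artifacts
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v4
        with:
          name: dist
          path: dist/
          retention-days: 5

  publish-pypi:
    name: Publish to PyPI
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # Required for trusted publishing to PyPI
      contents: read
    # Runs on a published release, or on a manual dispatch that explicitly
    # selects 'pypi'.
    # NOTE(review): a manual dispatch with 'pypi' uploads to PyPI while
    # sign-provenance (release-only) is skipped, and this job does not wait for
    # sign-provenance on releases either. Consider a protected deployment
    # environment with required reviewers for this job; that has to match the
    # trusted-publisher configuration on PyPI, so it is not changed here.
    if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && inputs.environment == 'pypi')
    steps:
      - name: Download distribution artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v4
        with:
          name: dist
          path: dist/

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # release/v1

  publish-testpypi:
    name: Publish to TestPyPI
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # Required for trusted publishing to TestPyPI
      contents: read
    # Only run on manual workflow dispatch to TestPyPI
    if: github.event_name == 'workflow_dispatch' && inputs.environment == 'testpypi'
    steps:
      - name: Download distribution artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v4
        with:
          name: dist
          path: dist/

      - name: Publish to TestPyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # release/v1
        with:
          repository-url: https://test.pypi.org/legacy/

  sign-provenance:
    name: Sign with SLSA provenance
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # Required for signing
      contents: write  # Required for attestation and release upload
      attestations: write
    # Only run on actual releases
    if: github.event_name == 'release'
    steps:
      - name: Download distribution artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v4
        with:
          name: dist
          path: dist/

      - name: Attest build provenance
        id: attest
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v1
        with:
          subject-path: 'dist/*'

      - name: Sign artifacts with Sigstore
        uses: sigstore/gh-action-sigstore-python@270f433185478a1a3902211f074a7efa94452f55  # v3.0.1
        with:
          inputs: >-
            ./dist/*.tar.gz
            ./dist/*.whl

      - name: Copy attestation bundle for OpenSSF Scorecard
        env:
          # Pass the step output through the environment rather than expanding
          # the expression inside the script, so its value is never parsed as
          # shell source.
          BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}
        run: |
          # Copy the attestation bundle from the action output
          # The bundle contains attestations for all artifacts in JSON Lines format
          # Best-effort: a missing bundle only logs a warning, so the release
          # can end up without the .intoto.jsonl file.
          if [ -n "$BUNDLE_PATH" ] && [ -f "$BUNDLE_PATH" ]; then
            cp "$BUNDLE_PATH" dist/attestations.intoto.jsonl
            echo "✓ Copied attestation bundle to dist/attestations.intoto.jsonl"
            ls -lh dist/attestations.intoto.jsonl
          else
            echo "⚠️ No attestation bundle found at output path"
          fi

      - name: Upload attestation bundles and signatures to release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: |
            dist/*.sigstore.json
            dist/*.intoto.jsonl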
