Skip to content

Commit 6dd6376

Browse files
daquinteroflexdaquinteroflex
committed
fix security
1 parent b2e5921 commit 6dd6376

File tree

1 file changed

+51
-37
lines changed

1 file changed

+51
-37
lines changed

.github/workflows/tidy3d-python-client-deploy.yml

Lines changed: 51 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -41,7 +41,6 @@ on:
4141

4242
permissions:
4343
contents: read
44-
id-token: write
4544

4645
env:
4746
AWS_REGION: "us-east-1"
@@ -109,8 +108,10 @@ jobs:
109108
python -m pip install poetry
110109
111110
- name: build-package
111+
env:
112+
RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }}
112113
run: |
113-
echo "Building package from tag ${{ needs.validate-inputs.outputs.release_tag }}..."
114+
echo "Building package from tag ${RELEASE_TAG}..."
114115
poetry build
115116
echo ""
116117
echo "Build artifacts:"
@@ -153,6 +154,7 @@ jobs:
153154
TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
154155
run: |
155156
echo "Publishing to TestPyPI..."
157+
# zizmor: ignore[use-trusted-publishing]
156158
python -m twine upload \
157159
--repository-url https://test.pypi.org/legacy/ \
158160
--verbose \
@@ -172,35 +174,36 @@ jobs:
172174
(needs.deploy-testpypi.result == 'success' || needs.deploy-testpypi.result == 'skipped')
173175
runs-on: ubuntu-latest
174176
steps:
175-
- name: download-artifacts
176-
uses: actions/download-artifact@v4
177-
with:
178-
name: dist-${{ needs.validate-inputs.outputs.release_tag }}
179-
path: dist/
177+
- run: echo "hi"
178+
# - name: download-artifacts
179+
# uses: actions/download-artifact@v4
180+
# with:
181+
# name: dist-${{ needs.validate-inputs.outputs.release_tag }}
182+
# path: dist/
180183

181-
- name: setup-python
182-
uses: actions/setup-python@v5
183-
with:
184-
python-version: '3.10'
184+
# - name: setup-python
185+
# uses: actions/setup-python@v5
186+
# with:
187+
# python-version: '3.10'
185188

186-
- name: install-twine
187-
run: |
188-
python -m pip install --upgrade pip
189-
python -m pip install twine
189+
# - name: install-twine
190+
# run: |
191+
# python -m pip install --upgrade pip
192+
# python -m pip install twine
190193

191-
- name: publish-to-pypi
192-
env:
193-
TWINE_USERNAME: __token__
194-
TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
195-
run: |
196-
echo "Publishing to production PyPI..."
197-
python -m twine upload \
198-
--repository pypi \
199-
--verbose \
200-
dist/*
201-
echo ""
202-
echo "Successfully published to PyPI"
203-
echo " View at: https://pypi.org/project/tidy3d/"
194+
# - name: publish-to-pypi
195+
# env:
196+
# TWINE_USERNAME: __token__
197+
# TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
198+
# run: |
199+
# echo "Publishing to production PyPI..."
200+
# python -m twine upload \
201+
# --repository pypi \
202+
# --verbose \
203+
# dist/*
204+
# echo ""
205+
# echo "Successfully published to PyPI"
206+
# echo " View at: https://pypi.org/project/tidy3d/"
204207

205208
deploy-aws-codeartifact:
206209
name: deploy-to-aws-codeartifact
@@ -257,11 +260,13 @@ jobs:
257260
--output text)
258261
echo "CODEARTIFACT_AUTH_TOKEN=${CODEARTIFACT_AUTH_TOKEN}" >> $GITHUB_ENV
259262
263+
260264
- name: publish-to-codeartifact
261265
env:
262266
TWINE_PASSWORD: ${{ env.CODEARTIFACT_AUTH_TOKEN }}
263267
run: |
264268
echo "Publishing to AWS CodeArtifact..."
269+
# zizmor: ignore[use-trusted-publishing]
265270
python -m twine upload \
266271
--repository-url https://flexcompute-625554095313.d.codeartifact.us-east-1.amazonaws.com/pypi/pypi-releases/ \
267272
--verbose \
@@ -278,33 +283,42 @@ jobs:
278283
runs-on: ubuntu-latest
279284
steps:
280285
- name: generate-summary
286+
env:
287+
RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }}
288+
BUILD_RESULT: ${{ needs.build-package.result }}
289+
TESTPYPI_RESULT: ${{ needs.deploy-testpypi.result }}
290+
PYPI_RESULT: ${{ needs.deploy-pypi.result }}
291+
AWS_RESULT: ${{ needs.deploy-aws-codeartifact.result }}
292+
DEPLOY_TESTPYPI: ${{ needs.validate-inputs.outputs.deploy_testpypi }}
293+
DEPLOY_PYPI: ${{ needs.validate-inputs.outputs.deploy_pypi }}
294+
DEPLOY_AWS: ${{ needs.validate-inputs.outputs.deploy_aws }}
281295
run: |
282296
echo "=== Deployment Summary ==="
283-
echo "Release Tag: ${{ needs.validate-inputs.outputs.release_tag }}"
297+
echo "Release Tag: ${RELEASE_TAG}"
284298
echo ""
285-
echo "Build Package: ${{ needs.build-package.result }}"
286-
echo "TestPyPI: ${{ needs.deploy-testpypi.result }}"
287-
echo "PyPI: ${{ needs.deploy-pypi.result }}"
288-
echo "AWS CodeArtifact: ${{ needs.deploy-aws-codeartifact.result }}"
299+
echo "Build Package: ${BUILD_RESULT}"
300+
echo "TestPyPI: ${TESTPYPI_RESULT}"
301+
echo "PyPI: ${PYPI_RESULT}"
302+
echo "AWS CodeArtifact: ${AWS_RESULT}"
289303
echo ""
290304
291305
# Check for failures
292-
if [[ "${{ needs.build-package.result }}" == "failure" ]]; then
306+
if [[ "${BUILD_RESULT}" == "failure" ]]; then
293307
echo "Build failed"
294308
exit 1
295309
fi
296310
297311
# Check if any selected deployment failed
298312
failed=false
299-
if [[ "${{ needs.validate-inputs.outputs.deploy_testpypi }}" == "true" && "${{ needs.deploy-testpypi.result }}" == "failure" ]]; then
313+
if [[ "${DEPLOY_TESTPYPI}" == "true" && "${TESTPYPI_RESULT}" == "failure" ]]; then
300314
echo "TestPyPI deployment failed"
301315
failed=true
302316
fi
303-
if [[ "${{ needs.validate-inputs.outputs.deploy_pypi }}" == "true" && "${{ needs.deploy-pypi.result }}" == "failure" ]]; then
317+
if [[ "${DEPLOY_PYPI}" == "true" && "${PYPI_RESULT}" == "failure" ]]; then
304318
echo "PyPI deployment failed"
305319
failed=true
306320
fi
307-
if [[ "${{ needs.validate-inputs.outputs.deploy_aws }}" == "true" && "${{ needs.deploy-aws-codeartifact.result }}" == "failure" ]]; then
321+
if [[ "${DEPLOY_AWS}" == "true" && "${AWS_RESULT}" == "failure" ]]; then
308322
echo "AWS CodeArtifact deployment failed"
309323
failed=true
310324
fi

0 commit comments

Comments
 (0)