release.yaml
# Release pipeline, started by pushing a tag. Stages, in order:
#   1. Check and build the distribution
#   2. Publish to TestPyPI
#   3. Publish to PyPI, only if the TestPyPI upload succeeded
#   4. Sign the distribution with Sigstore
#   5. Create the GitHub Release carrying the signed distribution
#
# NOTE(review): the leading glyphs in the `name:` values of this file are
# emoji that were mis-encoded in this copy; they are reproduced as found.
name: π¦ CI Pipeline 2 -- Release

# Runs on tag pushes only, for tags matching the glob `*.*.*`. There is no
# branch or pull-request trigger. The glob accepts any tag with two dots; the
# "Check version" step of the build job is what ties the tag to the declared
# package version.
# NOTE(review): GitHub documents that `paths` filters are not evaluated for
# tag pushes, so the filter below likely has no effect here -- confirm.
on:
  push:
    tags:
      - "*.*.*"
    paths:
      - "**"
      - "!docs/**"
      - "!examples/**"

env:
  TERM: xterm
  VENV_PATH: .venv

jobs:
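# Release gate: wait for the testing pipeline and stop unless it succeeded.
  wait-for-testing:
    name: π Wait for Testing Pipeline
    runs-on: ubuntu-latest
    # Only run in the upstream repository, never in forks.
    if: ${{ github.repository == 'crs4/rocrate-validator' }}
    # Least privilege: the job only reads check runs for the tagged commit, so
    # the third-party action below never receives a write-capable token.
    permissions:
      checks: read
    steps:
      - name: Wait for testing pipeline to succeed
        # The ref after `@` is obfuscated in this copy ("[email protected]"); the
        # action name is reconstructed from its owner, inputs and output.
        # Restore the original ref. Pinning a third-party action to a full
        # commit SHA protects the release gate from a moved tag.
        uses: fountainhead/action-wait-for-check@<ORIGINAL_REF>
        id: wait-for-testing
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Must equal the check name published by the testing workflow,
          # character for character. The leading glyph is mis-encoded in this
          # copy and is reproduced as found -- verify against that workflow.
          checkName: β Run tests
          ref: ${{ github.sha }}
      - name: Do something with a passing build
        if: steps.wait-for-testing.outputs.conclusion == 'success'
        run: echo "Testing pipeline passed" && exit 0
      # Fail closed: any conclusion other than 'success' (failure, timed out,
      # cancelled, ...) must stop the release. Matching only 'failure' would
      # let a timed-out or cancelled test run fall through to publishing.
      - name: Do something with a failing build
        if: steps.wait-for-testing.outputs.conclusion != 'success'
        env:
          CONCLUSION: ${{ steps.wait-for-testing.outputs.conclusion }}
        run: |
          echo "Testing pipeline failed (conclusion: ${CONCLUSION})"
          exit 1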
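# Check and Build Distribution
  build:
    name: π Check and Build Distribution
    runs-on: ubuntu-latest
    needs: wait-for-testing
    if: ${{ github.repository == 'crs4/rocrate-validator' }}
    # Least privilege: building only needs to read the repository.
    permissions:
      contents: read
    steps:
      - name: β¬οΈ Checkout code
        uses: actions/checkout@v4
        with:
          # Later steps run project and dependency code (poetry install/build);
          # do not leave the job token stored in the checkout's git config.
          persist-credentials: false
      - name: π Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: π§ Set up Python Environment
        # NOTE(review): pip and poetry are installed unpinned, so the build
        # toolchain of a release can change between runs; consider pinning.
        run: |
          pip install --upgrade pip
          pip install poetry
      - name: π¦ Install Package Dependencies
        run: poetry install --no-interaction --no-ansi
      # Refuse to build when the pushed tag differs from the version declared
      # by the package. Values from the `github` context are handed over as
      # environment variables instead of being expanded into the script text,
      # so the shell treats a tag name as data, never as code.
      - name: β Check version
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_TYPE: ${{ github.ref_type }}
          REF: ${{ github.ref }}
        run: |
          if [ "$EVENT_NAME" == "push" ] && [ "$REF_TYPE" == "tag" ]; then
            declared_version=$(poetry version -s)
            echo "Checking tag '$REF' against package version $declared_version"
            if [ "$REF" != "refs/tags/$declared_version" ]; then
              echo "Tag '$REF' does not match the declared package version '$declared_version'"
              exit 1
            else
              echo "Tag '$REF' matches the declared package version '$declared_version'"
            fi
          fi
      - name: ποΈ Build a binary wheel and a source tarball
        run: poetry build
      # The publish and sign jobs download this artifact; nothing is rebuilt
      # after this point.
      - name: π¦ Store the distribution packages
        uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions
          path: |
            dist/*.whl
            dist/*.tar.gz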
# Stage 2: upload the built distribution to TestPyPI
  publish-to-testpypi:
    name: π¦ Publish to TestPyPI
    needs: [build]
    runs-on: ubuntu-latest
    environment:
      name: testpypi
      url: https://test.pypi.org/p/roc-validator
    # Only an OIDC identity token is granted: trusted publishing needs it, and
    # the job declares no other permission and reads no stored API token.
    permissions:
      id-token: write
    steps:
      # Fetch the files produced by the build job.
      - name: β¬οΈ Download all the distribution packages
        uses: actions/download-artifact@v4
        with:
          path: dist/
          name: python-package-distributions
      # NOTE(review): `release/v1` is a branch ref and can move; this action
      # runs with the publishing identity, so consider pinning it.
      - name: π¦ Publish distribution to TestPyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
# Stage 3: upload to PyPI, reached only after the TestPyPI upload succeeded
  publish-to-pypi:
    name: π¦ Publish to PyPI
    needs:
      - build
      - publish-to-testpypi
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/p/roc-validator
    # Only an OIDC identity token is granted: trusted publishing needs it, and
    # the job declares no other permission and reads no stored API token.
    permissions:
      id-token: write
    steps:
      # Fetch the same files that were uploaded to TestPyPI.
      - name: β¬οΈ Download all the dists
        uses: actions/download-artifact@v4
        with:
          path: dist/
          name: python-package-distributions
      # No `repository-url` is set here, unlike the TestPyPI job.
      # NOTE(review): `release/v1` is a branch ref and can move; this action
      # runs with the publishing identity, so consider pinning it.
      - name: π¦ Publish distribution to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
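# Sign the distribution with Sigstore and store the signatures as an artifact.
# Signing runs after the PyPI upload, so the signatures produced here reach
# users through the GitHub Release only.
  sign-packages:
    name: ποΈ Sign the Python distribution with Sigstore
    needs: publish-to-pypi
    runs-on: ubuntu-latest
    # Least privilege: this job signs and stores workflow artifacts only. The
    # GitHub Release is created in a later job, so `contents: write` is not
    # granted here.
    permissions:
      id-token: write # IMPORTANT: mandatory for sigstore
    steps:
      - name: β¬οΈ Download all the distribution packages
        uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: ποΈ Sign the dists with Sigstore
        # The ref after `@` is obfuscated in this copy ("[email protected]"); the
        # action name is reconstructed from its owner and its `inputs` option.
        # Restore the original ref. Pinning to a full commit SHA matters here
        # because this action runs with the signing identity.
        uses: sigstore/gh-action-sigstore-python@<ORIGINAL_REF>
        with:
          inputs: >-
            ./dist/*.tar.gz
            ./dist/*.whl
      # Only the `.sigstore` files are stored; the release job downloads them
      # next to the packages.
      - name: π¦ Store the signed distribution packages
        uses: actions/upload-artifact@v4
        with:
          name: python-package-signatures
          path: dist/*.sigstore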
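# Create the GitHub Release and attach the packages and their signatures.
  github_release:
    name: π Release on GitHub
    needs: sign-packages
    runs-on: ubuntu-latest
    # Least privilege: nothing is signed in this job, so no OIDC token
    # (`id-token: write`) is granted.
    permissions:
      contents: write # IMPORTANT: mandatory for making GitHub Releases
    steps:
      - name: β¬οΈ Download all the distribution packages
        uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: β¬οΈ Download all the distribution signatures
        uses: actions/download-artifact@v4
        with:
          name: python-package-signatures
          path: dist/
      # The tag and repository names are passed as environment variables and
      # quoted in the shell, not expanded into the command text: a tag name
      # may contain quote or shell metacharacters.
      - name: π Create GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
          TAG_NAME: ${{ github.ref_name }}
          REPOSITORY: ${{ github.repository }}
        run: >-
          gh release create
          "$TAG_NAME"
          --repo "$REPOSITORY"
          --generate-notes
      - name: π¦ Upload artifacts to GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
          TAG_NAME: ${{ github.ref_name }}
          REPOSITORY: ${{ github.repository }}
        # Upload to GitHub Release using the `gh` CLI.
        # `dist/` contains the built packages, and the
        # sigstore-produced signatures and certificates.
        run: >-
          gh release upload
          "$TAG_NAME" dist/**
          --repo "$REPOSITORY"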