Release . by @vbarda #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| run-name: Release ${{ inputs.working-directory }} by @${{ github.actor }} | |
| on: | |
| workflow_call: | |
| inputs: | |
| working-directory: | |
| required: true | |
| type: string | |
| description: "From which folder this pipeline executes" | |
| workflow_dispatch: | |
| inputs: | |
| working-directory: | |
| description: "From which folder this pipeline executes" | |
| default: "." | |
| dangerous-nonmain-release: | |
| required: false | |
| type: boolean | |
| default: false | |
| description: "Release from a non-main branch (danger!)" | |
| env: | |
| PYTHON_VERSION: "3.11" | |
| UV_FROZEN: "true" | |
| UV_NO_SYNC: "true" | |
| jobs: | |
| build: | |
| if: github.ref == 'refs/heads/main' || inputs.dangerous-nonmain-release | |
| environment: Scheduled testing | |
| runs-on: ubuntu-latest | |
| outputs: | |
| pkg-name: ${{ steps.check-version.outputs.pkg-name }} | |
| version: ${{ steps.check-version.outputs.version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python + uv | |
| uses: "./.github/actions/uv_setup" | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| # We want to keep this build stage *separate* from the release stage, | |
| # so that there's no sharing of permissions between them. | |
| # The release stage has trusted publishing and GitHub repo contents write access, | |
| # and we want to keep the scope of that access limited just to the release job. | |
| # Otherwise, a malicious `build` step (e.g. via a compromised dependency) | |
| # could get access to our GitHub or PyPI credentials. | |
| # | |
| # Per the trusted publishing GitHub Action: | |
| # > It is strongly advised to separate jobs for building [...] | |
| # > from the publish job. | |
| # https://github.com/pypa/gh-action-pypi-publish#non-goals | |
| - name: Build project for distribution | |
| run: uv build | |
| - name: Upload build | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist | |
| path: ${{ inputs.working-directory }}/dist/ | |
| - name: Check Version | |
| id: check-version | |
| shell: python | |
| working-directory: ${{ inputs.working-directory }} | |
| run: | | |
| import os | |
| import tomllib | |
| with open("pyproject.toml", "rb") as f: | |
| data = tomllib.load(f) | |
| pkg_name = data["project"]["name"] | |
| version = data["project"]["version"] | |
| with open(os.environ["GITHUB_OUTPUT"], "a") as f: | |
| f.write(f"pkg-name={pkg_name}\n") | |
| f.write(f"version={version}\n") | |
| publish: | |
| needs: | |
| - build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # This permission is used for trusted publishing: | |
| # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ | |
| # | |
| # Trusted publishing has to also be configured on PyPI for each package: | |
| # https://docs.pypi.org/trusted-publishers/adding-a-publisher/ | |
| id-token: write | |
| defaults: | |
| run: | |
| working-directory: ${{ inputs.working-directory }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python + uv | |
| uses: "./.github/actions/uv_setup" | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: dist | |
| path: ${{ inputs.working-directory }}/dist/ | |
| - name: Publish package distributions to PyPI | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| packages-dir: ${{ inputs.working-directory }}/dist/ | |
| verbose: true | |
| print-hash: true | |
| # Temp workaround since attestations are on by default as of gh-action-pypi-publish v1.11.0 | |
| attestations: false | |
| mark-release: | |
| needs: | |
| - build | |
| - publish | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # This permission is needed by `ncipollo/release-action` to | |
| # create the GitHub release. | |
| contents: write | |
| defaults: | |
| run: | |
| working-directory: ${{ inputs.working-directory }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python + uv | |
| uses: "./.github/actions/uv_setup" | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: dist | |
| path: ${{ inputs.working-directory }}/dist/ | |
| - name: Create Tag | |
| uses: ncipollo/release-action@v1 | |
| with: | |
| artifacts: "dist/*" | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| generateReleaseNotes: true | |
| tag: ${{needs.build.outputs.pkg-name}}==${{ needs.build.outputs.version }} | |
| body: ${{ needs.release-notes.outputs.release-body }} | |
| commit: main | |
| makeLatest: true |