From f27796983d116fc9e32772e587b4b1cb12a5d793 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonard=20G=C3=B6hrs?= <l.goehrs@pengutronix.de>
Date: Wed, 24 Apr 2024 15:33:24 +0200
Subject: [PATCH] CI: add automatic publication to pypi.org and test.pypi.org
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We want to reduce the potential for human error in our publication process
and also streamline the process for everyone with the permission to create
tags in the repository.

The CI job runs for new commits pushed to the master branch and newly
pushed tags, as long as the PUBLISH_PYPI GitHub Action variable is set
to "true".
This is to prevent CI runs on forked repository from failing because they
are not allowed to publish on pypi.org and test.pypi.org.
A fork that wants to use the publish logic just has to set the
PUBLISH_PYPI variable for their repository.

The job does not check out the git repository (hence why it does not use
the existing publication logic in the Makefile) and instead downloads
the artifacts generated by the build job.

All builds are uploaded to test.pypi.org (so they can be tested via pip
install) and tagged releases are uploaded to pypi.org as well.

Also remove the upload helpers from the Makefile to make it clear that
they are replaced by the automated process.

Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
---
 .github/workflows/check-and-build.yaml   | 39 ---------------
 .github/workflows/check-and-publish.yaml | 64 ++++++++++++++++++++++++
 Makefile                                 |  8 +--
 3 files changed, 66 insertions(+), 45 deletions(-)
 delete mode 100644 .github/workflows/check-and-build.yaml
 create mode 100644 .github/workflows/check-and-publish.yaml

diff --git a/.github/workflows/check-and-build.yaml b/.github/workflows/check-and-build.yaml
deleted file mode 100644
index ad0a99a..0000000
--- a/.github/workflows/check-and-build.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-name: Check and Build
-
-on: [push, pull_request]
-
-jobs:
-  codespell:
-    name: Codespell
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - run: make qa-codespell
-
-  pytest:
-    name: Python Test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - run: make qa-pytest
-
-  ruff:
-    name: Python Format and Lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - run: make qa-ruff
-
-  build:
-    name: Python Build
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          # include tags and full history for setuptools_scm
-          fetch-depth: 0
-      - run: make build
-      - uses: actions/upload-artifact@v4
-        with:
-          name: dist
-          path: dist
diff --git a/.github/workflows/check-and-publish.yaml b/.github/workflows/check-and-publish.yaml
new file mode 100644
index 0000000..11413c4
--- /dev/null
+++ b/.github/workflows/check-and-publish.yaml
@@ -0,0 +1,64 @@
+name: Check and Publish
+
+on: [push, pull_request]
+
+jobs:
+  codespell:
+    name: Codespell
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: make qa-codespell
+
+  pytest:
+    name: Python Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: make qa-pytest
+
+  ruff:
+    name: Python Format and Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: make qa-ruff
+
+  build:
+    name: Python Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # include tags and full history for setuptools_scm
+          fetch-depth: 0
+      - run: make build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist
+
+  publish:
+    name: Publish
+    if: ${{ github.event_name == 'push' && vars.PUBLISH_PYPI == 'true' && (startsWith(github.ref, 'refs/tags') || github.ref == 'refs/heads/master') }}
+    runs-on: ubuntu-latest
+    needs:
+      - codespell
+      - pytest
+      - ruff
+      - build
+    permissions:
+      id-token: write
+    steps:
+      - name: Download artifacts from build stage
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - name: Publish distribution package to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+      - name: Publish distribution package to PyPI
+        if: ${{ startsWith(github.ref, 'refs/tags') }}
+        uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/Makefile b/Makefile
index 04cb9b6..29305b4 100644
--- a/Makefile
+++ b/Makefile
@@ -12,10 +12,10 @@ $(PYTHON_PACKAGING_VENV)/.created:
 	$(PYTHON) -m venv $(PYTHON_PACKAGING_VENV) && \
 	. $(PYTHON_PACKAGING_VENV)/bin/activate && \
 	$(PYTHON) -m pip install --upgrade pip && \
-	$(PYTHON) -m pip install build twine
+	$(PYTHON) -m pip install build
 	date > $(PYTHON_PACKAGING_VENV)/.created
 
-.PHONY: packaging-env build _release
+.PHONY: packaging-env build
 
 packaging-env: $(PYTHON_PACKAGING_VENV)/.created
 
@@ -24,10 +24,6 @@ build: packaging-env
 	rm -rf dist *.egg-info && \
 	$(PYTHON) -m build
 
-_release: build
-	. $(PYTHON_PACKAGING_VENV)/bin/activate && \
-	$(PYTHON) -m twine upload dist/*
-
 # helper ######################################################################
 .PHONY: clean envs