Skip to content

Release for pantos-io/common - 4.0.1 #19

Release for pantos-io/common - 4.0.1

Release for pantos-io/common - 4.0.1 #19

Workflow file for this run

name: Release Workflow
run-name: ${{ (github.event.release.prerelease && 'Pre-') || ''}}Release for ${{ github.repository }} - ${{ github.event.release.tag_name }}
on:
release:
# Triggered on Pre-Releases and Releases
types: [released, prereleased]
# Only allow one release at the time
concurrency:
group: deploy-${{ github.repository }}-release-${{ github.event.release.prerelease }}
jobs:
define-environment:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.get-environment.outputs.version }}
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: audit
- name: Configure Environment
id: get-environment
run: |
wget -O /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver
chmod +x /usr/local/bin/semver
if [[ $(semver validate ${{ github.event.release.tag_name }}) == "invalid" ]]; then
echo "::error title=Invalid Release::Release must be tagged with a valid SemVer version"
exit 1
fi
echo "version=$(semver get release ${{ github.event.release.tag_name }})" >> $GITHUB_OUTPUT
build:
name: Build Package
needs: define-environment
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: audit
- uses: actions/checkout@v4
- uses: pantos-io/ci-workflows/.github/actions/install-poetry@v1
- name: Build package
run: |
make check-version VERSION=${{ needs.define-environment.outputs.version }}
make build
- name: Freeze dependencies
run: |
poetry self add poetry-plugin-freeze
poetry freeze-wheel
# Copy the file "METADATA" from the wheel to "PKG-INFO" in the sdist
# Unzip wheel and sdist
mkdir tmp
cp dist/*.whl tmp/wheel.zip
unzip tmp/wheel.zip -d tmp/wheel/
# Untar sdist
mkdir tmp/sdist
tar -xzf dist/*.tar.gz -C tmp/sdist/
# Copy the file
cp tmp/wheel/*.dist-info/METADATA tmp/sdist/*/PKG-INFO
# Tar the sdist again
tar -czf dist/$(ls dist | grep .tar.gz) -C tmp/sdist/ .
# Remove the temporary directories
rm -rf tmp
- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
name: common
path: dist
publish-pypi:
name: Publish to PyPi
needs: [define-environment, build]
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/project/pantos-common/${{ needs.define-environment.outputs.version }}
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: audit
- name: Download build artifact
uses: actions/download-artifact@v4
with:
name: common
path: dist
- name: Publish package distributions to PyPi
uses: pypa/gh-action-pypi-publish@release/v1
with:
print-hash: true
repository-url: 'https://upload.pypi.org/legacy/'
add-assets:
name: Add Assets to the ${{ github.event.release.tag_name }} Release
needs: build
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: audit
- uses: actions/download-artifact@v4
with:
name: common
path: dist
- name: List directory
run: |
mkdir -p release
cp dist/*.whl release/
- uses: sigstore/[email protected]
with:
inputs: release/*
- uses: actions/upload-artifact@v4
with:
name: signed-common
path: release/*.whl
- name: Upload release assets
uses: svenstaro/upload-release-action@v2
with:
file: "./release/*"
file_glob: true
overwrite: true
repo_token: ${{ secrets.GITHUB_TOKEN }}
tag: ${{ github.event.release.tag_name }}
- uses: robinraju/[email protected]
name: Download tarball
with:
tag: ${{ github.event.release.tag_name }}
tarBall: true
zipBall: true
fileName: '*'
out-file-path: external-release
preRelease: ${{ github.event.release.prerelease }}
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ github.repository }}
- name: List directory
run: |
ls -lha external-release
# Remove all the files in external-release that are also present in release
for file in $(ls release); do
rm -f external-release/$file
done
- uses: sigstore/[email protected]
with:
inputs: external-release/*
- name: Upload signed source code
uses: ncipollo/release-action@v1
with:
artifacts: "./external-release/*"
artifactErrorsFailBuild: true
allowUpdates: true
tag: ${{ github.event.release.tag_name }}
token: ${{ secrets.GITHUB_TOKEN }}