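# Release workflow: validates the release tag as SemVer, builds the Python
# package, publishes it to PyPI through trusted publishing, and attaches
# Sigstore-signed artifacts to the GitHub release.
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# (@v2, @v4, @release/v1, ...). Pinning each `uses:` to a full commit SHA, with
# the tag kept in a trailing comment, makes the pipeline reproducible and
# immune to tag moves. No SHAs are written here because none were on hand.
name: Release Workflow
run-name: ${{ (github.event.release.prerelease && 'Pre-') || ''}}Release for ${{ github.repository }} - ${{ github.event.release.tag_name }}

on:
  release:
    # Triggered on Pre-Releases and Releases
    types: [released, prereleased]

# Least-privilege default for jobs that do not declare their own permissions
# (define-environment, build). Jobs with an explicit `permissions:` block
# replace this entirely.
permissions:
  contents: read

# Only allow one release at the time
concurrency:
  group: deploy-${{ github.repository }}-release-${{ github.event.release.prerelease }}

jobs:
  define-environment:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.get-environment.outputs.version }}
    steps:
      - uses: step-security/harden-runner@v2
        with:
          disable-sudo: true
          # `audit` only records egress; consider `block` with an
          # `allowed-endpoints` list once the required hosts are known.
          egress-policy: audit
      - name: Configure Environment
        id: get-environment
        # Expressions are passed through `env` rather than interpolated into the
        # script body, so a tag name containing shell metacharacters is handled
        # as data, not executed as code.
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
          # Pinned release of semver-tool. The previous reference fetched the
          # unpinned `master` branch on every run; a commit SHA plus a sha256
          # check of the downloaded script would be stronger still.
          SEMVER_TOOL_URL: https://raw.githubusercontent.com/fsaintjacques/semver-tool/3.4.0/src/semver
        run: |
          set -euo pipefail
          # Keep the helper in the runner's temp dir instead of /usr/local/bin.
          semver="$RUNNER_TEMP/semver"
          wget -O "$semver" "$SEMVER_TOOL_URL"
          chmod +x "$semver"
          if [[ $("$semver" validate "$TAG_NAME") == "invalid" ]]; then
            echo "::error title=Invalid Release::Release must be tagged with a valid SemVer version"
            exit 1
          fi
          echo "version=$("$semver" get release "$TAG_NAME")" >> "$GITHUB_OUTPUT"

  build:
    name: Build Package
    needs: define-environment
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          disable-sudo: true
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: pantos-io/ci-workflows/.github/actions/install-poetry@v1
      - name: Build package
        env:
          VERSION: ${{ needs.define-environment.outputs.version }}
        run: |
          set -euo pipefail
          make check-version VERSION="$VERSION"
          make build
      - name: Freeze dependencies
        run: |
          set -euo pipefail
          poetry self add poetry-plugin-freeze
          poetry freeze-wheel
          # Copy the file "METADATA" from the wheel to "PKG-INFO" in the sdist
          # Unzip wheel and sdist
          mkdir tmp
          cp dist/*.whl tmp/wheel.zip
          unzip tmp/wheel.zip -d tmp/wheel/
          # Untar sdist
          mkdir tmp/sdist
          tar -xzf dist/*.tar.gz -C tmp/sdist/
          # Copy the file
          cp tmp/wheel/*.dist-info/METADATA tmp/sdist/*/PKG-INFO
          # Tar the sdist again (a glob, rather than parsing `ls | grep`, so
          # the unescaped "." in the old pattern can no longer match other files)
          for sdist in dist/*.tar.gz; do
            tar -czf "$sdist" -C tmp/sdist/ .
          done
          # Remove the temporary directories
          rm -rf tmp
      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          name: common
          path: dist

  publish-pypi:
    name: Publish to PyPi
    needs: [define-environment, build]
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/project/pantos-common/${{ needs.define-environment.outputs.version }}
    permissions:
      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
      - uses: step-security/harden-runner@v2
        with:
          disable-sudo: true
          egress-policy: audit
      - name: Download build artifact
        uses: actions/download-artifact@v4
        with:
          name: common
          path: dist
      - name: Publish package distributions to PyPi
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          print-hash: true
          repository-url: 'https://upload.pypi.org/legacy/'

  add-assets:
    name: Add Assets to the ${{ github.event.release.tag_name }} Release
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write # used by the Sigstore signing steps below
    steps:
      - uses: step-security/harden-runner@v2
        with:
          disable-sudo: true
          egress-policy: audit
      - uses: actions/download-artifact@v4
        with:
          name: common
          path: dist
      - name: Stage wheels for signing
        run: |
          set -euo pipefail
          mkdir -p release
          cp dist/*.whl release/
      # NOTE(review): the version of this action was garbled in the source this
      # file was recovered from ("sigstore/[email protected]"); restore the exact
      # release (and preferably a commit SHA) before use.
      - uses: sigstore/gh-action-sigstore-python@<RESTORE-VERSION-FROM-ORIGINAL>
        with:
          inputs: release/*
      # NOTE(review): only the wheels are kept in this artifact; any signature
      # files the signing step writes next to them are not -- confirm intent.
      - uses: actions/upload-artifact@v4
        with:
          name: signed-common
          path: release/*.whl
      - name: Upload release assets
        uses: svenstaro/upload-release-action@v2
        with:
          file: "./release/*"
          file_glob: true
          overwrite: true
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ github.event.release.tag_name }}
      # NOTE(review): version garbled in the source ("robinraju/[email protected]");
      # restore the exact release before use.
      - uses: robinraju/release-downloader@<RESTORE-VERSION-FROM-ORIGINAL>
        name: Download tarball
        with:
          tag: ${{ github.event.release.tag_name }}
          tarBall: true
          zipBall: true
          fileName: '*'
          out-file-path: external-release
          preRelease: ${{ github.event.release.prerelease }}
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ github.repository }}
      - name: Drop assets already uploaded from this job
        run: |
          set -euo pipefail
          # nullglob: an empty release/ must not leave a literal "*" that would
          # expand to every file in external-release on the rm line.
          shopt -s nullglob
          ls -lha external-release
          # Remove all the files in external-release that are also present in release
          for file in release/*; do
            rm -f "external-release/$(basename "$file")"
          done
      # NOTE(review): same garbled version as the signing step above.
      - uses: sigstore/gh-action-sigstore-python@<RESTORE-VERSION-FROM-ORIGINAL>
        with:
          inputs: external-release/*
      - name: Upload signed source code
        uses: ncipollo/release-action@v1
        with:
          artifacts: "./external-release/*"
          artifactErrorsFailBuild: true
          allowUpdates: true
          tag: ${{ github.event.release.tag_name }}
          token: ${{ secrets.GITHUB_TOKEN }}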