[PAN-1850] Publish to PyPI (#22)
* feature: Publish to PyPI
jpantos authored May 17, 2024
1 parent 1cf095d commit ea5e7a2
Showing 3 changed files with 83 additions and 2 deletions.
70 changes: 68 additions & 2 deletions .github/workflows/release.yaml
@@ -1,5 +1,5 @@
name: Release Workflow
run-name: ${{ (github.event.release.prerelease && 'Beta') || 'Prod'}} Release for ${{ github.repository }} - ${{ github.event.release.tag_name }}
run-name: ${{ (github.event.release.prerelease && 'Pre-') || ''}}Release for ${{ github.repository }} - ${{ github.event.release.tag_name }}
on:
release:
# Triggered on Pre-Releases and Releases
@@ -10,23 +10,84 @@ concurrency:
group: deploy-${{ github.repository }}-release-${{ github.event.release.prerelease }}

jobs:
define-environment:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.get-environment.outputs.version }}
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: audit

- name: Configure Environment
id: get-environment
run: |
wget -O /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver
chmod +x /usr/local/bin/semver
if [[ $(semver validate ${{ github.event.release.tag_name }}) == "invalid" ]]; then
echo "::error title=Invalid Release::Release must be tagged with a valid SemVer version"
exit 1
fi
echo "version=$(semver get version ${{ github.event.release.tag_name }})" >> $GITHUB_OUTPUT
build:
name: Build Package
needs: define-environment
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: audit

- uses: actions/checkout@v4

- uses: pantos-io/ci-workflows/.github/actions/install-poetry@v1

- name: Build package
run: make wheel
run: |
make check-version VERSION=${{ needs.define-environment.outputs.version }}
make wheel
- name: Freeze dependencies
run: |
poetry self add poetry-plugin-freeze
poetry freeze-wheel
- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
name: common
path: dist

publish-pypi:
name: Publish to PyPi
needs: [define-environment, build]
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/pantos-common/${{ needs.define-environment.outputs.version }}
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: audit

- name: Download build artifact
uses: actions/download-artifact@v4
with:
name: common
path: dist

- name: Publish package distributions to PyPi
uses: pypa/gh-action-pypi-publish@release/v1
with:
print-hash: true
repository-url: 'https://upload.pypi.org/legacy/'

add-assets:
name: Add Assets to the ${{ github.event.release.tag_name }} Release
needs: build
@@ -35,6 +96,11 @@ jobs:
contents: write
id-token: write
steps:
- uses: step-security/harden-runner@v2
with:
disable-sudo: true
egress-policy: audit

- uses: actions/download-artifact@v4
with:
name: common
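Review bot: The `Configure Environment` step of `define-environment` downloads `semver` from the `master` branch of a third-party repository and executes it without pinning a revision or verifying a digest, so whatever that branch holds at release time runs inside the release pipeline and decides the version that `build` and `publish-pypi` consume. The same step expands `${{ github.event.release.tag_name }}` directly into the script text, so the tag is parsed as shell before `semver validate` ever sees it; passing it through `env:` and quoting `"$TAG_NAME"` keeps it as data. A pinned and checksummed download is sketched below, with placeholders for the commit and digest, which the page does not give. Separately, every job sets `egress-policy: audit`, which only records outbound traffic; once the audit data is in, `publish-pypi` (which holds `id-token: write`) is the job where `block` with an allow-list would matter most.

```yaml
      - name: Configure Environment
        id: get-environment
        env:
          # The tag reaches the script as an environment variable, never as script text.
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          # <PINNED_COMMIT_SHA> and <EXPECTED_SHA256> are placeholders for a reviewed semver-tool revision.
          wget -O /usr/local/bin/semver "https://raw.githubusercontent.com/fsaintjacques/semver-tool/<PINNED_COMMIT_SHA>/src/semver"
          echo "<EXPECTED_SHA256>  /usr/local/bin/semver" | sha256sum --check
          chmod +x /usr/local/bin/semver
          if [[ $(semver validate "$TAG_NAME") == "invalid" ]]; then
            # … unchanged: error annotation and exit 1 …
          fi
          echo "version=$(semver get version "$TAG_NAME")" >> "$GITHUB_OUTPUT"
```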
1 change: 1 addition & 0 deletions .gitignore
@@ -9,3 +9,4 @@ dist/
find.sh
local/
.coverage
requirements.txt
14 changes: 14 additions & 0 deletions Makefile
@@ -1,5 +1,19 @@
PYTHON_FILES := pantos/common scripts tests

.PHONY: check-version
check-version:
@if [ -z "$(VERSION)" ]; then \
echo "Error: VERSION is not set"; \
exit 1; \
fi
@VERSION_FROM_POETRY=$$(poetry version | awk '{print $$2}') ; \
if test "$$VERSION_FROM_POETRY" != "$(VERSION)"; then \
echo "Version mismatch: expected $(VERSION), got $$VERSION_FROM_POETRY" ; \
exit 1 ; \
else \
echo "Version check passed" ; \
fi

.PHONY: wheel
wheel:
poetry build -f wheel
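Review bot: The `check-version` target gets the version by splitting the human-readable output of `poetry version` with `awk '{print $$2}'`, which relies on that output staying in `name version` form. `poetry version --short` prints only the version and would make this release gate less fragile: `VERSION_FROM_POETRY=$$(poetry version --short) ; \`. A one-line comment above the target, such as `# Fail unless VERSION equals the version Poetry reports for the package (called by the release workflow)`, would tell readers why it exists. `$(VERSION)` is expanded by make into the shell text, so the target assumes callers pass an already validated value, as the workflow appears to do through the `semver` output. The file continues past the `wheel` target shown here.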