From ea5e7a2c99ff83671708d11027d8eacdd3a95914 Mon Sep 17 00:00:00 2001
From: jpantos <150924733+jpantos@users.noreply.github.com>
Date: Fri, 17 May 2024 14:50:30 +0200
Subject: [PATCH] [PAN-1850] Publish to PyPI (#22)

* feature: Publish to PyPI
---
 .github/workflows/release.yaml | 70 +++++++++++++++++++++++++++++++++-
 .gitignore | 1 +
 Makefile | 14 +++++++
 3 files changed, 83 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 715fe09..a8516e1 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,5 +1,5 @@
 name: Release Workflow
-run-name: ${{ (github.event.release.prerelease && 'Beta') || 'Prod'}} Release for ${{ github.repository }} - ${{ github.event.release.tag_name }}
+run-name: ${{ (github.event.release.prerelease && 'Pre-') || ''}}Release for ${{ github.repository }} - ${{ github.event.release.tag_name }}
 on:
 release:
 # Triggered on Pre-Releases and Releases
@@ -10,16 +10,50 @@ concurrency:
 group: deploy-${{ github.repository }}-release-${{ github.event.release.prerelease }}
 jobs:
+ define-environment:
+ runs-on: ubuntu-latest
+ outputs:
+ version: ${{ steps.get-environment.outputs.version }}
+ steps:
+ - uses: step-security/harden-runner@v2
+ with:
+ disable-sudo: true
+ egress-policy: audit
+
+ - name: Configure Environment
+ id: get-environment
+ run: |
+ wget -O /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver
+ chmod +x /usr/local/bin/semver
+ if [[ $(semver validate ${{ github.event.release.tag_name }}) == "invalid" ]]; then
+ echo "::error title=Invalid Release::Release must be tagged with a valid SemVer version"
+ exit 1
+ fi
+ echo "version=$(semver get version ${{ github.event.release.tag_name }})" >> $GITHUB_OUTPUT
+
 build:
 name: Build Package
+ needs: define-environment
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@v2
+ with:
+ disable-sudo: true
+ egress-policy: audit
+
+ - uses: actions/checkout@v4
+ - uses: pantos-io/ci-workflows/.github/actions/install-poetry@v1
+ - name: Build package
- run: make wheel
+ run: |
+ make check-version VERSION=${{ needs.define-environment.outputs.version }}
+ make wheel
+
+ - name: Freeze dependencies
+ run: |
+ poetry self add poetry-plugin-freeze
+ poetry freeze-wheel
 - name: Upload build artifact
 uses: actions/upload-artifact@v4
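Review bot: `${{ github.event.release.tag_name }}` is expanded verbatim into the shell text of the Configure Environment step (the `semver validate` and `semver get version` lines), so the tag string is parsed as shell syntax rather than handled as data; GitHub's hardening guidance is to pass event values through `env:` and reference them as quoted variables. The same step fetches `semver` from the mutable `master` branch of a third-party repository and executes it with no integrity check, which places an unpinned download on the path that decides which version gets published; pin the URL to a commit and verify a checksum before `chmod +x`. The exposure from the tag depends on who can create releases in this repository, which is not visible here, but the fix costs nothing. `poetry self add poetry-plugin-freeze` in the build job is similarly unpinned and could be given an exact version, e.g. `poetry self add poetry-plugin-freeze==<PINNED_VERSION>`. The rewritten Configure Environment step is below (its `id:` line stays as is); the rest of the hunk is unchanged.
```yaml
      - name: Configure Environment
        env:
          # event data reaches the script as an environment variable, never as script text
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          # <PINNED_COMMIT_SHA> and <EXPECTED_SHA256> are placeholders: pin to an immutable ref and record its digest
          wget -O /usr/local/bin/semver "https://raw.githubusercontent.com/fsaintjacques/semver-tool/<PINNED_COMMIT_SHA>/src/semver"
          echo "<EXPECTED_SHA256>  /usr/local/bin/semver" | sha256sum -c -
          chmod +x /usr/local/bin/semver
          if [[ $(semver validate "$TAG_NAME") == "invalid" ]]; then
            # … unchanged: error annotation and exit 1 …
          fi
          echo "version=$(semver get version "$TAG_NAME")" >> "$GITHUB_OUTPUT"
```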
@@ -27,6 +61,33 @@ jobs:
 name: common
 path: dist
 
+ publish-pypi:
+ name: Publish to PyPi
+ needs: [define-environment, build]
+ runs-on: ubuntu-latest
+ environment:
+ name: pypi
+ url: https://pypi.org/p/pantos-common/${{ needs.define-environment.outputs.version }}
+ permissions:
+ id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+ steps:
+ - uses: step-security/harden-runner@v2
+ with:
+ disable-sudo: true
+ egress-policy: audit
+
+ - name: Download build artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: common
+ path: dist
+
+ - name: Publish package distributions to PyPi
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ print-hash: true
+ repository-url: 'https://upload.pypi.org/legacy/'
+
 add-assets:
 name: Add Assets to the ${{ github.event.release.tag_name }} Release
 needs: build
@@ -35,6 +96,11 @@ jobs:
 contents: write
 id-token: write
 steps:
+ - uses: step-security/harden-runner@v2
+ with:
+ disable-sudo: true
+ egress-policy: audit
+
 - uses: actions/download-artifact@v4
 with:
 name: common
diff --git a/.gitignore b/.gitignore
index 29be41b..9e352b3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ dist/
 find.sh
 local/
 .coverage
+requirements.txt
diff --git a/Makefile b/Makefile
index 462a6ff..1c293e2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,19 @@
 PYTHON_FILES := pantos/common scripts tests
 
+.PHONY: check-version
+check-version:
+ @if [ -z "$(VERSION)" ]; then \
+ echo "Error: VERSION is not set"; \
+ exit 1; \
+ fi
+ @VERSION_FROM_POETRY=$$(poetry version | awk '{print $$2}') ; \
+ if test "$$VERSION_FROM_POETRY" != "$(VERSION)"; then \
+ echo "Version mismatch: expected $(VERSION), got $$VERSION_FROM_POETRY" ; \
+ exit 1 ; \
+ else \
+ echo "Version check passed" ; \
+ fi
+
 .PHONY: wheel
 wheel:
 poetry build -f wheel
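Review bot: The `publish-pypi` job holds an `id-token: write` OIDC credential that PyPI trusts, yet every action it runs is referenced by a mutable ref (`pypa/gh-action-pypi-publish@release/v1`, `step-security/harden-runner@v2`, `actions/download-artifact@v4`), so a moved tag or branch in any of those repositories would execute with publish authority. Pin each `uses:` to a full commit SHA and keep the human-readable tag in a trailing comment, e.g. `uses: pypa/gh-action-pypi-publish@<FULL_COMMIT_SHA>  # release/v1`, and let Dependabot maintain the pins; the `harden-runner` steps added in the other three hunks of this file should be pinned the same way. The trusted-publisher identity is scoped by the `pypi` environment, so its protection rules (required reviewers, deployment branch or tag restrictions) are part of the control; they live in repository settings and are not visible in this diff. `egress-policy: audit` only records outbound connections; once the publish job's endpoints are known from the audit data, `block` with an explicit allow-list is the stronger setting, though that is a follow-up rather than a defect in this change.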
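Review bot: `check-version` carries no comment explaining that `VERSION` is the semver derived from the release tag and that the target is the gate the release workflow runs before building the wheel; add above the `.PHONY: check-version` line `# Fails unless VERSION (semver from the release tag) matches the version in pyproject.toml; run by .github/workflows/release.yaml before building the wheel.` The version is read with `poetry version | awk '{print $$2}'`, which depends on the two-column `<name> <version>` output layout; `poetry version --short` prints only the version, so `@VERSION_FROM_POETRY=$$(poetry version --short) ; \` removes the awk and the format dependency. Quoting of `$(VERSION)` and `$$VERSION_FROM_POETRY` in the comparisons is correct as written, so the target fails closed on an empty or mismatched value.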