
Add trusted publisher release workflow #7309


Workflow file for this run

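name: CI

# Triggers. This workflow uses `pull_request` (not `pull_request_target`),
# so runs for pull requests from forks get a read-only token and no secrets.
on:
  push:
    branches: [main]
    tags:
      # Tags for all potential release numbers till 2030.
      - "2[0-9].[0-3]"  # 20.0 -> 29.3
      - "2[0-9].[0-3].[0-9]+"  # 20.0.0 -> 29.3.[0-9]+
  pull_request:
  schedule:
    - cron: 0 0 * * MON  # Run every Monday at 00:00 UTC
  workflow_dispatch:
    # allow manual runs on branches without a PR

# Least privilege for the automatically issued GITHUB_TOKEN. Without this
# block the token scope on push, schedule and workflow_dispatch runs falls
# back to the repository/organisation default, which may be read/write.
# None of the jobs visible in this file push, comment or publish.
#   contents: read       - needed by actions/checkout
#   pull-requests: read  - needed by dorny/paths-filter, which lists the
#                          changed files through the API when it runs on a
#                          pull request without a checkout
permissions:
  contents: read
  pull-requests: read

env:
  # The "FORCE_COLOR" variable, when set to 1,
  # tells Nox to colorize itself.
  FORCE_COLOR: "1"

# One run per workflow and pull request (or per commit SHA when the run is
# not for a pull request); a newer run in the same group cancels the older.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true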
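jobs:
  # Build the documentation through the "docs" nox session.
  docs:
    name: docs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config, where every later
          # step (nox sessions, installed packages) could read it.
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: pip install nox
      - run: nox -s docs

  # Work out which parts of the tree a pull request touches. The two
  # outputs gate the "vendoring" and "tests-*" jobs below.
  determine-changes:
    runs-on: ubuntu-latest
    outputs:
      tests: ${{ steps.filter.outputs.tests }}
      vendoring: ${{ steps.filter.outputs.vendoring }}
    steps:
      # For pull requests it's not necessary to checkout the code
      # NOTE(review): third-party action referenced by a mutable tag; its
      # outputs decide which jobs run. Consider pinning it to a full
      # commit SHA.
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            vendoring:
              # Anything that's touching "vendored code"
              - "src/pip/_vendor/**"
              - "pyproject.toml"
              - "noxfile.py"
            tests:
              # Anything that's touching code-related stuff
              - ".github/workflows/ci.yml"
              - "src/**"
              - "tests/**"
              - "noxfile.py"
              # The test suite should also run when cutting a release
              # (which is the only time this file is modified).
              - "NEWS.rst"
        # Skipped on every other event; the outputs are then empty and the
        # dependent jobs run because of their `!= 'pull_request'` clause.
        if: github.event_name == 'pull_request'

  # Dry-run of the release process with a throw-away version number (99.9):
  # prepare the release, build the distributions and check them.
  packaging:
    name: packaging
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The git operations below are local; no stored token is needed.
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      # NOTE(review): the e-mail address below appears obfuscated in this
      # listing; it is reproduced as shown.
      - name: Set up git credentials
        run: |
          git config --global user.email "[email protected]"
          git config --global user.name "pip"
      - run: pip install nox
      # Presumably this session creates the "99.9" ref that the next step
      # checks out; confirm against noxfile.py.
      - run: nox -s prepare-release -- 99.9
      - run: git checkout 99.9
      - run: pipx run build
      - run: pipx run twine check dist/*
      - run: pipx run check-manifest

  # Re-run the vendoring session and fail if it changes the working tree.
  vendoring:
    name: vendoring
    runs-on: ubuntu-latest
    needs: [determine-changes]
    if: >-
      needs.determine-changes.outputs.vendoring == 'true' ||
      github.event_name != 'pull_request'
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: pip install nox
      - run: nox -s vendoring
      # A non-empty diff makes `git diff --exit-code` exit non-zero.
      - run: git diff --exit-code

  # Unit and integration tests on Linux and macOS for each Python version.
  tests-unix:
    name: tests / ${{ matrix.python.key || matrix.python }} / ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    needs: [packaging, determine-changes]
    if: >-
      needs.determine-changes.outputs.tests == 'true' ||
      github.event_name != 'pull_request'
    strategy:
      fail-fast: true
      matrix:
        os: [ubuntu-latest, macos-13, macos-latest]
        python:
          - "3.8"
          - "3.9"
          - "3.10"
          - "3.11"
          - "3.12"
          - "3.13"
    steps:
      - uses: actions/checkout@v4
        with:
          # The test suite executes a lot of code; keep the job token out
          # of the checked-out repository's git config.
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
      - name: Install Ubuntu dependencies
        if: matrix.os == 'ubuntu-latest'
        run: |
          sudo apt-get update
          sudo apt-get install bzr
      - name: Install MacOS dependencies
        if: runner.os == 'macOS'
        run: |
          DEPS=breezy
          if ! which svn; then
            DEPS="${DEPS} subversion"
          fi
          brew install ${DEPS}
      - run: pip install nox
      # Main check
      - name: Run unit tests
        run: >-
          nox -s test-${{ matrix.python.key || matrix.python }} --
          -m unit
          --verbose --numprocesses auto --showlocals
      - name: Run integration tests
        run: >-
          nox -s test-${{ matrix.python.key || matrix.python }} --
          -m integration
          --verbose --numprocesses auto --showlocals
          --durations=5

  # Windows tests, split into two matrix groups: group 1 runs the unit
  # tests and the integration tests not matching "test_install", group 2
  # runs the integration tests matching "test_install".
  tests-windows:
    name: tests / ${{ matrix.python }} / ${{ matrix.os }} / ${{ matrix.group }}
    runs-on: ${{ matrix.os }}-latest
    needs: [packaging, determine-changes]
    if: >-
      needs.determine-changes.outputs.tests == 'true' ||
      github.event_name != 'pull_request'
    strategy:
      fail-fast: true
      matrix:
        os: [Windows]
        python:
          - "3.8"
          # Commented out, since Windows tests are expensively slow,
          # only test the oldest and newest Python supported by pip
          # - "3.9"
          # - "3.10"
          # - "3.11"
          # - "3.12"
          - "3.13"
        group: [1, 2]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
      # We use C:\Temp (which is already available on the worker)
      # as a temporary directory for all of the tests because the
      # default value (under the user dir) is more deeply nested
      # and causes tests to fail with "path too long" errors.
      - run: pip install nox
        env:
          TEMP: "C:\\Temp"
      # Main check
      - name: Run unit tests
        if: matrix.group == 1
        run: >-
          nox -s test-${{ matrix.python }} --
          -m unit
          --verbose --numprocesses auto --showlocals
        env:
          TEMP: "C:\\Temp"
      - name: Run integration tests (group 1)
        if: matrix.group == 1
        run: >-
          nox -s test-${{ matrix.python }} --
          -m integration -k "not test_install"
          --verbose --numprocesses auto --showlocals
        env:
          TEMP: "C:\\Temp"
      - name: Run integration tests (group 2)
        if: matrix.group == 2
        run: >-
          nox -s test-${{ matrix.python }} --
          -m integration -k "test_install"
          --verbose --numprocesses auto --showlocals
        env:
          TEMP: "C:\\Temp"

  # Integration tests run with the --use-zipapp option on Python 3.10.
  tests-zipapp:
    name: tests / zipapp
    runs-on: ubuntu-latest
    needs: [packaging, determine-changes]
    if: >-
      needs.determine-changes.outputs.tests == 'true' ||
      github.event_name != 'pull_request'
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"
      - name: Install Ubuntu dependencies
        run: |
          sudo apt-get update
          sudo apt-get install bzr
      - run: pip install nox
      # Main check
      - name: Run integration tests
        run: >-
          nox -s test-3.10 --
          -m integration
          --verbose --numprocesses auto --showlocals
          --durations=5
          --use-zipapp

  # This job does nothing itself and is only used for the branch
  # protection: it aggregates the results of every job listed in `needs`.
  check:
    # Run even when a needed job failed or was skipped, so the aggregate
    # result is always reported.
    if: always()
    needs:
      - determine-changes
      - docs
      - packaging
      - tests-unix
      - tests-windows
      - tests-zipapp
      - vendoring
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): this is the gate for branch protection and it is a
      # third-party action referenced by a mutable branch ref; consider
      # pinning it to a full commit SHA.
      # NOTE(review): "tests-importlib-metadata" in allowed-skips has no
      # matching job in `needs` above; it looks like a leftover, confirm
      # before removing it.
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1
        with:
          allowed-skips: >-
            ${{
              (
                needs.determine-changes.outputs.vendoring != 'true'
                && github.event_name == 'pull_request'
              )
              && 'vendoring'
              || ''
            }}
            ,
            ${{
              (
                needs.determine-changes.outputs.tests != 'true'
                && github.event_name == 'pull_request'
              )
              && '
                tests-unix,
                tests-windows,
                tests-zipapp,
                tests-importlib-metadata,
              '
              || ''
            }}
          jobs: ${{ toJSON(needs) }}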