-
-
Notifications
You must be signed in to change notification settings - Fork 0
138 lines (116 loc) · 4.17 KB
/
publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
name: Build package and publish to GitHub and Test PyPI
on:
push:
tags:
- 'v*'
jobs:
check_publish:
name: "Check if we should publish"
runs-on: ubuntu-latest
outputs:
result: ${{ steps.check_pyproject_toml.outputs.version_exit_code }}
steps:
- name: "Checkout repository"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: "Setup Python"
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: "3.x"
- name: "Check pyproject.toml for a new version"
id: check_pyproject_toml
run: |
cd ./publish && echo "version_exit_code=$((python3 check_pyproject.py --tag ${{ github.ref_name }}) 2>&1)" >> $GITHUB_OUTPUT
fail_if_output_not_zero:
name: "Fail the job if the publish check doesn't return '0'"
runs-on: ubuntu-latest
needs: [ check_publish ]
if: needs.check_publish.outputs.result != '0'
steps:
- run: |
echo "Job failed, there is an issue with the tag; check that the version exists in pyproject and not in pypi" && exit 1
build:
name: "Build package"
runs-on: ubuntu-latest
needs: [ check_publish ]
if: needs.check_publish.outputs.result == '0'
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- name: "Checkout repository"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: "Setup Python"
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: "3.x"
- name: "Install dependencies"
run: pip install -r requirements/build.txt
# Use the commit date instead of the current date during the build.
- name: "Build dists"
run: |
SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
python -m build
# Generate hashes used for provenance.
- name: "Generate hashes"
id: hash
run: |
cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
- name: "Upload dists"
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: "dist"
path: "dist/"
if-no-files-found: error
retention-days: 5
provenance:
name: "Generate provenance"
needs: [ build ]
permissions:
actions: read
contents: write
id-token: write # Needed to access the workflow's OIDC identity.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
publish-to-test-pypi:
name: "Publish to Test PyPI"
needs: [ build, provenance ]
permissions:
id-token: write # Needed for trusted publishing to PyPI.
runs-on: "ubuntu-latest"
environment:
name: "testpypi"
url: "https://test.pypi.org/p/ngohub/${{ github.ref_name }}/"
steps:
- name: "Download dists"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: "dist"
path: "dist/"
- name: "Publish dists to Test PyPI"
uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
with:
repository-url: https://test.pypi.org/legacy/
publish-to-pypi:
name: "Publish to PyPI"
if: startsWith(github.ref, 'refs/tags/')
needs: [ publish-to-test-pypi ]
permissions:
contents: write # Needed for making GitHub releases
id-token: write # Needed for trusted publishing to PyPI.
runs-on: "ubuntu-latest"
environment:
name: "Publish"
url: "https://pypi.org/p/ngohub/${{ github.ref_name }}/"
steps:
- name: "Download dists"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: "dist"
path: "dist/"
- name: "Publish dists to PyPI"
uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0