weblate/.github/workflows/setup.yml at main · WeblateOrg/weblate · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
# Copyright © Michal Čihař <michal@weblate.org>
#
# SPDX-License-Identifier: GPL-3.0-or-later

name: Distribution

on:
  push:
    branches-ignore:
    - renovate/**
    - weblate
    - dependabot/**
    tags:
    - weblate-*
  pull_request:

permissions:
  contents: read

jobs:
  dist:
    runs-on: ubuntu-24.04
    name: Build packages
    env:
      PYTHONUNBUFFERED: 1
      PYTHONWARNINGS: default,ignore:unclosed:ResourceWarning
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false
    - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      with:
        enable-cache: false
        version: 0.11.12
    - name: Setup Python
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: '3.14'
    - name: Set reproducible build timestamp
      run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV"
    - name: build
      run: |
        echo "::add-matcher::.github/matchers/setuptools.json"
        uv build
        echo "::remove-matcher owner=setuptools::"
        rm -f dist/.gitignore
    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        path: dist/*
        name: dist

  sign_dist:
    runs-on: ubuntu-24.04
    name: Sign packages
    if: github.event_name == 'push'
    needs:
    - dist
    permissions:
      contents: read
      # Needed for Sigstore
      id-token: write
      # Needed for attestations
      attestations: write
    steps:
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: dist
        path: dist
    - name: Setup Python
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: '3.14'
    - name: Sign the dists with Sigstore
      uses: sigstore/gh-action-sigstore-python@04cffa1d795717b140764e8b640de88853c92acc # v3.3.0
      with:
        inputs: dist/*
    - name: Attest
      uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
      with:
        subject-path: dist/*
    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        path: dist/*
        name: dist-signed

  sbom:
    runs-on: ubuntu-24.04
    name: Build SBOM
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false
    - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      with:
        enable-cache: false
        version: 0.11.12
    - name: Setup Python
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: '3.14'
    - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e   # v6.4.0
      with:
        node-version: 26
        package-manager-cache: false
    - name: Generate SBOM
      id: generate-sbom
      env:
        # renovate-cyclonedx-cli
        CYCLONEDX_CLI_VERSION: v0.32.0
        CYCLONEDX_CLI_DIGEST: sha256:454879e6a4a405c8a13bff49b8982adcb0596f3019b26b0811c66e4d7f0783e1
      run: |
        version=$(uv run --frozen --only-group sbom ./scripts/show-version.py)
        sbom="build/sbom/weblate-$version-sbom.cdx.json"
        mkdir -p build/sbom
        uv export --preview-features sbom-export --format cyclonedx1.5 --all-extras --no-dev > build/sbom/python.json
        ./scripts/reproducible-sbom.py build/sbom/python.json
        cd client
        yarn install --check-files
        npm sbom --omit dev --sbom-format cyclonedx --sbom-type application > ../build/sbom/javascript.json
        cd ..
        ./scripts/reproducible-sbom.py build/sbom/javascript.json
        cyclonedx_cli=/tmp/cyclonedx-linux-x64
        curl -fsSL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/$CYCLONEDX_CLI_VERSION/cyclonedx-linux-x64" > "$cyclonedx_cli"
        echo "${CYCLONEDX_CLI_DIGEST#sha256:}  $cyclonedx_cli" | sha256sum --check --strict
        chmod +x "$cyclonedx_cli"
        "$cyclonedx_cli" merge --input-files build/sbom/*.json --output-file "$sbom"
        ./scripts/reproducible-sbom.py "$sbom"
        echo "path=$sbom" >> "$GITHUB_OUTPUT"
    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        path: ${{ steps.generate-sbom.outputs.path }}
        name: sbom

  attest_sbom:
    runs-on: ubuntu-24.04
    name: Attest SBOM
    if: github.event_name == 'push'
    needs:
    - sign_dist
    - sbom
    permissions:
      # Needed for attestations
      attestations: write
      contents: read
      id-token: write
    steps:
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: dist-signed
        path: dist
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: sbom
        path: sbom
    - name: Locate SBOM
      id: locate-sbom
      run: |
        path=$(find sbom -type f -name '*-sbom.cdx.json' -print -quit)
        test -n "$path"
        echo "path=$path" >> "$GITHUB_OUTPUT"
    - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
      with:
        subject-path: dist/*
        sbom-path: ${{ steps.locate-sbom.outputs.path }}

  lint:
    runs-on: ubuntu-24.04
    name: Lint packages
    env:
      PYTHONUNBUFFERED: 1
    needs:
    - dist
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false
    - name: Install apt dependencies
      run: sudo ./ci/apt-install
    - name: Set up Python
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: '3.14'
    - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      with:
        enable-cache: false
        version: 0.11.12
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: dist
        path: dist
    - name: Cleanup dist
      # Remove files not supported on PyPI (eg. Sigstore signatures)
      run: find dist -mindepth 1 -not -name '*.tar.gz' -not -name '*.whl' -delete
    - name: list wheel
      run: unzip -l dist/*.whl
    - name: list sdist
      run: tar tvf dist/*.tar.gz
    - name: twine check
      run: uvx twine check --strict dist/*
    - name: pydistcheck
      run: uvx pydistcheck --inspect dist/*
    - name: pyroma
      run: uvx --with pip pyroma dist/*.tar.gz
    - name: check-manifest
      run: uvx --with pip check-manifest -v
    - name: Prepare sdist tree for wheel comparison
      id: wheel-source
      run: |
        source_dir=$(mktemp -d)
        tar --strip-components=1 -xf dist/*.tar.gz -C "$source_dir"
        echo "path=$source_dir" >> "$GITHUB_OUTPUT"
    - name: Build source catalogs
      working-directory: ${{ steps.wheel-source.outputs.path }}
      # Wheels ship generated .mo files, while Git and sdist ship .po sources.
      # Compile catalogs before comparing the wheel against the sdist tree.
      run: uv run --with translate-toolkit --with setuptools --no-project python setup.py build_mo
    - name: check-wheel-contents
      working-directory: ${{ steps.wheel-source.outputs.path }}
      run: uvx check-wheel-contents "$GITHUB_WORKSPACE"/dist/*.whl
    - name: install
      run: |
        uv venv .venv-install
        source .venv-install/bin/activate
        uv pip install dist/*.whl

  notes:
    runs-on: ubuntu-24.04
    name: Build release notes
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false
    - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      with:
        enable-cache: false
        version: 0.11.12
    - name: Set up Python
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: '3.14'
    - name: Install apt dependencies
      run: |
        sudo apt update
        sudo apt install -y graphviz pandoc
    - name: Install Python dependencies
      run: uv sync --only-group docs --frozen
    - name: Sphinx build
      run: |
        . .venv/bin/activate
        ./ci/run-docs
    - name: Convert release notes
      run: |
        version=$(sed -n '/^VERSION =/ s/.*"\(.*\)"/\1/p' weblate/utils/version.py)
        namever="weblate-$version"
        sed "s/latest/$namever/" < scripts/release-notes-filter.lua > scripts/release-notes-filter.version.lua
        mkdir dist
        ./scripts/extract-release-notes.py > "dist/Weblate-$version.html"
        pandoc "dist/Weblate-$version.html" --write=gfm --wrap=none --lua-filter=scripts/release-notes-filter.version.lua -o "dist/Weblate-$version.md"
        rm scripts/release-notes-filter.version.lua
    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        path: dist/*
        name: notes

  publish_pypi:
    name: Publish to PyPI
    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/weblate')
    environment: pypi
    permissions:
      # this permission is mandatory for trusted publishing
      id-token: write
    needs:
    - notes
    - sign_dist
    - attest_sbom
    - lint
    runs-on: ubuntu-24.04
    steps:
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: dist-signed
        path: dist
    - name: Cleanup dist
      # Remove files not supported on PyPI (eg. Sigstore signatures)
      run: find dist -mindepth 1 -not -name '*.tar.gz' -not -name '*.whl' -delete
    - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      with:
        enable-cache: false
        version: 0.11.12
    - run: uv publish --trusted-publishing always

  publish_github:
    name: Publish to GitHub
    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/weblate')
    permissions:
      # this permission is mandatory for creating a release
      contents: write
    needs:
    - notes
    - sign_dist
    - attest_sbom
    - lint
    runs-on: ubuntu-24.04
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: dist-signed
        path: dist
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: sbom
        path: sbom
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: notes
        path: notes
    - name: Extract notes body
      run: tail -n+3 notes/Weblate-*.md > notes.md
    - name: Extract notes title
      id: get-name
      run: echo "name=$(head -n1 notes/Weblate-*.md)"  > "$GITHUB_OUTPUT"
    - env:
        VERSION: ${{ github.ref_name }}
        GH_TOKEN: ${{ github.token }}
        TITLE: ${{ steps.get-name.outputs.name }}
      run: |
        gh release create "$VERSION" --verify-tag --title "$TITLE" --notes-file notes.md dist/* sbom/*