Release #104
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: "The version to release (e.g., '20260414')." | |
| type: string | |
| sha: | |
| description: "The full SHA of the commit to be released (e.g., 'd09ff921d92d6da8d8a608eaa850dc8c0f638194')." | |
| type: string | |
| dry-run: | |
| description: "Dry run? Tests the release process without publishing." | |
| default: false | |
| required: false | |
| type: boolean | |
| env: | |
| FORCE_COLOR: 1 | |
| permissions: {} | |
| jobs: | |
| release: | |
| name: Release | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| runs-on: depot-ubuntu-24.04-8 | |
| permissions: | |
| contents: write | |
| packages: write | |
| # Permissions used for actions/attest-build-provenance | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| submodules: recursive | |
| persist-credentials: true # needed for git operations below | |
| - uses: extractions/setup-crate@4993624604c307fbca528d28a3c8b60fa5ecc859 # v1.4.0 | |
| with: | |
| repo: casey/just | |
| version: 1.42.4 | |
| # Perform a release in dry-run mode. | |
| - run: just release-dry-run ${GH_TOKEN} ${GITHUB_EVENT_INPUTS_SHA} ${GITHUB_EVENT_INPUTS_TAG} | |
| if: ${{ github.event.inputs.dry-run == 'true' }} | |
| env: | |
| GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }} | |
| GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} | |
| - name: Configure Git identity | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: | | |
| git config --global user.name "$GITHUB_ACTOR" | |
| git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
| # Fetch the commit so that it exists locally. | |
| - name: Fetch commit | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: git fetch origin ${GITHUB_EVENT_INPUTS_SHA} | |
| env: | |
| GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }} | |
| # Associate the commit with the tag. | |
| - name: Create tag | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: git tag ${GITHUB_EVENT_INPUTS_TAG} ${GITHUB_EVENT_INPUTS_SHA} | |
| env: | |
| GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} | |
| GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }} | |
| - name: Push tag | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: git push origin ${GITHUB_EVENT_INPUTS_TAG} | |
| env: | |
| GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} | |
| # Create a GitHub release. | |
| - name: Create GitHub Release | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| run: just release-create ${GITHUB_EVENT_INPUTS_TAG} | |
| env: | |
| GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} | |
| # Uploading the relevant artifact to the GitHub release. | |
| - run: just release-run ${GH_TOKEN} ${GITHUB_EVENT_INPUTS_SHA} ${GITHUB_EVENT_INPUTS_TAG} | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| env: | |
| GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }} | |
| GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} | |
| - name: Generate attestations | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| with: | |
| subject-path: | | |
| dist/*.tar.gz | |
| dist/*.tar.zst | |
| - name: Publish to Astral mirror | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.MIRROR_R2_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.MIRROR_R2_SECRET_ACCESS_KEY }} | |
| AWS_ENDPOINT_URL: https://${{ secrets.MIRROR_R2_CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com | |
| AWS_DEFAULT_REGION: auto | |
| R2_BUCKET: ${{ secrets.MIRROR_R2_BUCKET_NAME }} | |
| PROJECT: python-build-standalone | |
| VERSION: ${{ github.event.inputs.tag }} | |
| run: | | |
| just release-upload-mirror \ | |
| ${R2_BUCKET} \ | |
| github/${PROJECT}/releases/download/${VERSION}/ \ | |
| ${VERSION} | |
| publish-versions: | |
| needs: release | |
| if: ${{ github.event.inputs.dry-run == 'false' }} | |
| uses: ./.github/workflows/publish-versions.yml | |
| with: | |
| tag: ${{ github.event.inputs.tag }} | |
| secrets: inherit |