|
| 1 | +name: Continuous Delivery |
| 2 | + |
| 3 | +on: |
| 4 | + push: |
| 5 | + branches: |
| 6 | + - main |
| 7 | + |
| 8 | +# default: least privileged permissions across all jobs |
| 9 | +permissions: |
| 10 | + contents: read |
| 11 | + |
| 12 | + |
| 13 | + |
| 14 | +jobs: |
| 15 | + release: |
| 16 | + runs-on: ubuntu-latest |
| 17 | + concurrency: |
| 18 | + group: ${{ github.workflow }}-release-${{ github.ref_name }} |
| 19 | + cancel-in-progress: false |
| 20 | + |
| 21 | + env: |
| 22 | + PROJECT_PATH: ${{ github.repository }} |
| 23 | + QTWEBENGINE_DISABLE_SANDBOX: 1 |
| 24 | + QT_QPA_PLATFORM: "offscreen" |
| 25 | + |
| 26 | + permissions: |
| 27 | + contents: write |
| 28 | + |
| 29 | + steps: |
| 30 | + # Note: We checkout the repository at the branch that triggered the workflow |
| 31 | + # with the entire history to ensure to match PSR's release branch detection |
| 32 | + # and history evaluation. |
| 33 | + # However, we forcefully reset the branch to the workflow sha because it is |
| 34 | + # possible that the branch was updated while the workflow was running. This |
| 35 | + # prevents accidentally releasing un-evaluated changes. |
| 36 | + - name: Setup | Checkout Repository on Release Branch |
| 37 | + uses: actions/checkout@v4 |
| 38 | + with: |
| 39 | + ref: ${{ github.ref_name }} |
| 40 | + fetch-depth: 0 |
| 41 | + ssh-key: ${{ secrets.CI_DEPLOY_SSH_KEY }} |
| 42 | + ssh-known-hosts: ${{ secrets.CI_DEPLOY_SSH_KNOWN_HOSTS }} |
| 43 | + |
| 44 | + - name: Set up Python |
| 45 | + uses: actions/setup-python@v5 |
| 46 | + with: |
| 47 | + python-version: '3.11' |
| 48 | + |
| 49 | + - name: Setup | Force release branch to be at workflow sha |
| 50 | + run: | |
| 51 | + git reset --hard ${{ github.sha }} |
| 52 | + - name: Evaluate | Verify upstream has NOT changed |
| 53 | + # Last chance to abort before causing an error as another PR/push was applied to |
| 54 | + # the upstream branch while this workflow was running. This is important |
| 55 | + # because we are committing a version change (--commit). You may omit this step |
| 56 | + # if you have 'commit: false' in your configuration. |
| 57 | + # |
| 58 | + # You may consider moving this to a repo script and call it from this step instead |
| 59 | + # of writing it in-line. |
| 60 | + shell: bash |
| 61 | + run: | |
| 62 | + set +o pipefail |
| 63 | +
|
| 64 | + UPSTREAM_BRANCH_NAME="$(git status -sb | head -n 1 | cut -d' ' -f2 | grep -E '\.{3}' | cut -d'.' -f4)" |
| 65 | + printf '%s\n' "Upstream branch name: $UPSTREAM_BRANCH_NAME" |
| 66 | +
|
| 67 | + set -o pipefail |
| 68 | +
|
| 69 | + if [ -z "$UPSTREAM_BRANCH_NAME" ]; then |
| 70 | + printf >&2 '%s\n' "::error::Unable to determine upstream branch name!" |
| 71 | + exit 1 |
| 72 | + fi |
| 73 | +
|
| 74 | + git fetch "${UPSTREAM_BRANCH_NAME%%/*}" |
| 75 | +
|
| 76 | + if ! UPSTREAM_SHA="$(git rev-parse "$UPSTREAM_BRANCH_NAME")"; then |
| 77 | + printf >&2 '%s\n' "::error::Unable to determine upstream branch sha!" |
| 78 | + exit 1 |
| 79 | + fi |
| 80 | +
|
| 81 | + HEAD_SHA="$(git rev-parse HEAD)" |
| 82 | +
|
| 83 | + if [ "$HEAD_SHA" != "$UPSTREAM_SHA" ]; then |
| 84 | + printf >&2 '%s\n' "[HEAD SHA] $HEAD_SHA != $UPSTREAM_SHA [UPSTREAM SHA]" |
| 85 | + printf >&2 '%s\n' "::error::Upstream has changed, aborting release..." |
| 86 | + exit 1 |
| 87 | + fi |
| 88 | +
|
| 89 | + printf '%s\n' "Verified upstream branch has not changed, continuing with release..." |
| 90 | +
|
| 91 | + - name: Semantic Version Release |
| 92 | + id: release |
| 93 | + env: |
| 94 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 95 | + run: | |
| 96 | + pip install python-semantic-release==9.* wheel build twine |
| 97 | + semantic-release -vv version |
| 98 | + if [ ! -d dist ]; then echo No release will be made; exit 0; fi |
| 99 | + twine upload dist/* -u __token__ -p ${{ secrets.CI_PYPI_TOKEN }} --skip-existing |
| 100 | + semantic-release publish |
0 commit comments