python-poetry-cli-template/.github/workflows/delivery.yml at main · cloud-city-crafted/python-poetry-cli-template · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: Continuous Delivery

on:
  workflow_dispatch:

  pull_request_target:
    types: ["closed"]
    branches: ["main"]

env:
  BRANCH_NAME: ${{ github.head_ref || github.ref_name }}

jobs:
  release:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Source Code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_TOKEN }}

      - name: Install Poetry
        run: pipx install poetry

      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          cache: "poetry"

      - name: Install Python Dependencies
        run: poetry install --no-ansi --without dev

      - name: Run End-to-End Tests
        run: poetry run pytest tests/e2e

      - name: Configure GPG
        run: |
          mkdir -p "$HOME/.gnupg"
          echo "default-cache-ttl 21600" >> "$HOME/.gnupg/gpg-agent.conf"
          echo "allow-preset-passphrase" >> "$HOME/.gnupg/gpg-agent.conf"
          find "$HOME/.gnupg" -type f -exec chmod 600 {} \;
          find "$HOME/.gnupg" -type d -exec chmod 700 {} \;
          gpg-connect-agent RELOADAGENT /bye

      - name: Configure Git
        id: configure-git
        env:
          GPG_PRIVATE_KEY: ${{ secrets.SERVICE_ACCOUNT_GPG_PRIVATE_KEY }}
          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.SERVICE_ACCOUNT_GPG_PASSPHRASE }}
          SERVICE_ACCOUNT_USERNAME: ${{ vars.SERVICE_ACCOUNT_USERNAME }}
          SERVICE_ACCOUNT_EMAIL_ADDRESS: ${{ vars.SERVICE_ACCOUNT_EMAIL_ADDRESS }}
        run: |
          echo "$GPG_PRIVATE_KEY" | gpg --import --pinentry-mode loopback --passphrase "$GPG_PRIVATE_KEY_PASSPHRASE"
          key_metadata=$(gpg --with-colons --with-keygrip --list-secret-keys $SERVICE_ACCOUNT_EMAIL_ADDRESS)
          key_id=$(echo "$key_metadata" | awk -F: 'NR == 1 { print $5 }')
          key_fingerprint=$(echo "$key_metadata" | awk -F: 'NR == 2 { print $10 }')
          key_grip=$(echo "$key_metadata" | awk -F: 'NR == 3 { print $10 }')
          echo "$GPG_PRIVATE_KEY_PASSPHRASE" | "$(gpgconf --list-dirs libexecdir)"/gpg-preset-passphrase --preset $key_grip

          git config --global user.name $SERVICE_ACCOUNT_USERNAME
          git config --global user.email $SERVICE_ACCOUNT_EMAIL_ADDRESS
          git config --global user.signingkey $key_id
          git config --global commit.gpgsign true
          git config --global tag.gpgsign true

          echo "gpg-key-fingerprint=$key_fingerprint" >> $GITHUB_OUTPUT

      - name: Create GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
          BUMP_TYPE: ${{ startsWith(env.BRANCH_NAME, 'bug') || startsWith(env.BRANCH_NAME, 'fix') && 'patch' || 'minor' }}
        run: |
          package_version="$(poetry version $BUMP_TYPE --short)"
          poetry build
          git commit -am "chore: Bump package version to v$package_version" --no-verify
          git push
          gh release create --generate-notes "v$package_version" ./dist/*${package_version}*

      - name: Clean Up GPG Credentials
        env:
          GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.configure-git.outputs.gpg-key-fingerprint }}
        run: echo $GPG_PRIVATE_KEY_FINGERPRINT | xargs gpg --batch --yes --delete-secret-and-public-keys