dnsimple-python/.github/workflows/release.yml at f2c1306cca55f2d8661d4f2d48fee134a9644495 · dnsimple/dnsimple-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
---
name: Release

on:
  workflow_run:
    workflows:
      - "CI"
    types:
      - completed

jobs:
  validate-tag:
    name: Check tag
    runs-on: ubuntu-latest
    outputs:
      valid_tag: ${{ steps.validation.outputs.valid_tag }}
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && startsWith(github.event.workflow_run.head_branch, 'v') }}
    steps:
      - name: Check out the repository including tags
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
          fetch-depth: 0
          fetch-tags: true
      - name: Validate tag
        id: validation
        run: |
          # Validation is necessary in the unlikely case that a branch matching the tag naming pattern is pushed
          # and the CI workflow in that branch is modified to run upon a push to that branch
          REF='${{ github.event.workflow_run.head_branch }}' # This can be a branch or tag name
          if [[ "$REF" != v*.*.* ]]; then
            echo "valid_tag=false" >> "$GITHUB_OUTPUT"; exit 0
          fi
          # Validate that the tag exists
          if ! git rev-parse -q --verify "refs/tags/$REF" >/dev/null; then
            echo "There is no tag matching $REF - $REF is a branch"
            echo "valid_tag=false" >> "$GITHUB_OUTPUT"; exit 0
          fi
          # Validate that the tag is for the same commit that was pushed
          TAG_SHA="$(git rev-parse "$REF^{commit}")"
          COMMIT_SHA="${{ github.event.workflow_run.head_sha }}"
          if [ "$TAG_SHA" != "$COMMIT_SHA" ]; then
            echo "Tag SHA $TAG_SHA does not match pushed commit SHA $COMMIT_SHA"
            echo "valid_tag=false" >> "$GITHUB_OUTPUT"; exit 0
          fi
          echo "Tag $REF exists and is valid. Tag $TAG_SHA matches the pushed commit $COMMIT_SHA."
          echo "valid_tag=true"  >> "$GITHUB_OUTPUT"
  publish:
    name: Publish to PyPI
    needs: validate-tag
    runs-on: ubuntu-latest
    if: ${{ needs.validate-tag.outputs.valid_tag == 'true' && github.event.workflow_run.conclusion == 'success' }}
    steps:
      - uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.13'

      - name: Set up Poetry
        uses: abatilo/actions-poetry@v4
        with:
          poetry-version: '1.4.1'

      - name: Install dependencies
        run: poetry install --without test

      - name: Publish distribution to PyPI
        run: poetry publish --build -u __token__ -p '${{ secrets.PYPI_API_TOKEN }}'