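# This workflow is autogenerated by xcookie.
# File kind: release
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
# Based on ~/code/xcookie/xcookie/builders/github_actions.py
# See: https://github.com/Erotemic/xcookie
#
# Review notes on the trust model of this workflow:
# - Every third-party action used here (actions/*, ilammy/msvc-dev-cmd,
#   pypa/cibuildwheel, pypa/gh-action-pypi-publish, softprops/action-gh-release)
#   is referenced by a tag or branch (`v1`, `release/v1`, `vX.Y.Z`). Those refs
#   are mutable; pin each one to a full commit SHA (keep the tag in a trailing
#   comment) so an upstream compromise cannot change what runs with the OIDC
#   publishing token and the GPG signing key.
# - The publish gates on test_deploy / live_deploy / release are *prefix*
#   matches on github.event.ref: any tag, and any branch whose name starts with
#   `release`, reaches live_deploy. The `pypi` / `testpypi` GitHub environments
#   (deployment branch/tag rules, required reviewers) are therefore the real
#   access control; see the checklist at the end of this file.
name: BinPyRelease
on:  # yamllint disable-line rule:truthy
  push:
  # Manual runs only build artifacts: every publishing job is gated on
  # github.event_name == 'push'.
  workflow_dispatch:

# Workflow-wide default: a read-only GITHUB_TOKEN. Jobs that need more raise
# it explicitly (id-token:write for trusted publishing, contents:write for
# tagging / creating the release).
permissions:
  contents: read

jobs:
  build_sdist:
    ##
    # Build the sdist artifact used by the release workflow.
    # This workflow intentionally builds artifacts but does not run the
    # full test matrix.
    ##
    name: Build sdist
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v6.0.2
        with:
          # Nothing in this job pushes; do not leave the token in .git/config
          # where the packages installed below could read it.
          persist-credentials: false
      - name: Set up Python 3.13
        uses: actions/setup-python@v5.6.0
        with:
          python-version: '3.13'
      - name: Build sdist
        shell: bash
        run: |-
          set -euo pipefail
          python -m pip install -U pip uv
          # The specifier must be quoted: an unquoted '>=' is a shell
          # redirection, which silently drops the pin and leaves a stray
          # file named '=0.8' in the workspace.
          python -m uv pip install 'setuptools>=0.8' wheel build twine
          python -m build --sdist --outdir wheelhouse
          python -m twine check ./wheelhouse/line_profiler*.tar.gz
      - name: Show built files
        shell: bash
        run: ls -la wheelhouse
      - uses: actions/upload-artifact@v6.0.0
        name: Upload sdist artifact
        with:
          name: sdist_wheels
          path: ./wheelhouse/line_profiler*.tar.gz

  build_binpy_wheels:
    ##
    # Build binary wheels used by the release workflow.
    ##
    name: ${{ matrix.os }}, arch=${{ matrix.arch }}
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        # Normally, xcookie generates explicit lists of platforms to build / test
        # on, but in this case cibuildwheel does that for us, so we need to just
        # set the environment variables for cibuildwheel. These are parsed out of
        # the standard [tool.cibuildwheel] section in pyproject.toml and set
        # explicitly here.
        os:
          - ubuntu-latest
          - macOS-latest
          - windows-latest
          - ubuntu-24.04-arm
        cibw_skip:
          - '*-win32 cp310-win_arm64 cp313-musllinux_i686'
        arch:
          - auto
    steps:
      - name: Checkout source
        uses: actions/checkout@v6.0.2
        with:
          # Build-only job; the wheel build runs third-party code (cibuildwheel,
          # build backends) that should not be able to read a repo token.
          persist-credentials: false
      - name: Enable MSVC 64bit
        uses: ilammy/msvc-dev-cmd@v1
        if: ${{ startsWith(matrix.os, 'windows-') }}
        with:
          arch: ${{ contains(matrix.os, 'arm') && 'arm64' || 'x64' }}
      - name: Build binary wheels
        uses: pypa/cibuildwheel@v3.3.1
        with:
          output-dir: wheelhouse
          config-file: pyproject.toml
        env:
          CIBW_SKIP: ${{ matrix.cibw_skip }}
          CIBW_TEST_SKIP: '*-win_arm64'
          CIBW_ARCHS_LINUX: ${{ matrix.arch }}
          PYTHONUTF8: '1'
          VSCMD_ARG_TGT_ARCH: ''
      - name: Show built files
        shell: bash
        run: ls -la wheelhouse
      - uses: actions/upload-artifact@v6.0.0
        name: Upload wheels artifact
        with:
          name: wheels-${{ matrix.os }}-${{ matrix.arch }}
          path: ./wheelhouse/line_profiler*.whl

  test_deploy:
    name: Deploy Test
    runs-on: ubuntu-latest
    # Only pushes to main publish to TestPyPI; tags / release branches are
    # handled by live_deploy.
    if: github.event_name == 'push' && github.event.ref == 'refs/heads/main'
    needs:
      - build_binpy_wheels
      - build_sdist
    # id-token:write is what PyPI trusted publishing (OIDC) needs; no TWINE_*
    # secrets are involved. The GPG_* secrets should be scoped to this
    # environment so that only this job can read them.
    permissions:
      contents: read
      id-token: write
    environment: testpypi
    steps:
      - name: Checkout source
        uses: actions/checkout@v6.0.2
        with:
          # Only dev/public_gpg_key is read from the checkout; nothing pushes.
          persist-credentials: false
      - uses: actions/download-artifact@v4.1.8
        name: Download wheels
        with:
          pattern: wheels-*
          merge-multiple: true
          path: wheelhouse
      - uses: actions/download-artifact@v4.1.8
        name: Download sdist
        with:
          name: sdist_wheels
          path: wheelhouse
      - name: Show files to upload
        shell: bash
        run: ls -la wheelhouse
      - name: Install signing tools
        # Installed in a separate step BEFORE any key material is imported, so
        # that a compromised package pulled from PyPI cannot read the signing
        # key. twine/requests/urllib3 are not installed: nothing in this job
        # uses them (publishing goes through trusted publishing below).
        shell: bash
        run: |-
          set -euo pipefail
          python -m pip install -U pip
          python -m pip install -U opentimestamps-client
      - name: Sign distributions
        shell: bash
        env:
          GPG_SECRET_SIGNING_SUBKEY_B64: ${{ secrets.GPG_SECRET_SIGNING_SUBKEY_B64 }}
          GPG_PUBLIC_KEY_B64: ${{ secrets.GPG_PUBLIC_KEY_B64 }}
          GPG_OWNER_TRUST_B64: ${{ secrets.GPG_OWNER_TRUST_B64 }}
        run: |-
          set -euo pipefail
          # Fail loudly if a secret is missing instead of importing nothing.
          : "${GPG_PUBLIC_KEY_B64:?GPG_PUBLIC_KEY_B64 secret is not available to this job}"
          : "${GPG_OWNER_TRUST_B64:?GPG_OWNER_TRUST_B64 secret is not available to this job}"
          : "${GPG_SECRET_SIGNING_SUBKEY_B64:?GPG_SECRET_SIGNING_SUBKEY_B64 secret is not available to this job}"
          # Import into a throwaway keyring that is removed when this step
          # exits (success or failure), so the secret subkey is not left on
          # the runner for the publish / upload steps that follow.
          GNUPGHOME=$(mktemp -d)
          export GNUPGHOME
          trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT
          GPG=gpg
          "$GPG" --version
          openssl version
          echo "Importing GPG keys from CI secrets"
          printf '%s' "$GPG_PUBLIC_KEY_B64" | base64 -d | "$GPG" --batch --import
          printf '%s' "$GPG_OWNER_TRUST_B64" | base64 -d | "$GPG" --batch --import-ownertrust
          printf '%s' "$GPG_SECRET_SIGNING_SUBKEY_B64" | base64 -d | "$GPG" --batch --import
          echo "Finish importing GPG keys"
          "$GPG" --list-keys
          # The expected primary-key fingerprint is committed in the repo.
          # Refuse to sign with anything else, so a swapped or wrong secret
          # cannot silently produce signatures under a different key.
          GPG_KEYID=$(cat dev/public_gpg_key)
          if [[ -z "$GPG_KEYID" ]]; then
            echo "ERROR: dev/public_gpg_key is empty; cannot pin the signing key"
            exit 1
          fi
          echo "GPG_KEYID = '$GPG_KEYID'"
          IMPORTED_FPR=$("$GPG" --list-keys --with-colons "$GPG_KEYID" 2>/dev/null | awk -F: '/^fpr/ { print $10; exit }' || true)
          if [[ "$IMPORTED_FPR" != "$GPG_KEYID" ]]; then
            echo "ERROR: imported GPG fingerprint '$IMPORTED_FPR' does not match pinned '$GPG_KEYID'"
            exit 1
          fi
          echo "GPG fingerprint verified: $IMPORTED_FPR"
          # nullglob: a missing sdist must not turn the pattern into a literal
          # path that gpg then fails on; an empty set is an error of its own.
          shopt -s nullglob
          DIST_PATHS=(wheelhouse/*.whl wheelhouse/*.tar.gz)
          if [[ ${#DIST_PATHS[@]} -eq 0 ]]; then
            echo "ERROR: no distributions found in wheelhouse/ to sign"
            exit 1
          fi
          for DIST_PATH in "${DIST_PATHS[@]}"; do
            echo "------"
            echo "Signing $DIST_PATH"
            "$GPG" --batch --yes --detach-sign --armor --local-user "$GPG_KEYID" \
              --output "$DIST_PATH.asc" "$DIST_PATH"
            # The first verify after a fresh import has been seen to fail
            # spuriously; retry once, and fail the job if it still does.
            "$GPG" --verify "$DIST_PATH.asc" "$DIST_PATH" \
              || "$GPG" --verify "$DIST_PATH.asc" "$DIST_PATH"
          done
          ls -la wheelhouse
          # Create OpenTimestamps proofs (.ots) for the artifacts and their
          # signatures.
          ots stamp wheelhouse/*.whl wheelhouse/*.tar.gz wheelhouse/*.asc
          ls -la wheelhouse
      - name: Prepare publish directory
        shell: bash
        run: |-
          mkdir -p publish_wheelhouse
          shopt -s nullglob
          for FPATH in wheelhouse/*.whl wheelhouse/*.tar.gz wheelhouse/*.zip
          do
            cp "$FPATH" publish_wheelhouse/
          done
          ls -la publish_wheelhouse
      - name: Publish test artifacts to TestPyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: publish_wheelhouse
          skip-existing: true
          repository-url: https://test.pypi.org/legacy/
      - uses: actions/upload-artifact@v6.0.0
        name: Upload deploy artifacts
        with:
          name: deploy_artifacts
          path: |-
            wheelhouse/*.whl
            wheelhouse/*.zip
            wheelhouse/*.tar.gz
            wheelhouse/*.asc
            wheelhouse/*.ots

  live_deploy:
    name: Deploy Live
    runs-on: ubuntu-latest
    # Prefix match: any tag, and any branch named release*. The `pypi`
    # environment's deployment rules and reviewers are the real gate.
    if: github.event_name == 'push' && (startsWith(github.event.ref, 'refs/tags') || startsWith(github.event.ref, 'refs/heads/release'))
    needs:
      - build_binpy_wheels
      - build_sdist
    # id-token:write is what PyPI trusted publishing (OIDC) needs; no TWINE_*
    # secrets are involved. The GPG_* secrets should be scoped to this
    # environment so that only this job can read them.
    permissions:
      contents: read
      id-token: write
    environment: pypi
    steps:
      - name: Checkout source
        uses: actions/checkout@v6.0.2
        with:
          # Only dev/public_gpg_key is read from the checkout; nothing pushes.
          persist-credentials: false
      - uses: actions/download-artifact@v4.1.8
        name: Download wheels
        with:
          pattern: wheels-*
          merge-multiple: true
          path: wheelhouse
      - uses: actions/download-artifact@v4.1.8
        name: Download sdist
        with:
          name: sdist_wheels
          path: wheelhouse
      - name: Show files to upload
        shell: bash
        run: ls -la wheelhouse
      - name: Install signing tools
        # Installed in a separate step BEFORE any key material is imported, so
        # that a compromised package pulled from PyPI cannot read the signing
        # key. twine/requests/urllib3 are not installed: nothing in this job
        # uses them (publishing goes through trusted publishing below).
        shell: bash
        run: |-
          set -euo pipefail
          python -m pip install -U pip
          python -m pip install -U opentimestamps-client
      - name: Sign distributions
        shell: bash
        env:
          GPG_SECRET_SIGNING_SUBKEY_B64: ${{ secrets.GPG_SECRET_SIGNING_SUBKEY_B64 }}
          GPG_PUBLIC_KEY_B64: ${{ secrets.GPG_PUBLIC_KEY_B64 }}
          GPG_OWNER_TRUST_B64: ${{ secrets.GPG_OWNER_TRUST_B64 }}
        run: |-
          set -euo pipefail
          # Fail loudly if a secret is missing instead of importing nothing.
          : "${GPG_PUBLIC_KEY_B64:?GPG_PUBLIC_KEY_B64 secret is not available to this job}"
          : "${GPG_OWNER_TRUST_B64:?GPG_OWNER_TRUST_B64 secret is not available to this job}"
          : "${GPG_SECRET_SIGNING_SUBKEY_B64:?GPG_SECRET_SIGNING_SUBKEY_B64 secret is not available to this job}"
          # Import into a throwaway keyring that is removed when this step
          # exits (success or failure), so the secret subkey is not left on
          # the runner for the publish / upload steps that follow.
          GNUPGHOME=$(mktemp -d)
          export GNUPGHOME
          trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT
          GPG=gpg
          "$GPG" --version
          openssl version
          echo "Importing GPG keys from CI secrets"
          printf '%s' "$GPG_PUBLIC_KEY_B64" | base64 -d | "$GPG" --batch --import
          printf '%s' "$GPG_OWNER_TRUST_B64" | base64 -d | "$GPG" --batch --import-ownertrust
          printf '%s' "$GPG_SECRET_SIGNING_SUBKEY_B64" | base64 -d | "$GPG" --batch --import
          echo "Finish importing GPG keys"
          "$GPG" --list-keys
          # The expected primary-key fingerprint is committed in the repo.
          # Refuse to sign with anything else, so a swapped or wrong secret
          # cannot silently produce signatures under a different key.
          GPG_KEYID=$(cat dev/public_gpg_key)
          if [[ -z "$GPG_KEYID" ]]; then
            echo "ERROR: dev/public_gpg_key is empty; cannot pin the signing key"
            exit 1
          fi
          echo "GPG_KEYID = '$GPG_KEYID'"
          IMPORTED_FPR=$("$GPG" --list-keys --with-colons "$GPG_KEYID" 2>/dev/null | awk -F: '/^fpr/ { print $10; exit }' || true)
          if [[ "$IMPORTED_FPR" != "$GPG_KEYID" ]]; then
            echo "ERROR: imported GPG fingerprint '$IMPORTED_FPR' does not match pinned '$GPG_KEYID'"
            exit 1
          fi
          echo "GPG fingerprint verified: $IMPORTED_FPR"
          # nullglob: a missing sdist must not turn the pattern into a literal
          # path that gpg then fails on; an empty set is an error of its own.
          shopt -s nullglob
          DIST_PATHS=(wheelhouse/*.whl wheelhouse/*.tar.gz)
          if [[ ${#DIST_PATHS[@]} -eq 0 ]]; then
            echo "ERROR: no distributions found in wheelhouse/ to sign"
            exit 1
          fi
          for DIST_PATH in "${DIST_PATHS[@]}"; do
            echo "------"
            echo "Signing $DIST_PATH"
            "$GPG" --batch --yes --detach-sign --armor --local-user "$GPG_KEYID" \
              --output "$DIST_PATH.asc" "$DIST_PATH"
            # The first verify after a fresh import has been seen to fail
            # spuriously; retry once, and fail the job if it still does.
            "$GPG" --verify "$DIST_PATH.asc" "$DIST_PATH" \
              || "$GPG" --verify "$DIST_PATH.asc" "$DIST_PATH"
          done
          ls -la wheelhouse
          # Create OpenTimestamps proofs (.ots) for the artifacts and their
          # signatures.
          ots stamp wheelhouse/*.whl wheelhouse/*.tar.gz wheelhouse/*.asc
          ls -la wheelhouse
      - name: Prepare publish directory
        shell: bash
        run: |-
          mkdir -p publish_wheelhouse
          shopt -s nullglob
          for FPATH in wheelhouse/*.whl wheelhouse/*.tar.gz wheelhouse/*.zip
          do
            cp "$FPATH" publish_wheelhouse/
          done
          ls -la publish_wheelhouse
      - name: Publish live artifacts to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: publish_wheelhouse
          skip-existing: true
      - uses: actions/upload-artifact@v6.0.0
        name: Upload deploy artifacts
        with:
          name: deploy_artifacts
          path: |-
            wheelhouse/*.whl
            wheelhouse/*.zip
            wheelhouse/*.tar.gz
            wheelhouse/*.asc
            wheelhouse/*.ots

  release:
    name: Create Github Release
    if: github.event_name == 'push' && (startsWith(github.event.ref, 'refs/tags') || startsWith(github.event.ref, 'refs/heads/release'))
    runs-on: ubuntu-latest
    # The only job that writes to the repository: it pushes the version tag
    # and creates the (draft) GitHub release. It runs only after the PyPI
    # publish succeeded.
    permissions:
      contents: write
    needs:
      - live_deploy
    steps:
      - name: Checkout source
        # Credentials are deliberately persisted (checkout default): the tag
        # step below pushes with them.
        uses: actions/checkout@v6.0.2
      - uses: actions/download-artifact@v4.1.8
        name: Download artifacts
        with:
          name: deploy_artifacts
          path: wheelhouse
      - name: Show files to release
        shell: bash
        run: ls -la wheelhouse
      - name: Write placeholder release notes
        shell: bash
        # $GITHUB_WORKSPACE is the same path as ${{ github.workspace }} used by
        # body_path below; the env var avoids expression interpolation in shell.
        run: echo "Automatic Release Notes. TODO: improve" > "${GITHUB_WORKSPACE}-CHANGELOG.txt"
      - name: Tag Release Commit
        id: tag_release
        if: (startsWith(github.event.ref, 'refs/heads/release'))
        shell: bash
        run: |-
          set -euo pipefail
          VERSION=$(python -c "import setup; print(setup.VERSION)")
          git tag "v$VERSION"
          git push origin "v$VERSION"
          # Exported so the release step can name the release after the tag it
          # just created rather than after the branch ref.
          echo "tag=v$VERSION" >> "$GITHUB_OUTPUT"
      - uses: softprops/action-gh-release@v1
        name: Create Release
        id: create_release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          body_path: ${{ github.workspace }}-CHANGELOG.txt
          # On a tag push github.ref is the tag itself. On a release-branch
          # push it would be 'refs/heads/release...', which is not a usable
          # release tag, so prefer the tag created by the step above when set.
          tag_name: ${{ steps.tag_release.outputs.tag || github.ref }}
          name: Release ${{ steps.tag_release.outputs.tag || github.ref }}
          body: Automatic Release
          generate_release_notes: true
          draft: true
          prerelease: false
          files: |-
            wheelhouse/*.whl
            wheelhouse/*.asc
            wheelhouse/*.ots
            wheelhouse/*.zip
            wheelhouse/*.tar.gz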
###
# Trusted publishing setup checklist
#
# This release workflow file:
# .github/workflows/release.yml
# Workflow page:
# github.com/pyutils/line_profiler/actions/workflows/release.yml
# Workflow source:
# github.com/pyutils/line_profiler/blob/main/.github/workflows/release.yml
# GitHub environments:
# github.com/pyutils/line_profiler/settings/environments
#
# Official references:
# https://docs.pypi.org/trusted-publishers/
# https://docs.pypi.org/trusted-publishers/using-a-publisher/
# https://docs.pypi.org/trusted-publishers/security-model/
# https://docs.github.com/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
# https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment
#
# If trusted publishing is not configured yet:
#
# 1. In GitHub, create or review these protected environments:
# - testpypi
# - pypi
# URL:
# github.com/pyutils/line_profiler/settings/environments
#
# Some xcookie setups will expect a setup like:
#
# - testpypi:
# * environment name: testpypi
# * use for non-release pushes that publish to TestPyPI
# * usually no manual approval is needed
# * optionally restrict deployment branches if you only want
# TestPyPI publishes from selected branches
#
# - pypi:
# * environment name: pypi
# * use for real releases only
# * require manual approval / required reviewers
# * prevent self-review if your org supports it
#     * restrict deployments to release branches / version tags. This is the
#       effective gate: the workflow's own live_deploy / release conditions
#       are prefix matches (startsWith on 'refs/tags' and 'refs/heads/release'),
#       so without this rule any tag, or any branch whose name starts with
#       "release", would publish to PyPI.
#
# - do not put TWINE_* secrets in these environments when using
# trusted publishing
#
# - if enable_gpg=true and ci_gpg_secret_transport=encrypted_repo:
# store CI_SECRET as an environment secret (not repo-wide)
# - if enable_gpg=true and ci_gpg_secret_transport=direct_ci:
# store GPG_SECRET_SIGNING_SUBKEY_B64, GPG_PUBLIC_KEY_B64, and
# GPG_OWNER_TRUST_B64 as environment secrets; no CI_SECRET needed
#
# 2. In PyPI, add a trusted publisher for this project:
# owner: pyutils
# repository: line_profiler
# workflow filename: release.yml
# environment: pypi
# Project publishing page:
# https://pypi.org/manage/project/line-profiler/settings/publishing/
# Account publishing page:
# https://pypi.org/manage/account/publishing/
#
# 3. In TestPyPI, add a trusted publisher for this project:
# owner: pyutils
# repository: line_profiler
# workflow filename: release.yml
# environment: testpypi
# Project publishing page:
# https://test.pypi.org/manage/project/line-profiler/settings/publishing/
# Account publishing page:
# https://test.pypi.org/manage/account/publishing/
#
# Notes:
# - Keep the workflow filename stable after registration.
# - The PyPI/TestPyPI project pages may not exist until the project
# exists there; use the account publishing pages for pending publishers.
# - Trusted publishing removes TWINE_* secrets.
# - When enable_gpg=true and ci_gpg_secret_transport="encrypted_repo":
# CI_SECRET is still required (environment-scoped to pypi/testpypi).
# - When enable_gpg=true and ci_gpg_secret_transport="direct_ci":
# GPG_SECRET_SIGNING_SUBKEY_B64, GPG_PUBLIC_KEY_B64, and GPG_OWNER_TRUST_B64
# are required (environment-scoped to pypi/testpypi). No CI_SECRET.