-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathrelease.yml
More file actions
137 lines (121 loc) · 5.26 KB
/
Copy pathrelease.yml
File metadata and controls
137 lines (121 loc) · 5.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Release
on:
push:
branches:
- main
# Limit token permissions for security
permissions: read-all
jobs:
github-release:
if: "!startsWith(github.event.head_commit.message, 'build: 🔖 update version')"
runs-on: ubuntu-latest
# To generate releases, this job needs write access to the repository contents.
permissions:
contents: write
# Can only release one version at a time, so need to stop any other jobs that
# are also trying to release, to prevent conflicts.
concurrency:
group: release-group
cancel-in-progress: true
# Used by the publishing job
outputs:
has_changes: ${{ steps.check_changes.outputs.has_changes }}
current_version: ${{ steps.create_release.outputs.current_version }}
steps:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
# Using this security pattern for GitHub Apps is recommended by GitHub and ensures that
# the token is only available for a short time and has limited permissions. Check out
# <https://guidebook.seedcase-project.org/operations/security> for more details.
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
id: app-token
with:
client-id: ${{ vars.UPDATE_VERSION_APP_ID }}
private-key: ${{ secrets.UPDATE_VERSION_TOKEN }}
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# Only need the last commit from the repo.
fetch-depth: 0
# Requires the token in order to push changes to the repo for the release.
token: ${{ steps.app-token.outputs.token }}
# Set this for the bot user who will make the release commit.
- name: Set bot user
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Install Cocogitto
uses: cocogitto/cocogitto-action@9a9fe03b31c47444290c0d7f9b1ee1b44ee13f20 # v4.1.0
with:
command: check
# Install uv to use git-cliff and rumdl
- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
enable-cache: true
- name: Check if there are releasable changes
continue-on-error: true
id: check_changes
run: |
# Determine if a bump is possible.
if [[ $(cog bump --auto --dry-run --config .config/cog.toml) != No* ]]; then
echo "has_changes=true" >> $GITHUB_OUTPUT
else
echo "has_changes=false" >> $GITHUB_OUTPUT
fi
- name: Create tag and update changelog
if: steps.check_changes.outputs.has_changes == 'true'
run: |
cog bump --auto --config .config/cog.toml
- name: Create GitHub release
id: create_release
if: steps.check_changes.outputs.has_changes == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
version=$(cog get-version)
# Remove logging from git-cliff.
RUST_LOG='none' uvx git-cliff --latest --output RELEASE_NOTES.md --strip all
gh release create "${version}" \
--title "Release ${version}" \
--notes-file RELEASE_NOTES.md
echo "current_version=${version}" >> $GITHUB_OUTPUT
pypi-publish:
name: Publish to PyPI
runs-on: ubuntu-latest
# Only give permissions for this job.
permissions:
# IMPORTANT: Mandatory for trusted publishing.
id-token: write
environment:
name: pypi
needs:
- github-release
if: ${{ needs.github-release.outputs.has_changes }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# Need to explicitly get the current version, otherwise it defaults to current commit
# (which is not the same as the release/version commit).
ref: ${{ needs.github-release.outputs.current_version }}
# This workflow and the publish workflows are based on:
# - https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
# - https://www.andrlik.org/dispatches/til-use-uv-for-build-and-publish-github-actions/
# - https://github.com/astral-sh/trusted-publishing-examples
- name: Set up uv
uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
- name: Build distributions
# Builds dists from source and stores them in the dist/ directory.
run: uv build
- name: Publish 📦 to PyPI
# Only publish if the option is explicitly set in the calling workflow.
run: uv publish --trusted-publishing always