-
Notifications
You must be signed in to change notification settings - Fork 294
121 lines (106 loc) · 3.76 KB
/
cd.yml
File metadata and controls
121 lines (106 loc) · 3.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: CD
concurrency: cd
on:
push:
tags:
- v*
permissions: {}
jobs:
test:
uses: ./.github/workflows/_test.yml
build:
name: Build
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout release tag
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
ref: ${{ github.event.workflow_run.head_branch }}
- name: Set up Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.x'
- name: Install build dependency
run: python3 -m pip install --constraint requirements/build.txt build
- name: Build binary wheel, source tarball and changelog
run: |
python3 -m build --sdist --wheel --outdir dist/ .
awk "/## $GITHUB_REF_NAME/{flag=1; next} /## v/{flag=0} flag" docs/CHANGELOG.md > changelog
- name: Store build artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: build-artifacts
path: |
dist
changelog
candidate_release:
name: Release candidate on Github for review
runs-on: ubuntu-latest
needs: build
permissions:
contents: write # to modify GitHub releases
outputs:
release_id: ${{ steps.gh-release.outputs.result }}
steps:
- name: Fetch build artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: build-artifacts
- id: gh-release
name: Publish GitHub release draft
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
fs = require('fs')
res = await github.rest.repos.createRelease({
owner: context.repo.owner,
repo: context.repo.repo,
name: process.env.REF_NAME + '-rc',
tag_name: process.env.REF,
body: fs.readFileSync('changelog', 'utf8'),
});
fs.readdirSync('dist/').forEach(file => {
github.rest.repos.uploadReleaseAsset({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: res.data.id,
name: file,
data: fs.readFileSync('dist/' + file),
});
});
return res.data.id
env:
REF_NAME: ${{ github.ref_name }}
REF: ${{ github.ref }}
release:
name: Release
runs-on: ubuntu-latest
needs: candidate_release
environment: release
permissions:
contents: write # to modify GitHub releases
id-token: write # to authenticate as Trusted Publisher to pypi.org
steps:
- name: Fetch build artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: build-artifacts
- name: Publish binary wheel and source tarball on PyPI
# Only attempt pypi upload in upstream repository
if: github.repository == 'theupdateframework/python-tuf'
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
- name: Finalize GitHub release
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
github.rest.repos.updateRelease({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: process.env.RELEASE_ID,
name: process.env.REF_NAME,
})
env:
REF_NAME: ${{ github.ref_name }}
RELEASE_ID: ${{ needs.candidate_release.outputs.release_id }}