refactor build workflow
This change separates the publish steps from the common build workflow.
This should make it easier to maintain these workflows going forward.
jls5177 committed Nov 18, 2024
1 parent e1c8b84 commit d27420c
Showing 2 changed files with 113 additions and 58 deletions.
76 changes: 18 additions & 58 deletions .github/workflows/build.yml
@@ -1,25 +1,37 @@
name: Build

on: [push, pull_request]
on:
pull_request:
branches: [ "development" ]
push:
branches: [ "development" ]

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
python_version: ['3.10']

steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python_version }}
python-version: "3.12"
cache: "pip"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install hatch
hatch env create
- name: Cache Hatch
id: cache-hatch
uses: actions/cache@v3
with:
path: /home/runner/.local/share/hatch/env/virtual/
key: ${{ runner.os }}-hatch
- name: Build
run: hatch build
- name: Lint and typecheck
run: |
hatch fmt --check
Expand All @@ -31,55 +43,3 @@ jobs:
# token: ${{ secrets.CODECOV_TOKEN }}
# fail_ci_if_error: true
# verbose: true

release:
runs-on: ubuntu-latest
environment: release
needs: test
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: write
id-token: write

steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.9'
- name: Install dependencies
shell: bash
run: |
python -m pip install --upgrade pip
pip install hatch
- name: mint API token
id: mint-token
run: |
# retrieve the ambient OIDC token
resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
oidc_token=$(jq -r '.value' <<< "${resp}")
# exchange the OIDC token for an API token
resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
api_token=$(jq -r '.token' <<< "${resp}")
# mask the newly minted API token, so that we don't accidentally leak it
echo "::add-mask::${api_token}"
# see the next step in the workflow for an example of using this step output
echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
- name: Build and publish on PyPI
env:
HATCH_INDEX_USER: __token__
HATCH_INDEX_AUTH: ${{ steps.mint-token.outputs.api-token }}
run: |
hatch build
hatch publish
- name: Create release
uses: ncipollo/release-action@v1
with:
draft: true
body: ${{ github.event.head_commit.message }}
artifacts: dist/*.whl,dist/*.tar.gz
token: ${{ secrets.GITHUB_TOKEN }}
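Review bot: The Cache Hatch step's key `${{ runner.os }}-hatch` contains no content hash, so once saved the same environment is restored on every run regardless of changes to the project's dependencies; `key: ${{ runner.os }}-hatch-${{ hashFiles('pyproject.toml') }}` with `restore-keys: ${{ runner.os }}-hatch-` keeps the hit rate while invalidating on dependency changes. If the step order shown is the final one, that cache step also runs after `hatch env create`, so the restore would land on top of the environment just built rather than letting the job skip building it; placing the cache step before Install dependencies is the usual arrangement. `actions/cache@v3` is also a major version behind the `@v4`/`@v5` actions around it. The `test` job continues into the second hunk.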
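--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,95 @@
+# This workflow will upload a Python Package using Hatch when a new tag is pushed to the repository.
+
+name: Publish Python 🐍 distribution 📦 to PyPI
+
+on:
+push:
+tags:
+- '*'
+
+jobs:
+build:
+name: Build distribution 📦
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v4
+- name: Set up Python
+uses: actions/setup-python@v5
+with:
+python-version: "3.x"
+- name: Install dependencies
+run: |
+python -m pip install --upgrade pip
+pip install hatch
+- name: Build a binary wheel and a source tarball
+run: hatch build
+- name: Store the distribution packages
+uses: actions/upload-artifact@v4
+with:
+name: python-package-distributions
+path: dist/
+
+publish-to-pypi:
+name: >-
+Publish Python 🐍 distribution 📦 to PyPI
+needs:
+- build
+runs-on: ubuntu-latest
+environment:
+name: pypi
+url: https://pypi.org/p/pymctp
+permissions:
+id-token: write # IMPORTANT: mandatory for trusted publishing
+
+steps:
+- name: Download all the dists
+uses: actions/download-artifact@v4
+with:
+name: python-package-distributions
+path: dist/
+- name: Publish distribution 📦 to PyPI
+uses: pypa/gh-action-pypi-publish@release/v1
+
+github-release:
+name: >-
+Sign the Python 🐍 distribution 📦 with Sigstore
+and upload them to GitHub Release
+needs:
+- publish-to-pypi
+runs-on: ubuntu-latest
+
+permissions:
+contents: write # IMPORTANT: mandatory for making GitHub Releases
+id-token: write # IMPORTANT: mandatory for sigstore
+
+steps:
+- name: Download all the dists
+uses: actions/download-artifact@v4
+with:
+name: python-package-distributions
+path: dist/
+- name: Sign the dists with Sigstore
+uses: sigstore/gh-action-sigstore-python@v3.0.0
+with:
+inputs: >-
+./dist/*.tar.gz
+./dist/*.whl
+- name: Create GitHub Release
+env:
+GITHUB_TOKEN: ${{ github.token }}
+run: >-
+gh release create
+'${{ github.ref_name }}'
+--repo '${{ github.repository }}'
+--notes ""
+- name: Upload artifact signatures to GitHub Release
+env:
+GITHUB_TOKEN: ${{ github.token }}
+# Upload to GitHub Release using the `gh` CLI.
+# `dist/` contains the built packages, and the
+# sigstore-produced signatures and certificates.
+run: >-
+gh release upload
+'${{ github.ref_name }}' dist/**
+--repo '${{ github.repository }}'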
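Review bot: The new workflow has no top-level `permissions:` block, so the `build` job, which unlike `publish-to-pypi` and `github-release` declares none of its own, runs with the repository's default token scope instead of least privilege; adding `permissions: contents: read` at the workflow level, as build.yml does, leaves the explicit `id-token: write` and `contents: write` grants on the two jobs that need them. The third-party actions on the `uses:` lines, `pypa/gh-action-pypi-publish@release/v1` and `sigstore/gh-action-sigstore-python@v3.0.0`, are referenced by mutable refs in jobs that hold `id-token: write`; pinning each to a full commit SHA with the tag in a trailing comment (`uses: pypa/gh-action-pypi-publish@<commit-sha>  # release/v1`) is the usual hardening for release workflows. Separately, `gh release create … --notes ""` publishes a non-draft release with an empty body, whereas the job removed from build.yml created a draft with the commit message as body, so confirm that change is intended.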
