Update build_and_release.yml workflows

Signed-off-by: Tsuyoshi Hombashi <tsuyoshi.hombashi@gmail.com>
thombashi · May 2, 2024 · d28d33c · d28d33c
1 parent 197e0bc
commit d28d33c
Showing 1 changed file with 84 additions and 11 deletions.
diff --git a/.github/workflows/build_and_release.yml b/.github/workflows/build_and_release.yml
@@ -11,7 +11,7 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  contents: write
+  contents: read
 
 env:
   BIN_NAME: tcconfig
@@ -20,7 +20,7 @@ env:
   SHA_TEXT_FILE: sha256_tcconfig.txt
 
 jobs:
-  build-and-release:
+  build-deb-package:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 20
 
@@ -60,18 +60,62 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-      - name: Release
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  build-wheel-package:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - uses: actions/checkout@v4
         with:
-          files: ${{ env.DIST_DIR_NAME }}/${{ env.BIN_NAME }}_*
+          fetch-depth: 0
+          fetch-tags: true
 
-  calc-hash:
-    needs: [build-and-release]
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+          cache-dependency-path: |
+            setup.py
+            **/*requirements.txt
+            tox.ini
+
+      - run: make setup-ci
+
+      - run: make build
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: wheel
+          path: ${{ env.DIST_DIR_NAME }}/*
+
+  publish-package:
+    needs: [build-wheel-package, build-deb-package]
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    environment:
+      name: pypi
+      url: https://pypi.org/p/tcconfig
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: wheel
+          path: ${{ env.DIST_DIR_NAME }}
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true
+
+  calc-hash-and-sign:
+    needs: [publish-package]
     runs-on: ubuntu-latest
     timeout-minutes: 20
+    permissions:
+      id-token: write
+      contents: write
 
     steps:
       - uses: actions/checkout@v4
@@ -86,9 +130,22 @@ jobs:
           name: binaries-ubuntu-22.04
           path: ${{ env.DIST_DIR_NAME }}
 
+      - uses: actions/download-artifact@v4
+        with:
+          name: wheel
+          path: ${{ env.DIST_DIR_NAME }}
+
       - name: Setup environment variables
         run: echo "TCCONFIG_VERSION=$(grep -Po "(?<=__version__ = \")\d+\.\d+\.\d+(?=\")" tcconfig/__version__.py)" >> $GITHUB_ENV
 
+      - name: Sign the dists with Sigstore
+        uses: sigstore/gh-action-sigstore-python@v2.1.1
+        with:
+          inputs: >-
+            ${{ env.DIST_DIR_NAME }}/*.tar.gz
+            ${{ env.DIST_DIR_NAME }}/*.whl
+            ${{ env.DIST_DIR_NAME }}/${{ env.BIN_NAME }}_*.deb
+
       - name: Calculate checksums of binary assets
         run: |
           set -x
@@ -110,7 +167,23 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-      - name: Release
+      - name: List files
+        run: |
+          set -x
+
+          ls -l ${{ env.DIST_DIR_NAME }}
+          ls -l ${{ env.DIST_DIR_NAME }}/${{ env.BIN_NAME }}_*
+          ls -l ${{ env.SHA_DIR }}/${{ env.SHA_TEXT_FILE }}
+
+      - name: Release binaries
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: softprops/action-gh-release@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          files: ${{ env.DIST_DIR_NAME }}/${{ env.BIN_NAME }}_*
+
+      - name: Release checksums
         if: startsWith(github.ref, 'refs/tags/')
         uses: softprops/action-gh-release@v2
         env: