-
Notifications
You must be signed in to change notification settings - Fork 275
113 lines (99 loc) · 3.58 KB
/
cd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
name: CD
concurrency: cd
on:
push:
tags:
- v*
permissions: {}
jobs:
test:
uses: ./.github/workflows/_test.yml
build:
name: Build
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout release tag
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.workflow_run.head_branch }}
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: '3.x'
- name: Install build dependency
run: python3 -m pip install --constraint requirements/build.txt build
- name: Build binary wheel, source tarball and changelog
run: |
PIP_CONSTRAINT=requirements/build.txt python3 -m build --sdist --wheel --outdir dist/ .
awk "/## $GITHUB_REF_NAME/{flag=1; next} /## v/{flag=0} flag" docs/CHANGELOG.md > changelog
- name: Store build artifacts
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: build-artifacts
path: |
dist
changelog
candidate_release:
name: Release candidate on Github for review
runs-on: ubuntu-latest
needs: build
permissions:
contents: write # to modify GitHub releases
outputs:
release_id: ${{ steps.gh-release.outputs.result }}
steps:
- name: Fetch build artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
- id: gh-release
name: Publish GitHub release draft
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
fs = require('fs')
res = await github.rest.repos.createRelease({
owner: context.repo.owner,
repo: context.repo.repo,
name: '${{ github.ref_name }}-rc',
tag_name: '${{ github.ref }}',
body: fs.readFileSync('changelog', 'utf8'),
});
fs.readdirSync('dist/').forEach(file => {
github.rest.repos.uploadReleaseAsset({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: res.data.id,
name: file,
data: fs.readFileSync('dist/' + file),
});
});
return res.data.id
release:
name: Release
runs-on: ubuntu-latest
needs: candidate_release
environment: release
permissions:
contents: write # to modify GitHub releases
id-token: write # to authenticate as Trusted Publisher to pypi.org
steps:
- name: Fetch build artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
- name: Publish binary wheel and source tarball on PyPI
# Only attempt pypi upload in upstream repository
if: github.repository == 'theupdateframework/python-tuf'
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
- name: Finalize GitHub release
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
github.rest.repos.updateRelease({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: '${{ needs.candidate_release.outputs.release_id }}',
name: '${{ github.ref_name }}',
})