|
15 | 15 | # Allows you to run this workflow manually from the Actions tab |
16 | 16 | workflow_dispatch: |
17 | 17 |
|
| 18 | +# default: least privileged permissions across all jobs |
| 19 | +permissions: |
| 20 | + contents: read |
| 21 | + |
18 | 22 | jobs: |
19 | | - deploy: |
20 | | - if: "!contains(github.event.head_commit.message, 'skip ci')" |
21 | | - name: Deploy and Publish |
| 23 | + release: |
22 | 24 | runs-on: ubuntu-latest |
| 25 | + concurrency: |
| 26 | + group: ${{ github.workflow }}-release-${{ github.ref_name }} |
| 27 | + cancel-in-progress: false |
| 28 | + |
| 29 | + permissions: |
| 30 | + contents: write |
23 | 31 |
|
24 | 32 | steps: |
25 | | - - uses: actions/checkout@v2 |
26 | | - with: |
27 | | - persist-credentials: false |
| 33 | + # Note: We checkout the repository at the branch that triggered the workflow. |
| 34 | + # Python Semantic Release will automatically convert shallow clones to full clones |
| 35 | + # if needed to ensure proper history evaluation. However, we forcefully reset the |
| 36 | + # branch to the workflow sha because it is possible that the branch was updated |
| 37 | + # while the workflow was running, which prevents accidentally releasing un-evaluated |
| 38 | + # changes. |
| 39 | + - name: Setup | Checkout Repository on Release Branch |
| 40 | + uses: actions/checkout@v6 |
| 41 | + with: |
| 42 | + ref: ${{ github.ref_name }} |
| 43 | + |
| 44 | + - name: Setup | Force release branch to be at workflow sha |
| 45 | + run: | |
| 46 | + git reset --hard ${{ github.sha }} |
28 | 47 |
|
29 | | - - name: Set up Python |
30 | | - uses: actions/setup-python@v2 |
31 | | - with: |
32 | | - python-version: '3.11' |
| 48 | + - name: Action | Semantic Version Release |
| 49 | + id: release |
| 50 | + # Adjust tag with desired version if applicable. |
| 51 | + uses: python-semantic-release/python-semantic-release@v10.5.3 |
| 52 | + with: |
| 53 | + github_token: ${{ secrets.GITHUB_TOKEN }} |
| 54 | + git_committer_name: "github-actions" |
| 55 | + git_committer_email: "actions@users.noreply.github.com" |
33 | 56 |
|
34 | | - - name: Setup Node |
35 | | - uses: actions/setup-node@v2 |
36 | | - with: |
37 | | - node-version: 20 |
| 57 | + - name: Publish | Upload to GitHub Release Assets |
| 58 | + uses: python-semantic-release/publish-action@v10.5.3 |
| 59 | + if: steps.release.outputs.released == 'true' |
| 60 | + with: |
| 61 | + github_token: ${{ secrets.GITHUB_TOKEN }} |
| 62 | + tag: ${{ steps.release.outputs.tag }} |
38 | 63 |
|
39 | | - - name: Install Semantic Release dependencies |
40 | | - run: | |
41 | | - sudo apt-get install bumpversion |
42 | | - npm install -g semantic-release |
43 | | - npm install -g @semantic-release/changelog |
44 | | - npm install -g @semantic-release/exec |
45 | | - npm install -g @semantic-release/git |
46 | | - npm install -g @semantic-release/github |
47 | | - npm install -g @semantic-release/commit-analyzer |
48 | | - npm install -g @semantic-release/release-notes-generator |
| 64 | + - name: Upload | Distribution Artifacts |
| 65 | + uses: actions/upload-artifact@v5 |
| 66 | + with: |
| 67 | + name: distribution-artifacts |
| 68 | + path: dist/ |
| 69 | + if-no-files-found: error |
49 | 70 |
|
50 | | - - name: Publish js docs |
51 | | - if: ${{ github.event.workflow_run.conclusion == 'success' }} |
52 | | - env: |
53 | | - GH_TOKEN: ${{ secrets.GH_TOKEN }} |
54 | | - GHA_BRANCH: ${{ github.ref }} # non PR only need to get last part |
55 | | - GHA_COMMIT: ${{ github.sha }} |
56 | | - run: | |
57 | | - sudo apt-get install python3-sphinx |
58 | | - docs/publish_gha.sh |
| 71 | + outputs: |
| 72 | + released: ${{ steps.release.outputs.released || 'false' }} |
59 | 73 |
|
60 | | - - name: Publish to Git Releases and Tags |
61 | | - if: ${{ github.event.workflow_run.conclusion == 'success' }} |
62 | | - env: |
63 | | - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} |
64 | | - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} |
65 | | - run: npx semantic-release #--dry-run --branches 9388_gha Uncomment for testing purposes |
| 74 | + deploy: |
| 75 | + # 1. Separate out the deploy step from the publish step to run each step at |
| 76 | + # the least amount of token privilege |
| 77 | + # 2. Also, deployments can fail, and its better to have a separate job if you need to retry |
| 78 | + # and it won't require reversing the release. |
| 79 | + runs-on: ubuntu-latest |
| 80 | + needs: release |
| 81 | + if: ${{ needs.release.outputs.released == 'true' }} |
66 | 82 |
|
67 | | - - name: Build binary wheel and a source tarball |
68 | | - run: | |
69 | | - pip3 install setuptools wheel twine build |
70 | | - python setup.py sdist |
| 83 | + permissions: |
| 84 | + contents: read |
| 85 | + id-token: write # IMPORTANT: mandatory for trusted publishing |
| 86 | + |
| 87 | + steps: |
| 88 | + - name: Download all the dists |
| 89 | + uses: actions/download-artifact@v6 |
| 90 | + with: |
| 91 | + name: distribution-artifacts |
| 92 | + path: dist/ |
71 | 93 |
|
72 | | - - name: Publish package distributions to PyPI |
73 | | - uses: pypa/gh-action-pypi-publish@release/v1 |
74 | | - with: |
75 | | - password: ${{ secrets.PYPI_TOKEN }} |
| 94 | + - name: Publish distribution 📦 to PyPI |
| 95 | + uses: pypa/gh-action-pypi-publish@release/v1 |
0 commit comments