Merge pull request #2630 from lukpueh/release-v5 #27
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CD | |
| concurrency: cd | |
| on: | |
| push: | |
| tags: | |
| - v* | |
| permissions: {} | |
| jobs: | |
| test: | |
| uses: ./.github/workflows/_test.yml | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| needs: test | |
| steps: | |
| - name: Checkout release tag | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| with: | |
| ref: ${{ github.event.workflow_run.head_branch }} | |
| - name: Set up Python | |
| uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 | |
| with: | |
| python-version: '3.x' | |
| - name: Install build dependency | |
| run: python3 -m pip install --constraint requirements/build.txt build | |
| - name: Build binary wheel, source tarball and changelog | |
| run: | | |
| PIP_CONSTRAINT=requirements/build.txt python3 -m build --sdist --wheel --outdir dist/ . | |
| awk "/## $GITHUB_REF_NAME/{flag=1; next} /## v/{flag=0} flag" docs/CHANGELOG.md > changelog | |
| - name: Store build artifacts | |
| uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| with: | |
| name: build-artifacts | |
| path: | | |
| dist | |
| changelog | |
| candidate_release: | |
| name: Release candidate on Github for review | |
| runs-on: ubuntu-latest | |
| needs: build | |
| permissions: | |
| contents: write # to modify GitHub releases | |
| outputs: | |
| release_id: ${{ steps.gh-release.outputs.result }} | |
| steps: | |
| - name: Fetch build artifacts | |
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| name: build-artifacts | |
| - id: gh-release | |
| name: Publish GitHub release draft | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| fs = require('fs') | |
| res = await github.rest.repos.createRelease({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| name: '${{ github.ref_name }}-rc', | |
| tag_name: '${{ github.ref }}', | |
| body: fs.readFileSync('changelog', 'utf8'), | |
| }); | |
| fs.readdirSync('dist/').forEach(file => { | |
| github.rest.repos.uploadReleaseAsset({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| release_id: res.data.id, | |
| name: file, | |
| data: fs.readFileSync('dist/' + file), | |
| }); | |
| }); | |
| return res.data.id | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| needs: candidate_release | |
| environment: release | |
| permissions: | |
| contents: write # to modify GitHub releases | |
| id-token: write # to authenticate as Trusted Publisher to pypi.org | |
| steps: | |
| - name: Fetch build artifacts | |
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| name: build-artifacts | |
| - name: Publish binary wheel and source tarball on PyPI | |
| # Only attempt pypi upload in upstream repository | |
| if: github.repository == 'theupdateframework/python-tuf' | |
| uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14 | |
| - name: Finalize GitHub release | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| github.rest.repos.updateRelease({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| release_id: '${{ needs.candidate_release.outputs.release_id }}', | |
| name: '${{ github.ref_name }}', | |
| }) |