-
Notifications
You must be signed in to change notification settings - Fork 292
121 lines (106 loc) · 3.76 KB
/
cd.yml
File metadata and controls
121 lines (106 loc) · 3.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: CD
concurrency: cd
on:
push:
tags:
- v*
permissions: {}
jobs:
test:
uses: ./.github/workflows/_test.yml
build:
name: Build
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout release tag
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
ref: ${{ github.event.workflow_run.head_branch }}
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.x'
- name: Install build dependency
run: python3 -m pip install --constraint requirements/build.txt build
- name: Build binary wheel, source tarball and changelog
run: |
python3 -m build --sdist --wheel --outdir dist/ .
awk "/## $GITHUB_REF_NAME/{flag=1; next} /## v/{flag=0} flag" docs/CHANGELOG.md > changelog
- name: Store build artifacts
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: build-artifacts
path: |
dist
changelog
candidate_release:
name: Release candidate on Github for review
runs-on: ubuntu-latest
needs: build
permissions:
contents: write # to modify GitHub releases
outputs:
release_id: ${{ steps.gh-release.outputs.result }}
steps:
- name: Fetch build artifacts
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
with:
name: build-artifacts
- id: gh-release
name: Publish GitHub release draft
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
fs = require('fs')
res = await github.rest.repos.createRelease({
owner: context.repo.owner,
repo: context.repo.repo,
name: process.env.REF_NAME + '-rc',
tag_name: process.env.REF,
body: fs.readFileSync('changelog', 'utf8'),
});
fs.readdirSync('dist/').forEach(file => {
github.rest.repos.uploadReleaseAsset({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: res.data.id,
name: file,
data: fs.readFileSync('dist/' + file),
});
});
return res.data.id
env:
REF_NAME: ${{ github.ref_name }}
REF: ${{ github.ref }}
release:
name: Release
runs-on: ubuntu-latest
needs: candidate_release
environment: release
permissions:
contents: write # to modify GitHub releases
id-token: write # to authenticate as Trusted Publisher to pypi.org
steps:
- name: Fetch build artifacts
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
with:
name: build-artifacts
- name: Publish binary wheel and source tarball on PyPI
# Only attempt pypi upload in upstream repository
if: github.repository == 'theupdateframework/python-tuf'
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
- name: Finalize GitHub release
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
github.rest.repos.updateRelease({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: process.env.RELEASE_ID,
name: process.env.REF_NAME,
})
env:
REF_NAME: ${{ github.ref_name }}
RELEASE_ID: ${{ needs.candidate_release.outputs.release_id }}