From e0929481c81c5887e60e934312bf62309bf0b797 Mon Sep 17 00:00:00 2001 From: Richard Levasseur Date: Wed, 15 Oct 2025 18:35:31 -0700 Subject: [PATCH] chore: switch to use publish-to-bcr workflow --- .github/workflows/publish.yml | 35 +++++++++++++++++++++++ .github/workflows/release.yml | 52 +++++++++++++++++++++++------------ 2 files changed, 69 insertions(+), 18 deletions(-) create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000000..f03e02168f --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,35 @@ +# See https://github.com/bazel-contrib/publish-to-bcr +name: Publish to BCR + +on: + # Run the publish workflow after a successful release + # Can be triggered from the release.yaml workflow + workflow_call: + inputs: + tag_name: + required: true + type: string + secrets: + BCR_PUBLISH_TOKEN: + required: true + # In case of problems, let release engineers retry by manually dispatching + # the workflow from the GitHub UI + workflow_dispatch: + inputs: + tag_name: + required: true + type: string + +jobs: + publish: + uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v1.0.0 + with: + draft: false + tag_name: ${{ inputs.tag_name }} + # GitHub repository which is a fork of the upstream where the Pull Request will be opened. + registry_fork: bazel-contrib/bazel-central-registry + attest: false + permissions: + contents: write + secrets: + publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7a25c6eca0..0ed4992ccd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -35,21 +35,37 @@ jobs: uses: actions/checkout@v5 - name: Create release archive and notes run: .github/workflows/create_archive_and_notes.sh - - name: Publish wheel dist - if: github.event_name == 'push' || github.event.inputs.publish_to_pypi - env: - # This special value tells pypi that the user identity is supplied within the token - TWINE_USERNAME: __token__ - # Note, the PYPI_API_TOKEN is for the rules-python pypi user, added by @rickylev on - # https://github.com/bazel-contrib/rules_python/settings/secrets/actions - TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - run: bazel run --stamp --embed_label=${{ github.ref_name }} //python/runfiles:wheel.publish - - name: Release - uses: softprops/action-gh-release@v2 - with: - # Use GH feature to populate the changelog automatically - generate_release_notes: true - body_path: release_notes.txt - prerelease: ${{ contains(github.ref, '-rc') }} - fail_on_unmatched_files: true - files: rules_python-*.tar.gz + + release: + name: Release + uses: softprops/action-gh-release@v2 + with: + # Use GH feature to populate the changelog automatically + generate_release_notes: true + body_path: release_notes.txt + prerelease: ${{ contains(github.ref, '-rc') }} + fail_on_unmatched_files: true + files: rules_python-*.tar.gz + + publish_bcr: + name: Publish to BCR + needs: release + uses: .github/workflows/publish.yaml + with: + tag_name: ${{ github.ref_name }} + secrets: + BCR_PUBLISH_TOKEN: ${{ secrets.BCR_PUBLISH_TOKEN }} + + publish_pypi: + # We just want publish_pypi last, since once uploaded, it can't be changed. + name: Publish runfiles to PyPI + needs: publish_bcr + runs-on: ubuntu-latest + if: github.event_name == 'push' || github.event.inputs.publish_to_pypi + env: + # This special value tells pypi that the user identity is supplied within the token + TWINE_USERNAME: __token__ + # Note, the PYPI_API_TOKEN is for the rules-python pypi user, added by @rickylev on + # https://github.com/bazel-contrib/rules_python/settings/secrets/actions + TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} + run: bazel run --stamp --embed_label=${{ github.ref_name }} //python/runfiles:wheel.publish