From d1ff745e6fbba703e3d73c44bce625359af03a77 Mon Sep 17 00:00:00 2001
From: Pete Gadomski
Date: Tue, 11 Nov 2025 16:55:17 -0700
Subject: [PATCH] feat: use trusted publishing for all releasing
---
 .github/workflows/crates-io.yml | 18 ++++++++
 .github/workflows/npm.yml | 52 ++++++++++++++++++++++
 .github/workflows/{python.yml => pypi.yml} | 5 ++-
 RELEASING.md | 10 ++---
 4 files changed, 76 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/crates-io.yml
 create mode 100644 .github/workflows/npm.yml
 rename .github/workflows/{python.yml => pypi.yml} (98%)
diff --git a/.github/workflows/crates-io.yml b/.github/workflows/crates-io.yml
new file mode 100644
index 0000000..58ffa9a
--- /dev/null
+++ b/.github/workflows/crates-io.yml
@@ -0,0 +1,18 @@
+name: Publish to crates.io
+on:
+ push:
+ tags: ["v*"]
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ environment: crates-io
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/checkout@v5
+ - uses: rust-lang/crates-io-auth-action@v1
+ id: auth
+ - run: cargo publish
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml
new file mode 100644
index 0000000..7b55790
--- /dev/null
+++ b/.github/workflows/npm.yml
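Review bot: In `.github/workflows/crates-io.yml` the `publish` job holds `id-token: write` yet runs `actions/checkout@v5` and `rust-lang/crates-io-auth-action@v1` by mutable tag, so a moved tag would run unreviewed code in the job that mints the crates.io publish token. Pin both to a full commit SHA, e.g. `uses: rust-lang/crates-io-auth-action@<full-commit-sha> # v1`, and set `persist-credentials: false` under `with:` on the checkout step; the same pinning applies to the actions in `npm.yml`. Separately, the RELEASING.md step this patch removes published `cql2` and then `cql2-cli`, while this job runs a bare `cargo publish`. If both crates are still meant to ship, the step probably needs explicit `-p` invocations in that order; confirm against the workspace layout, which this patch does not show.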
@@ -0,0 +1,52 @@
+name: npm
+
+on:
+ push:
+ tags:
+ - "v*"
+
+jobs:
+ build:
+ name: Build WASM package
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v5
+ - uses: Swatinem/rust-cache@v2
+ - name: Install wasm-pack
+ uses: jetli/wasm-pack-action@v0.4.0
+ with:
+ version: "latest"
+ - name: Build WASM for npm
+ run: wasm-pack build --target web --out-dir pkg wasm
+ - name: Upload package
+ uses: actions/upload-artifact@v5
+ with:
+ name: npm-package
+ path: wasm/pkg
+
+ publish:
+ name: Publish to npm
+ runs-on: ubuntu-latest
+ needs: build
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+ environment:
+ name: npm
+ url: https://www.npmjs.com/package/cql2-wasm
+ steps:
+ - uses: actions/download-artifact@v6
+ with:
+ name: npm-package
+ path: package
+ - uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-path: "package/*"
+ - name: Publish to npm
+ working-directory: package
+ run: npm publish --provenance --access public
diff --git a/.github/workflows/python.yml b/.github/workflows/pypi.yml
similarity index 98%
rename from .github/workflows/python.yml
rename to .github/workflows/pypi.yml
index 7a4da26..4535559 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/pypi.yml
@@ -148,6 +148,9 @@ jobs:
 id-token: write
 contents: write
 attestations: write
+ environment:
+ name: pypi
+ url: https://pypi.org/project/cql2/
 steps:
 - uses: actions/download-artifact@v6
 - name: Generate artifact attestation
@@ -157,8 +160,6 @@ jobs:
 - name: Publish to PyPI
 if: startsWith(github.ref, 'refs/tags/')
 uses: PyO3/maturin-action@v1
- env:
- MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
 with:
 command: upload
 args: --non-interactive --skip-existing wheels-*/*
diff --git a/RELEASING.md b/RELEASING.md
index 52a7aac..7f00b3b 100644
--- a/RELEASING.md
+++ b/RELEASING.md
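Review bot: The `build` job in `npm.yml` produces the bytes that `publish` later attests and ships, but it installs wasm-pack with `version: "latest"`, restores a shared `Swatinem/rust-cache@v2` cache, and has no `permissions:` block, so the provenance vouches for an artifact whose build inputs are not fixed. Pin the tool (`version: "<pinned wasm-pack version>"`), give the job a `permissions:` block with `contents: read`, and consider dropping the cache step from the release path so a cache written by another run cannot influence a published package. In `publish`, `node-version: "20"` brings an npm 10.x CLI, while npm's trusted publishing needs npm 11.5.1 or newer as far as I know. With no token configured the `npm publish` step would then fail to authenticate, so install a pinned npm of at least that version before publishing or use a Node release that bundles one.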
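Review bot: Removing `MATURIN_PYPI_TOKEN` from the "Publish to PyPI" step (second `pypi.yml` hunk) stops the workflow from using the long-lived token but does not invalidate it. `PYPI_API_TOKEN` remains a valid upload credential until it is revoked on PyPI and deleted from the repository secrets, and nothing in this patch or in RELEASING.md records that step. The first hunk's `environment:` with `name: pypi` only constrains publishing if the PyPI trusted-publisher entry names that environment and the environment has protection rules (required reviewers or a tag-only deployment rule); that configuration is outside the diff, so confirm it. The job also keeps `contents: write` next to `id-token: write`; if nothing in the job, which starts outside these hunks, creates a release or pushes, `contents: read` would be enough.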
@@ -1,15 +1,11 @@
 # Releasing
 
-Setup:
-
-- Install [cargo-release](https://github.com/crate-ci/cargo-release): `cargo install cargo-release`
-
-Then:
-
 1. Create a new branch: `release/vX.Y.Z`
 2. Update the version in `Cargo.toml`
 3. Update the CHANGELOG
 4. Update each README
 5. Open a PR
 6. Once approved, merge the PR
-7. `cargo release -p cql2 --execute`, then `cargo release -p cql2-cli --execute`
+7. `git tag -s vX.Y.Z`
+8. `git push origin vX.Y.Z`
+9. Create a new [release](https://github.com/developmentseed/cql2-rs/releases) for your tag