Skip to content
Build, test, release, upload, and publish Python app

chore(deps): bump pypa/gh-action-pypi-publish 1.8.12 to 1.8.14 (#72) #39

Sign in to view logs

chore(deps): bump pypa/gh-action-pypi-publish 1.8.12 to 1.8.14 (#72)

chore(deps): bump pypa/gh-action-pypi-publish 1.8.12 to 1.8.14 (#72) #39

Workflow file for this run

.github/workflows/python-app.yaml at e3b3c3e
# This workflow installs Python dependencies, runs tests, builds a release.
# For tagged pushes, it also creates a release, uploads build artifacts to the
# GitHub release, and publishes it to PyPI.
# Originally from:
# https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
name: 'Build, test, release, upload, and publish Python app'
env:
OUTPUT: dist/release-notes.md
on:
push:
branches: ['main']
pull_request:
branches: ['main']
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-22.04
outputs:
commit-tag: '${{ steps.envs.outputs.commit-tag }}'
dist-artifact-name: '${{ steps.envs.outputs.artifact-name }}'
steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
pypi.org:443
- name: 'Checkout repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: 'Install Poetry'
run: 'pipx install poetry'
- name: 'Set up Python'
id: setup-python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: '>=3.9 <3.13'
cache: 'poetry'
- name: 'Get tag-based commit name'
id: envs
run: |
TAG=$(git describe --tags) && echo "commit-tag=$TAG" | tee -a "$GITHUB_OUTPUT" >>"$GITHUB_ENV"
echo 'python-version=${{ steps.setup-python.outputs.python-version }}' >>"$GITHUB_ENV"
echo 'artifact-name=dist-reliabot-${{ env.commit-tag }}-${{ env.python-version }}' >>"$GITHUB_OUTPUT"
shell: bash
- name: 'Build distribution packages'
run: 'poetry build'
- name: 'Generate release notes'
if: "${{ startsWith(github.ref, 'refs/tags/') }}"
uses: orhun/git-cliff-action@8b17108aad4d9362649a5dae020746c2a767c90d # v3.0.2
with:
args: '--latest'
config: release.toml
- name: 'Generate "unreleased" notes'
if: "${{ ! startsWith(github.ref, 'refs/tags/') }}"
uses: orhun/git-cliff-action@8b17108aad4d9362649a5dae020746c2a767c90d # v3.0.2
with:
args: '--unreleased'
config: release.toml
- name: 'Upload distribution package as an artifact'
id: upload-artifact
if: github.repository == 'dupuy/reliabot'
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
if-no-files-found: error
name: '${{ steps.envs.outputs.artifact-name }}'
overwrite: true
path: 'dist/*'
retention-days: 14
test:
runs-on: ubuntu-22.04
strategy:
matrix:
fail-fast: [true]
max-concurrency: [5]
python-version:
- '3.8'
- '3.9'
- '3.10'
- '3.11'
- '3.12'
steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
pypi.org:443
- name: 'Checkout repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 1
fetch-tags: false
persist-credentials: false
- name: 'Install Poetry'
run: 'pipx install poetry'
- name: 'Set up Python'
id: setup-python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: '${{ matrix.python-version }}'
cache: 'poetry'
- name: 'Install dependencies'
run: 'poetry install --extras re2-wheels --with testing'
- name: 'Run tests with coverage'
run: 'poetry run tox -e py'
draft-release:
runs-on: ubuntu-22.04
if: github.repository == 'dupuy/reliabot'
needs:
- build
- test
outputs:
commit-tag: '${{ needs.build.outputs.commit-tag }}'
dist-artifact-name: '${{ needs.build.outputs.dist-artifact-name }}'
permissions:
contents: write
steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
api.github.com:443
uploads.github.com:443
- name: 'Download release artifacts'
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: '${{ needs.build.outputs.dist-artifact-name }}'
path: dist/
- name: 'Create draft pre-release and upload artifacts'
if: "${{ contains(needs.build.outputs.commit-tag, '-') }}"
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
allowUpdates: true
artifactErrorsFailBuild: true
artifacts: dist/*
bodyFile: '${{ env.OUTPUT }}'
draft: true
name: 'Pre-release ${{ needs.build.outputs.commit-tag }}'
prerelease: true
tag: '${{ github.ref }}'
updateOnlyUnreleased: true
- name: 'Create draft release and upload artifacts'
if: "${{ ! contains(needs.build.outputs.commit-tag, '-') }}"
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
allowUpdates: true
artifactErrorsFailBuild: true
artifacts: dist/*
bodyFile: '${{ env.OUTPUT }}'
draft: true
name: 'Release ${{ needs.build.outputs.commit-tag }}'
prerelease: false
tag: '${{ github.ref }}'
updateOnlyUnreleased: true
test-publish:
runs-on: ubuntu-22.04
if: "${{ github.repository == 'dupuy/reliabot' && contains(github.ref, '-') }}"
needs:
- build # does not require 'test' matrix to pass
environment:
name: test-pypi
url: https://test.pypi.org/p/reliabot
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
upload.pypi.org:443
- name: 'Download release artifacts'
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: '${{ needs.build.outputs.dist-artifact-name }}'
path: dist/
- name: 'Publish pre-release to TestPyPI'
uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
publish:
runs-on: ubuntu-22.04
if: "${{ github.repository == 'dupuy/reliabot' && startsWith(github.ref, 'refs/tags/') && ! contains(github.ref, '-') }}"
needs:
- draft-release
- test
environment:
name: pypi
url: https://pypi.org/p/reliabot
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
upload.pypi.org:443
- name: 'Download release artifacts'
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: '${{ needs.draft-release.outputs.dist-artifact-name }}'
path: dist/
- name: 'Publish release to PyPI'
uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
test-release:
runs-on: ubuntu-22.04
needs:
- draft-release
- test-publish
steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
api.github.com:443
- name: 'Publish GitHub (pre-)release'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
allowUpdates: true
draft: false
omitBodyDuringUpdate: true
omitNameDuringUpdate: true
prerelease: true
replacesArtifacts: false
tag: '${{ github.ref }}'
release:
runs-on: ubuntu-22.04
needs:
- draft-release
- publish
steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
api.github.com:443
- name: 'Publish GitHub release'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
allowUpdates: true
draft: false
omitBodyDuringUpdate: true
omitNameDuringUpdate: true
prerelease: false
replacesArtifacts: false
tag: '${{ github.ref }}'
updateOnlyUnreleased: true