From 7be0d6489c3ba19d02bec89cec31670cea33cfac Mon Sep 17 00:00:00 2001 From: tr4nt0r <4445816+tr4nt0r@users.noreply.github.com> Date: Tue, 10 Jun 2025 13:46:38 +0200 Subject: [PATCH] Update release workflow --- .github/workflows/build.yml | 75 +++++++++++++++++++++++++++++++++++ .github/workflows/publish.yml | 38 ------------------ 2 files changed, 75 insertions(+), 38 deletions(-) create mode 100644 .github/workflows/build.yml delete mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..2b06458 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,75 @@ +name: Build + +on: [push, pull_request] + +jobs: + test: + strategy: + matrix: + os: [windows-latest, ubuntu-latest, macos-latest] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v4 + - name: Install dependencies + run: pipx install hatch + - name: Lint and typecheck + run: | + hatch run lint-check + - name: Test + run: | + hatch test --all + + - uses: codecov/codecov-action@v5 + with: + token: ${{ secrets.CODECOV_TOKEN }} + fail_ci_if_error: true + verbose: true + + release: + runs-on: ubuntu-latest + environment: release + needs: test + if: startsWith(github.ref, 'refs/tags/') + permissions: + contents: write + id-token: write + + steps: + - uses: actions/checkout@v4 + - name: Install dependencies + shell: bash + run: pipx install hatch + - name: mint API token + id: mint-token + run: | + # retrieve the ambient OIDC token + resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ + "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi") + oidc_token=$(jq -r '.value' <<< "${resp}") + + # exchange the OIDC token for an API token + resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}") + api_token=$(jq -r '.token' <<< "${resp}") + + # mask the newly minted API token, so that we don't accidentally leak it + echo "::add-mask::${api_token}" + + # see the next step in the workflow for an example of using this step output + echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}" + - name: Build and publish on PyPI + env: + HATCH_INDEX_USER: __token__ + HATCH_INDEX_AUTH: ${{ steps.mint-token.outputs.api-token }} + run: | + hatch build + hatch publish + - name: Create release + uses: ncipollo/release-action@v1 + with: + draft: true + body: ${{ github.event.head_commit.message }} + allowUpdates: true + omitBodyDuringUpdate: true + updateOnlyUnreleased: true + artifacts: dist/*.whl,dist/*.tar.gz + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml deleted file mode 100644 index f9c4eb8..0000000 --- a/.github/workflows/publish.yml +++ /dev/null @@ -1,38 +0,0 @@ -name: Publish Python 🐍 distributions 📦 to PyPI and TestPyPI - -on: push - -jobs: - build-n-publish: - name: Build and publish Python 🐍 distributions 📦 to PyPI and TestPyPI - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - name: Set up Python 3.10 - uses: actions/setup-python@v3 - with: - python-version: "3.10" - - name: Install pypa/build - run: >- - python -m - pip install - build - --user - - name: Build a binary wheel and a source tarball - run: >- - python -m - build - --sdist - --wheel - --outdir dist/ - . - - name: Publish distribution 📦 to Test PyPI - uses: pypa/gh-action-pypi-publish@master - with: - password: ${{ secrets.TEST_PYPI_API_TOKEN }} - repository_url: https://test.pypi.org/legacy/ - - name: Publish distribution 📦 to PyPI - if: startsWith(github.ref, 'refs/tags') - uses: pypa/gh-action-pypi-publish@master - with: - password: ${{ secrets.PYPI_API_TOKEN }} \ No newline at end of file