
chore: do not upload attestation for pushes to main branch #3


Workflow file for this run

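name: Publish

on:
  push:
    branches:
      # we publish to Test PyPI on pushes to the main branch
      - "main"
    tags:
      - "v*"

env:
  REGISTRY: 'ghcr.io'
  IMAGE_NAME: ${{ github.repository }}
  PYTHON_VERSION: '3.12'
  POETRY_VERSION: '1.8.4'

# Workflow-wide default is read-only; each job below requests only the scopes it needs.
# Note that a job-level `permissions:` block replaces (not extends) this default.
permissions:
  contents: read

concurrency:
  group: publish-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

jobs:
  # Derives the release tag and version once so every downstream job agrees on them.
  # All other jobs `needs:` this one, so its `if:` also gates them (nothing is
  # published from forks).
  prepare:
    if: github.repository == 'eclipse-csi/otterdog'
    runs-on: ubuntu-22.04
    outputs:
      release-tag: ${{ steps.context.outputs.RELEASE_TAG }}
      release-version: ${{ steps.context.outputs.RELEASE_VERSION }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Only pyproject.toml is read here; no later step needs the repo token.
          persist-credentials: false
      - name: "Setup context"
        id: context
        shell: bash
        # Read the ref from the GITHUB_REF / GITHUB_REF_NAME environment variables
        # instead of interpolating `${{ github.ref_name }}` into the script: a branch
        # or tag name is text chosen by whoever pushed it, and expression interpolation
        # would splice it into the shell source (script injection). As env vars it is
        # plain data.
        run: |
          if [[ "$GITHUB_REF" =~ ^refs/heads/.* ]]; then
            echo "RELEASE_TAG=$GITHUB_REF_NAME" >> "$GITHUB_OUTPUT"
            # extract the current version from the pyproject.toml and replace .devN with -SNAPSHOT
            # (the dot is escaped so only a literal ".devN" suffix is rewritten)
            VERSION=$(grep -m 1 version pyproject.toml | tr -s ' ' | tr -d '"' | tr -d "'" | cut -d' ' -f3 | sed 's/\.dev[0-9]*/-SNAPSHOT/')
            echo "RELEASE_VERSION=$VERSION" >> "$GITHUB_OUTPUT"
          else
            echo "RELEASE_TAG=$GITHUB_REF_NAME" >> "$GITHUB_OUTPUT"
            # strip only the leading "v" of the tag; `sed 's/v//'` would remove the
            # first "v" anywhere in the name (e.g. "v1.0-preview" -> "1.0-preiew")
            VERSION="${GITHUB_REF_NAME#v}"
            echo "RELEASE_VERSION=$VERSION" >> "$GITHUB_OUTPUT"
          fi

  # Builds the container image and pushes it to GHCR tagged with the release version.
  build-and-push-image:
    runs-on: ubuntu-22.04
    needs: ['prepare']
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Build exactly the commit this run was triggered for. (The previous
          # `needs.release.outputs.release-tag` referenced a job that does not exist,
          # so it silently expanded to an empty ref.) Checking out a branch or tag
          # *name* instead could pick up a commit pushed after the run started.
          ref: ${{ github.sha }}
          # No later step in this job uses git; don't leave the token in .git/config.
          persist-credentials: false
      - name: "Log in to the Container registry"
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: "Extract metadata (tags, labels) for Docker"
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          tags: |
            ${{ needs.prepare.outputs.release-version }}
          labels: |
            org.opencontainers.image.version=${{ needs.prepare.outputs.release-version }}
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      - name: "Build and push Docker image"
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          context: .
          file: docker/Dockerfile
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.prepare.outputs.release-version }}
          labels: ${{ steps.meta.outputs.labels }}

  # Builds the sdist/wheel and exposes their SHA-256 digests as the provenance subjects.
  build-dist:
    runs-on: ubuntu-22.04
    needs: ["prepare"]
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Build the commit this run is for, so the artifacts described by the SLSA
          # provenance below are built from the same commit the run is attached to;
          # a branch/tag name could resolve to a newer commit by the time this job runs.
          ref: ${{ github.sha }}
          # `poetry install` runs dependency/build code; don't leave the token in .git/config.
          persist-credentials: false
      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
        with:
          virtualenvs-in-project: true
          version: ${{ env.POETRY_VERSION }}
      - name: "Install dependencies"
        run: poetry install --only=main
      - name: "Build package"
        run: poetry build
      - name: "Generate hashes"
        id: hash
        # `shell: bash` runs with `-eo pipefail`; assigning the pipeline to a variable
        # first (rather than inside `echo "$(...)"`) makes a failing sha256sum — e.g.
        # an empty dist/ — fail the step instead of handing the provenance job an
        # empty subject list.
        shell: bash
        run: |
          cd dist
          HASHES=$(sha256sum * | base64 -w0)
          echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"
      - name: "Upload dist"
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: "dist"
          path: "dist/"
          if-no-files-found: error
          retention-days: 5

  # Generates SLSA L3 provenance for the dist artifacts (runs for branch and tag pushes).
  provenance:
    needs: ['prepare', 'build-dist']
    permissions:
      actions: read   # read the workflow run details
      contents: write # upload the provenance as a release asset
      id-token: write # Needed to access the workflow's OIDC identity.
    # Referenced by tag rather than commit hash on purpose: the SLSA generator's
    # documentation asks that the reusable workflow be referenced by a release tag.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # ignore: pin
    with:
      base64-subjects: "${{ needs.build-dist.outputs.hashes }}"
      upload-assets: true

  # Tag pushes only: creates the GitHub release with the built dists attached.
  github-publish:
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-22.04
    needs: ['prepare', 'build-dist', 'provenance']
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Only RELEASE_NOTES.md is read; the release action uses the token input, not git.
          persist-credentials: false
      - name: "Download dists"
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: "dist"
          path: "dist/"
      - name: "Extract release notes"
        id: extract-release-notes
        uses: ffurrer2/extract-release-notes@9989ccec43d726ef05aa1cd7b2854fb96b6df6ab # v2.2.0
        with:
          release_notes_file: RELEASE_NOTES.md
      - name: "Create GitHub release"
        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
        with:
          name: "Otterdog ${{ needs.prepare.outputs.release-tag }}"
          tag_name: "${{ needs.prepare.outputs.release-tag }}"
          body_path: RELEASE_NOTES.md
          draft: false
          prerelease: false
          generate_release_notes: false
          make_latest: true
          files: dist/*

  # Tag pushes only: trusted (OIDC) publishing to PyPI; no long-lived API token involved.
  pypi-publish:
    name: "Publish to PyPI"
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-22.04
    needs: ['build-dist', 'provenance']
    environment:
      name: pypi
      url: https://pypi.org/p/otterdog
    permissions:
      id-token: write # OIDC token for PyPI trusted publishing
    steps:
      - name: "Download dists"
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: "dist"
          path: "dist/"
      - name: "Publish dists to PyPI"
        uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # v1.11.0
        with:
          attestations: true

  # Branch pushes only (i.e. main, per the trigger): trusted publishing to Test PyPI.
  test-pypi-publish:
    name: "Publish to Test PyPI"
    if: startsWith(github.ref, 'refs/heads/')
    runs-on: ubuntu-22.04
    needs: ['build-dist', 'provenance']
    environment:
      name: test-pypi
    permissions:
      id-token: write # OIDC token for Test PyPI trusted publishing
    steps:
      - name: "Download dists"
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: "dist"
          path: "dist/"
      - name: "Publish dists to Test PyPI"
        uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # v1.11.0
        with:
          repository-url: https://test.pypi.org/legacy/
          attestations: true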