Prod Release for pantos-io/client-cli - 1.1.2 #4
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Workflow | |
| run-name: ${{ (github.event.release.prerelease && 'Beta') || 'Prod'}} Release for ${{ github.repository }} - ${{ github.event.release.tag_name }} | |
| on: | |
| release: | |
| # Triggered on Pre-Releases and Releases | |
| types: [released, prereleased] | |
| # Only allow one release at the time | |
| concurrency: | |
| group: deploy-${{ github.repository }}-release-${{ github.event.release.prerelease }} | |
| jobs: | |
| define-environment: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.get-environment.outputs.version }} | |
| steps: | |
| - uses: step-security/harden-runner@v2 | |
| with: | |
| disable-sudo: true | |
| egress-policy: audit | |
| - name: Configure Environment | |
| id: get-environment | |
| run: | | |
| wget -O /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver | |
| chmod +x /usr/local/bin/semver | |
| if [[ $(semver validate ${{ github.event.release.tag_name }}) == "invalid" ]]; then | |
| echo "::error title=Invalid Release::Release must be tagged with a valid SemVer version" | |
| exit 1 | |
| fi | |
| echo "version=$(semver get release ${{ github.event.release.tag_name }})" >> $GITHUB_OUTPUT | |
| build: | |
| name: Build Package | |
| needs: define-environment | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: step-security/harden-runner@v2 | |
| with: | |
| disable-sudo: true | |
| egress-policy: audit | |
| - uses: actions/checkout@v4 | |
| - uses: pantos-io/ci-workflows/.github/actions/install-poetry@v1 | |
| - name: Build package | |
| run: | | |
| make check-version VERSION=${{ needs.define-environment.outputs.version }} | |
| make build | |
| - name: Freeze dependencies | |
| run: | | |
| poetry self add poetry-plugin-freeze | |
| poetry freeze-wheel | |
| # Copy the file "METADATA" from the wheel to "PKG-INFO" in the sdist | |
| # Unzip wheel and sdist | |
| mkdir tmp | |
| cp dist/*.whl tmp/wheel.zip | |
| unzip tmp/wheel.zip -d tmp/wheel/ | |
| # Untar sdist | |
| mkdir tmp/sdist | |
| tar -xzf dist/*.tar.gz -C tmp/sdist/ | |
| # Copy the file | |
| cp tmp/wheel/*.dist-info/METADATA tmp/sdist/*/PKG-INFO | |
| # Tar the sdist again | |
| tar -czf dist/$(ls dist | grep .tar.gz) -C tmp/sdist/ . | |
| # Remove the temporary directories | |
| rm -rf tmp | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build | |
| path: dist | |
| publish-pypi: | |
| name: Publish to PyPi | |
| needs: [define-environment, build] | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: pypi | |
| url: https://pypi.org/project/pantos-${{ github.repository }}/${{ needs.define-environment.outputs.version }} | |
| permissions: | |
| id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | |
| steps: | |
| - uses: step-security/harden-runner@v2 | |
| with: | |
| disable-sudo: true | |
| egress-policy: audit | |
| - name: Download build artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: build | |
| path: dist | |
| - name: Publish package distributions to PyPi | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| print-hash: true | |
| repository-url: 'https://upload.pypi.org/legacy/' | |
| add-assets: | |
| name: Add Assets to the ${{ github.event.release.tag_name }} Release | |
| needs: build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - uses: step-security/harden-runner@v2 | |
| with: | |
| disable-sudo: true | |
| egress-policy: audit | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: build | |
| path: dist | |
| - name: List directory | |
| run: | | |
| mkdir -p release | |
| cp dist/*.whl release/ | |
| - uses: sigstore/gh-action-sigstore-python@v2.1.1 | |
| with: | |
| inputs: release/* | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: signed-build | |
| path: release/*.whl | |
| - name: Upload release assets | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| file: "./release/*" | |
| file_glob: true | |
| overwrite: true | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| tag: ${{ github.event.release.tag_name }} | |
| - uses: robinraju/release-downloader@v1.9 | |
| name: Download tarball | |
| with: | |
| tag: ${{ github.event.release.tag_name }} | |
| tarBall: true | |
| zipBall: true | |
| fileName: '*' | |
| out-file-path: external-release | |
| preRelease: ${{ github.event.release.prerelease }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| repository: ${{ github.repository }} | |
| - name: List directory | |
| run: | | |
| ls -lha external-release | |
| # Remove all the files in external-release that are also present in release | |
| for file in $(ls release); do | |
| rm -f external-release/$file | |
| done | |
| - uses: sigstore/gh-action-sigstore-python@v2.1.1 | |
| with: | |
| inputs: external-release/* | |
| - name: Upload signed source code | |
| uses: ncipollo/release-action@v1 | |
| with: | |
| artifacts: "./external-release/*" | |
| artifactErrorsFailBuild: true | |
| allowUpdates: true | |
| tag: ${{ github.event.release.tag_name }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |