Skip to content

Merge pull request #305 from tpvasconcelos/contrib #325

Merge pull request #305 from tpvasconcelos/contrib

Merge pull request #305 from tpvasconcelos/contrib #325

Workflow file for this run

# This workflow automates the build, publish, and release process for the Python 🐍 package 📦
#
# It builds both source (sdist) and binary (wheel) distributions,
# on every tag push to the main branch, or pull request event.
#
# If the event is a push to the main branch, the distributions
# are published to TestPyPI. This should be a good indicator
# that the build and publishing process is always working
# correctly, as opposed to only finding out when we try
# to actually publish a new release to the real PyPI.
#
# Only when a new tag push, the distributions are then published to
# the "real" PyPI, and a new GitHub Release is created containing
# the latest release notes and Sigstore-certified distributions.
#
name: Release workflow 🚀
on:
push:
branches: [ main ]
tags: [ '*' ]
pull_request:
types: [ opened, synchronize, reopened ]
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}
cancel-in-progress: true
jobs:
build:
name: Build distributions
runs-on: ubuntu-latest
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
with:
# TODO: This can be very expensive for large repos. Is there a better way to do this?
# Fetch all history and tags for setuptools_scm to work
fetch-depth: 0
- uses: ./.github/actions/setup-python
with:
python-version: "3.9"
requirements: tox
- name: Build source (sdist) and binary (wheel) distributions
run: tox -e build-dists
- uses: actions/upload-artifact@v4
with:
name: python-package-distributions
path: dist/
publish-to-testpypi:
name: Publish distribution to TestPyPI
if: github.ref == 'refs/heads/main'
needs:
- build
runs-on: ubuntu-latest
timeout-minutes: 2
environment:
name: testpypi
url: https://test.pypi.org/p/ridgeplot
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
verbose: true
print-hash: true
publish-to-pypi:
name: Publish distribution to PyPI
if: startsWith(github.ref, 'refs/tags/')
needs:
- build
runs-on: ubuntu-latest
timeout-minutes: 2
environment:
name: pypi
url: https://pypi.org/p/ridgeplot
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
steps:
- uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- uses: pypa/gh-action-pypi-publish@release/v1
with:
verbose: true
print-hash: true
github-release:
name: Publish a GitHub Release
needs:
- publish-to-pypi
runs-on: ubuntu-latest
timeout-minutes: 2
permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
id-token: write # IMPORTANT: mandatory for sigstore
steps:
# Generate the release notes
- uses: actions/checkout@v4
with:
# TODO: This can be very expensive for large repos. Is there a better way to do this?
# Fetch all history and tags for setuptools_scm to work
fetch-depth: 0
- uses: ./.github/actions/setup-python
with:
python-version: "3.9"
requirements: tox
- name: Generate release notes
run: tox -e release-notes
# Sign the package distributions with Sigstore
# https://github.com/marketplace/actions/gh-action-sigstore-python
- uses: actions/download-artifact@v4
with:
name: python-package-distributions
path: dist/
- name: Sign the dists with Sigstore
uses: sigstore/gh-action-sigstore-python@v3.0.0
with:
inputs: >-
./dist/*.tar.gz
./dist/*.whl
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
body_path: LATEST_RELEASE_NOTES.md
# `dist/` contains the built distributions, and the
# Sigstore-produced signatures and certificates.
files: dist/**