[DO NOT MERGE] CI test tweaks #20
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish release | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| environment: | ||
| type: environment | ||
| push: | ||
| branches: [ "ci/*", "ci-*" ] | ||
| jobs: | ||
| ci: | ||
| name: Run CI pipeline | ||
| uses: MatthiasValvekens/pyHanko/.github/workflows/build-pipeline.yml@ci/slsa | ||
|
Check failure on line 13 in .github/workflows/release.yml
|
||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| extract-params: | ||
| name: Determine release parameters | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| publish-env: ${{ steps.setenv.outputs.envname }} | ||
| release-version: ${{ steps.getversion.outputs.version }} | ||
| steps: | ||
| - id: setenv | ||
| run: | | ||
| if [[ $GITHUB_EVENT_NAME == 'release' ]]; then | ||
| echo envname=release >> "$GITHUB_OUTPUT" | ||
| elif [[ $GITHUB_EVENT_NAME == 'push' ]]; then | ||
| # at times it may be convenient to temporarily turn on release-on-push | ||
| # for testing purposes, so leaving this line in helps make that smoother | ||
| echo envname=test-release >> "$GITHUB_OUTPUT" | ||
| elif [[ $GITHUB_EVENT_NAME == 'workflow_dispatch' ]]; then | ||
| echo "envname=${{ inputs.environment }}" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "Cannot run release workflow for trigger event $GITHUB_EVENT_NAME" | ||
| exit 1 | ||
| fi | ||
| cat "$GITHUB_OUTPUT" | ||
| - uses: actions/checkout@v3 | ||
| - name: Get version information | ||
| id: getversion | ||
| run: | | ||
| set -eo pipefail | ||
| grep __version__ < pyhanko/version.py \ | ||
| | sed "s/__version__ = '\(.*\)'/version=\1/" >> "$GITHUB_OUTPUT" | ||
| - name: Generate release body | ||
| run: | | ||
| sed "s/:VERSION/$VERSION/g" < .github/gh-release-template.md > release.md | ||
| cat release.md | ||
| env: | ||
| VERSION: ${{ steps.getversion.outputs.version }} | ||
| - name: Upload release body | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: release-body | ||
| path: release.md | ||
| provenance: | ||
| name: Generate SLSA provenance data | ||
| needs: [ci] | ||
| permissions: | ||
| actions: read | ||
| id-token: write | ||
| contents: write # https://github.com/slsa-framework/slsa-github-generator/issues/2044 :( | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
| with: | ||
| base64-subjects: ${{ needs.ci.outputs.hashes }} | ||
| upload-assets: false | ||
| provenance-name: provenance.intoto.jsonl | ||
| publish: | ||
| name: Publish release artifacts | ||
| needs: [ci, extract-params, provenance] | ||
| runs-on: ubuntu-latest | ||
| environment: ${{ needs.extract-params.outputs.publish-env }} | ||
| permissions: | ||
| # we use PyPI's trusted publisher model -> expose identity token | ||
| id-token: write | ||
| # we want to add sigstore's artifacts to the release on GitHub | ||
| contents: write | ||
| discussions: write | ||
| steps: | ||
| - name: Download dist artifacts | ||
| uses: actions/download-artifact@v3 | ||
| with: | ||
| name: pyhanko-dist | ||
| path: dist/ | ||
| - name: Download provenance data | ||
| uses: actions/download-artifact@v3 | ||
| with: | ||
| name: provenance.intoto.jsonl | ||
| path: provenance/ | ||
| - name: Download release body | ||
| uses: actions/download-artifact@v3 | ||
| with: | ||
| name: release-body | ||
| path: release-body | ||
| - name: Upload to PyPI | ||
| uses: pypa/gh-action-pypi-publish@release/v1 | ||
| with: | ||
| repository-url: ${{ vars.REPOSITORY_URL }} | ||
| - name: Sign with sigstore | ||
| uses: sigstore/[email protected] | ||
| with: | ||
| inputs: ./dist/* | ||
| # useful to inspect workflow artifacts in test runs | ||
| upload-signing-artifacts: true | ||
| # Append only the .sigstore bundle, | ||
| # the .sig suffix conflicts with my own GPG signatures | ||
| bundle-only: true | ||
| - name: Create GitHub release | ||
| if: needs.extract-params.outputs.publish-env == 'release' && startsWith(github.ref, 'refs/tags/') | ||
| uses: softprops/action-gh-release@v1 | ||
| with: | ||
| files: | | ||
| dist/*.whl | ||
| dist/*.tar.gz | ||
| dist/*.sigstore | ||
| provenance/provenance.intoto.jsonl | ||
| body_path: release-body/release.md | ||
| fail_on_unmatched_files: true | ||
| discussion_category_name: Announcements | ||
| prerelease: true | ||
| name: pyHanko ${{ needs.extract-params.outputs.release-version }} beta | ||
