chore(deps): update github/codeql-action action to v3.28.0 #28877
Workflow file for this run
# Copyright © Michal Čihař <[email protected]>
#
# SPDX-License-Identifier: GPL-3.0-or-later

# Builds the distribution packages, checks them and, for release tags,
# publishes them.
name: Distribution

on:
  push:
    # Pushes to these branches do not start a run.
    branches-ignore:
      - deepsource-fix-**
      - renovate/**
      - weblate
    # Tag pushes matching this pattern start a run; the signing and publish
    # steps additionally test the ref in their own `if:` conditions.
    tags:
      - weblate-*
  # No filters: every pull request event of the default activity types.
  pull_request:

# Workflow-wide default for GITHUB_TOKEN. A job that declares its own
# `permissions` block gets only the scopes it lists there.
permissions:
  contents: read
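# NOTE(review): every `uses:` below references a mutable tag. Several jobs
# hold `id-token: write` or `contents: write`, so pinning each action to a
# full commit SHA (tag kept as a trailing comment) would stop a moved tag from
# changing what runs with those scopes. The SHAs are not shown on this page.
jobs:
  # Build sdist and wheel; on release tags also sign and attest them.
  dist:
    runs-on: ubuntu-24.04
    name: Build packages
    env:
      PYTHONUNBUFFERED: 1
      PYTHONWARNINGS: default,ignore:unclosed:ResourceWarning
    # NOTE(review): these scopes apply to every run of this job, including the
    # `uv build` step that runs the project's build backend, although only the
    # tag-gated signing and attestation steps use them. Signing in a separate
    # job that only downloads the built artifact would keep the OIDC scope
    # away from build code.
    permissions:
      # Needed for Sigstore
      id-token: write
      # Needed for attestations
      attestations: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config for the steps that follow.
          persist-credentials: false
      - uses: astral-sh/setup-uv@v5
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - name: build
        run: |
          echo "::add-matcher::.github/matchers/setuptools.json"
          uv build
          echo "::remove-matcher owner=setuptools::"
      - name: Sign the dists with Sigstore
        if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/weblate')
        # NOTE(review): the action reference below was mangled by the page's
        # e-mail obfuscation (the text around "@" is replaced); restore the
        # real `owner/repo@ref` from the repository before using this file.
        uses: sigstore/[email protected]
        with:
          inputs: dist/*
      - name: Attest
        if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/weblate')
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/*
      - uses: actions/upload-artifact@v4
        with:
          path: dist/*
          name: dist

  # Run packaging linters against the artifacts produced by `dist`.
  lint:
    runs-on: ubuntu-24.04
    name: Lint packages
    env:
      PYTHONUNBUFFERED: 1
    needs:
      - dist
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config for the steps that follow.
          persist-credentials: false
      - name: Install apt dependencies
        run: sudo ./ci/apt-install
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true
          cache-dependency-glob: ''
          cache-suffix: '3.13'
      - uses: actions/download-artifact@v4
      - name: Cleanup dist
        # Remove files not supported on PyPI (eg. Sigstore signatures)
        run: find dist -mindepth 1 -not -name '*.tar.gz' -not -name '*.whl' -delete
      - name: list wheel
        run: unzip -l dist/*.whl
      - name: list sdist
        run: tar tvf dist/*.tar.gz
      # NOTE(review): the `uvx` tools below carry no version pin, so the
      # release that runs is whatever resolves at run time.
      - name: twine check
        run: uvx twine check --strict dist/*
      - name: pydistcheck
        run: uvx pydistcheck --inspect dist/*
      - name: pyroma
        run: uvx pyroma dist/*.tar.gz
      - name: check-wheel-contents
        run: uvx check-wheel-contents dist/*.whl
      - name: check-manifest
        run: uvx check-manifest -v
      - name: install
        # Smoke test: the wheel must install into a fresh virtualenv.
        run: |
          uv venv .venv-install
          source .venv-install/bin/activate
          uv pip install dist/*.whl

  # Build the docs and convert the release notes to HTML and Markdown.
  notes:
    runs-on: ubuntu-24.04
    name: Build release notes
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config for the steps that follow.
          persist-credentials: false
      - uses: astral-sh/setup-uv@v5
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - name: Install apt dependencies
        run: |
          sudo apt update
          sudo apt install -y graphviz pandoc
      - name: Install Python dependencies
        run: uv sync --no-sources --only-group docs --frozen
      - name: Sphinx build
        run: |
          . .venv/bin/activate
          ./ci/run-docs
      - name: Convert release notes
        # Reads VERSION from weblate/utils/version.py, writes a temporary Lua
        # filter with "latest" replaced by "weblate-<version>", then converts
        # the extracted HTML notes to GitHub-flavoured Markdown with pandoc.
        run: |
          version=$(sed -n '/^VERSION =/ s/.*"\(.*\)"/\1/p' weblate/utils/version.py)
          namever="weblate-$version"
          sed "s/latest/$namever/" < scripts/release-notes-filter.lua > scripts/release-notes-filter.version.lua
          mkdir dist
          ./scripts/extract-release-notes > "dist/Weblate-$version.html"
          pandoc "dist/Weblate-$version.html" --write=gfm --wrap=none --lua-filter=scripts/release-notes-filter.version.lua -o "dist/Weblate-$version.md"
          rm scripts/release-notes-filter.version.lua
      - uses: actions/upload-artifact@v4
        with:
          path: dist/*
          name: notes

  # Upload the checked packages to PyPI; runs for release tag pushes only.
  publish_pypi:
    name: Publish to PyPI
    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/weblate')
    # NOTE(review): no `environment:` is set on this job. If the PyPI trusted
    # publisher is not restricted to an environment, any job in this workflow
    # file that holds `id-token: write` can obtain a token PyPI accepts;
    # confirm the publisher configuration.
    permissions:
      # this permission is mandatory for trusted publishing
      id-token: write
    needs:
      - notes
      - dist
      - lint
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/download-artifact@v4
      - name: Cleanup dist
        # Remove files not supported on PyPI (eg. Sigstore signatures)
        run: find dist -mindepth 1 -not -name '*.tar.gz' -not -name '*.whl' -delete
      - uses: astral-sh/setup-uv@v5
      - run: uv publish --trusted-publishing always

  # Create the GitHub release; runs for release tag pushes only.
  publish_github:
    name: Publish to GitHub
    if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/weblate')
    permissions:
      # this permission is mandatory for creating a release
      contents: write
    needs:
      - notes
      - dist
      - lint
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/download-artifact@v4
      - name: Extract notes body
        # The body starts at line 3 of the converted notes; line 1 is the
        # title, read by the next step.
        run: tail -n+3 notes/Weblate-*.md > notes.md
      - name: Extract notes title
        id: get-name
        # The substitution is quoted so the shell neither word-splits nor
        # glob-expands the title, and the line is appended (`>>`) so the
        # output file is not truncated.
        run: echo "name=$(head -n1 notes/Weblate-*.md)" >> "$GITHUB_OUTPUT"
      - uses: ncipollo/release-action@v1
        with:
          artifacts: dist/*
          bodyFile: notes.md
          name: ${{ steps.get-name.outputs.name }}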