
ci: add checks write permission to codeql workflow (#8) #8

ci: add checks write permission to codeql workflow (#8)


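# Release pipeline: release-please cuts the release (or a manual dispatch
# forces one from an existing tag), wheels and an sdist are built from the
# resulting tag, and the publish job uploads to PyPI through OIDC trusted
# publishing, so no long-lived PyPI token lives in repository secrets.
#
# NOTE(review): every third-party action below is referenced by a mutable
# tag or branch (e.g. @v4, @release/v1). Pinning to a full commit SHA (with
# the tag in a trailing comment) protects against tag retargeting; the
# publish job is the highest-value target because it mints the OIDC token.
name: Release
on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      force_release:
        description: 'Force release build (use existing tag)'
        required: false
        default: 'false'
        type: choice
        options:
          - 'false'
          - 'true'
      release_tag:
        description: 'Tag to release (e.g., cachekit-v0.1.0)'
        required: false
        type: string

# Least privilege: the workflow-level GITHUB_TOKEN is read-only. Write scopes
# are granted only to the job that needs them (release-please), so the
# third-party actions in the build jobs never run with a write-capable token.
permissions:
  contents: read

jobs:
  release-please:
    name: Release Please
    runs-on: ubuntu-latest
    # release-please pushes release commits/tags and opens or updates the
    # release PR, so it needs both write scopes when it falls back to
    # GITHUB_TOKEN. Job-level permissions replace the workflow-level block.
    permissions:
      contents: write
      pull-requests: write
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
      version: ${{ steps.release.outputs.version }}
    steps:
      # Use GitHub App for token vending (avoids branch protection issues with GITHUB_TOKEN)
      # If APP_ID/APP_PRIVATE_KEY not set, falls back to GITHUB_TOKEN
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        if: ${{ vars.USE_APP_TOKEN == 'true' }}
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Run release-please
        id: release
        uses: googleapis/release-please-action@v4
        with:
          manifest-file: .release-please-manifest.json
          config-file: release-please-config.json
          # Skipped app-token step yields an empty output, so the `||`
          # falls through to GITHUB_TOKEN.
          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}

  build-wheels:
    name: Build wheels (${{ matrix.target }})
    needs: release-please
    # Run if: release-please created a release OR manual dispatch with force_release
    if: needs.release-please.outputs.release_created == 'true' || github.event.inputs.force_release == 'true'
    strategy:
      matrix:
        include:
          # Native builds - maturin auto-discovers Python interpreters
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
          - os: macos-latest
            target: x86_64-apple-darwin
          - os: macos-latest
            target: aarch64-apple-darwin
          - os: windows-latest
            target: x86_64-pc-windows-msvc
          # Cross-compilation - must specify Python versions explicitly
          # (cross containers don't have discoverable Python interpreters)
          - os: ubuntu-latest
            target: aarch64-unknown-linux-gnu
            interpreter: -i python3.9 -i python3.10 -i python3.11 -i python3.12 -i python3.13
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Use release-please tag or manual input tag. The user-supplied
          # release_tag is passed as an action input, not interpolated into a
          # shell `run:` string, so it is not an expression-injection vector.
          ref: ${{ needs.release-please.outputs.tag_name || github.event.inputs.release_tag }}
      # Python setup required for native builds (macOS/Windows) to discover interpreters
      # Linux uses Docker containers which have Python pre-installed
      - name: Set up Python
        if: matrix.os != 'ubuntu-latest'
        uses: actions/setup-python@v5
        with:
          python-version: |
            3.9
            3.10
            3.11
            3.12
            3.13
      - uses: PyO3/maturin-action@v1
        with:
          target: ${{ matrix.target }}
          # matrix.interpreter is unset for native targets and expands to "".
          args: --release --out dist ${{ matrix.interpreter }}
          manylinux: auto
          rust-toolchain: stable
      - uses: actions/upload-artifact@v4
        with:
          name: wheels-${{ matrix.target }}
          path: dist

  build-sdist:
    name: Build source distribution
    needs: release-please
    if: needs.release-please.outputs.release_created == 'true' || github.event.inputs.force_release == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.release-please.outputs.tag_name || github.event.inputs.release_tag }}
      - uses: PyO3/maturin-action@v1
        with:
          command: sdist
          args: --out dist
          rust-toolchain: stable
      - uses: actions/upload-artifact@v4
        with:
          name: sdist
          path: dist

  publish:
    name: Publish to PyPI
    needs: [release-please, build-wheels, build-sdist]
    runs-on: ubuntu-latest
    # The `release` environment is the place to attach required reviewers /
    # branch rules so a forced dispatch cannot publish unreviewed.
    environment: release
    # Job-level permissions replace the workflow-level block: this job holds
    # only the OIDC scope that PyPI trusted publishing requires.
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: wheels-*
          merge-multiple: true
          path: dist
      - uses: actions/download-artifact@v4
        with:
          name: sdist
          path: dist
      - name: Publish to PyPI (Trusted Publishing)
        uses: pypa/gh-action-pypi-publish@release/v1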