chore(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.2 #280
# This workflow runs for pull requests and pushes (merge/squash/rebase or tags).
# The TESTS job always runs, installing Python Poetry dependencies, building a
# distribution and running tests on a matrix of Python versions. It also
# computes several outputs for use by other jobs, often in 'if' conditions.
#
# The first output (VERSION_TAG) describes the intended Reliabot version, which
# can be the current tag, but is usually a desired (pre-)release tag for this
# workflow to apply, or the "left over" version of the most recent release tag.
# All outputs are set as environment variables in the jobs that use them, but
# this one uses underscore '_' rather than hyphen '-' in its name so that shell
# 'run' scripts can use it as an environment variable rather than as a '${{ }}'
# substitution that would be vulnerable to shell meta-characters in the value.
# Although TESTS uses `poetry version` to get this value from 'pyproject.toml',
# and poetry rejects metacharacters in the version, it's still worth having
# a shell-compatible name to protect against a compromised action or workflow
# exploiting this environment variable by overriding the poetry-computed value.
#
# The TESTS job uses `git describe` to compute another variable (COMMIT_TAG)
# that is not an output. Its value can be the current VERSION_TAG ("v1.2.3") or
# a previous VERSION_TAG followed by '-', the number of commits made since, and
# a short commit hash, like this: 'v1.2.3-13-ca11ab1e'. The latter indicates an
# "interim" (untagged) commit, and can be distinguished from a pre-release tag
# like 'v1.2.3-rc.5' by the presence of a second '-'.
#
# The TESTS job uses these two variables to determine the type of push (merge)
# or pull request the workflow is handling, and creates "pr-*" outputs for other
# jobs to use in 'if' conditions to enable execution of various job steps.
#
# * pr-commit :: COMMIT_TAG != VERSION_TAG
# * pr-release :: VERSION_TAG has no '-'
# * pr-tag :: COMMIT_TAG does not start with VERSION_TAG + '-'
#
# [The pr-tag test uses '-' to prevent 'v1.2.10' starts with 'v1.2.1' mistakes.]
#
# - Tag push: pr-commit=false pr-release=false pr-tag=false (take no action)
# - "Interim" PR: pr-commit=true pr-release=false pr-tag=false (no tag/release)
# - Pre-release: pr-commit=true pr-release=false pr-tag=true (tag + TestPyPI)
# - Release: pr-commit=true pr-release=true pr-tag=true (annotated + PyPI)
#
# [Only releases use annotated tags so `git describe` ignores pre-releases.]
# [Also note pr-tag=true implies pr-commit=true so the latter test may be omitted.]
#
# The TESTS job also computes two other outputs to coordinate (upload/download)
# between the pull_request and push workflows, and the jobs within them:
#
# - artifact-name - GitHub artifact containing dist/ release for publishing
# - release-name - GitHub title of release or pre-release
# Since only the last matrix instance output is available, and there's no way to
# know which one that is, all matrix instances compute the outputs.
#
# All other jobs run only on one or the other of pull_request or push events:
#
# pull_request: build → draft-release, test-publish
# push: pre-release || ( publish → release )
# The BUILD job creates a Python package release, release notes, and a full
# changelog, uploading them as artifacts for other pull_request and push jobs.
# The lifetime of these artifacts is linked to the "stale" workflow that closes
# inactive PRs. By closing PRs before their artifacts expire, the stale workflow
# prevents push workflow failures. The pull_request workflow runs on "reopen"
# or "ready for review" events, recreating expired artifacts before any "push".
# The DRAFT-RELEASE job creates a draft GitHub release (or pre-release, if the
# version tag contains a '-').
# The TEST-PUBLISH job publishes the Python package from the uploaded build
# artifact to TestPyPI; it does this for both pre-release and release builds.
# The jobs that run on push events are different for pre-releases and releases:
# The PRE-RELEASE job removes the draft status from the GitHub release, and
# creates and pushes a corresponding non-annotated tag for the pre-release.
#
# The PUBLISH job runs for release versions and publishes the Python package
# from the uploaded build artifact to PyPI. It also creates and pushes an
# annotated tag for the release.
# The RELEASE job only removes the draft status from the GitHub release.
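name: 'Test, build, release, upload, publish, and tag Python Poetry app'

env:
  OUTPUT: dist/release-notes.md  # from release.toml

on:
  push:
    branches: ['main']
  pull_request:
    branches: ['main']
    types:
      - opened
      - ready_for_review
      - reopened
      - synchronize

# Default token permissions are read-only; jobs that tag, release or publish
# widen them per job below.
permissions:
  contents: read

jobs:
  # TESTS: always runs; computes VERSION_TAG and the pr-* outputs, then runs
  # the test matrix (see the header comment for the output semantics).
  tests:
    runs-on: ubuntu-22.04
    outputs:
      VERSION_TAG: ${{ steps.computed.outputs.VERSION_TAG }}
      artifact-name: ${{ steps.computed.outputs.artifact-name }}
      pr-commit: ${{ steps.computed.outputs.pr-commit }}
      pr-release: ${{ steps.computed.outputs.pr-release }}
      pr-tag: ${{ steps.computed.outputs.pr-tag }}
      release-name: ${{ steps.computed.outputs.release-name }}
    strategy:
      # fail-fast and max-parallel are strategy options, not matrix
      # dimensions; as single-valued matrix entries they had no effect.
      fail-fast: true
      max-parallel: 5
      matrix:
        python-version:
          - '3.8'
          - '3.9'
          - '3.10'
          - '3.11'
          - '3.12'
    steps:
      - name: 'Harden runner'
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
      - name: 'Checkout repository'
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          # The `git describe` COMMIT_TAG output requires these fetch-* options.
          fetch-depth: 0
          fetch-tags: true
          persist-credentials: false
      - name: 'Install Poetry'
        run: 'pipx install poetry'
      - name: 'Compute outputs for other jobs'
        id: computed
        # Literal block ('|'): every line is a complete statement or ends in a
        # continuation token ('{', '&&', ';', '|', ';;'), so the script no
        # longer relies on folded-scalar indentation rules to keep the line
        # breaks that 'exec >&2' and the final 'exit 1' need.
        run: |
          {
            COMMIT_TAG=$(git describe) &&
            echo "COMMIT_TAG=$COMMIT_TAG" >&2 ;
            VERSION_TAG="v`poetry version --short |
              sed -e 's/a/-alpha./' -e 's/b/-beta./' -e 's/rc/-rc./'`" &&
            echo "VERSION_TAG=$VERSION_TAG" ;
            case "$COMMIT_TAG" in
              *-[abr]*-[1-9]*-*)
                exec >&2
                echo "The COMMIT_TAG that 'git describe' created is based on" ;
                echo "a pre-release tag, which prevents proper generation" ;
                echo "of new releases!" ;
                echo "Make sure git describe is not using --tags, and use" ;
                echo "'git show' to check if the pre-release base tag is" ;
                echo "an annotated tag like release tags."
                exit 1 ;;
              ${VERSION_TAG})
                echo "artifact-name=" ;
                echo "pr-commit=false" ; echo "pr-tag=false" ;
                echo "pr-release=false" ; echo "release-name=" ;;
              ${VERSION_TAG}-*)
                echo "artifact-name=" ;
                echo "pr-commit=true" ; echo "pr-tag=false" ;
                echo "pr-release=false" ; echo "release-name=" ;;
              *)
                echo "artifact-name=dist-reliabot-$VERSION_TAG" ;
                echo "pr-commit=true" ; echo "pr-tag=true" ;
                case "$VERSION_TAG" in
                  *-*)
                    echo "pr-release=false" ;
                    echo "release-name=Pre-release $VERSION_TAG" ;;
                  *)
                    echo "pr-release=true" ;
                    echo "release-name=Release $VERSION_TAG" ;;
                esac ;
            esac ;
          } | tee -a "$GITHUB_OUTPUT"
      - name: 'Set up Python'
        if: steps.computed.outputs.pr-commit == 'true'
        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
        with:
          python-version: '${{ matrix.python-version }}'
          cache: 'poetry'
      - name: 'Install dependencies'
        if: steps.computed.outputs.pr-commit == 'true'
        run: 'poetry install --extras re2-wheels --with testing'
      - name: 'Run tests with coverage'
        if: steps.computed.outputs.pr-commit == 'true'
        run: 'poetry run tox -e py'

  # BUILD (pull_request only): builds dist/, generates release notes and
  # uploads the distribution as the artifact the push jobs later download.
  build:
    runs-on: ubuntu-22.04
    # No build for push events, which use artifacts from pull_request
    if: github.event_name == 'pull_request'
    env:
      VERSION_TAG: ${{ needs.tests.outputs.VERSION_TAG }}
      artifact-name: ${{ needs.tests.outputs.artifact-name }}
      pr-commit: ${{ needs.tests.outputs.pr-commit }}
      pr-release: ${{ needs.tests.outputs.pr-release }}
      pr-tag: ${{ needs.tests.outputs.pr-tag }}
    needs:
      - tests
    steps:
      - name: 'Harden runner'
        if: env.pr-commit == 'true'
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
      - name: 'Checkout repository'
        if: env.pr-commit == 'true'
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          # The `git-cliff` release notes action requires these fetch-* options.
          fetch-depth: 0
          fetch-tags: true
          persist-credentials: false
      - name: 'Install Poetry'
        if: env.pr-commit == 'true'
        run: 'pipx install poetry'
      - name: 'Set up Python'
        if: env.pr-commit == 'true'
        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
        with:
          python-version: '>=3.9 <3.13'
          cache: 'poetry'
      - name: 'Build distribution packages'
        if: env.pr-commit == 'true'
        run: 'poetry build'
      - name: 'Generate release notes'
        if: env.pr-tag == 'true'
        uses: orhun/git-cliff-action@8b17108aad4d9362649a5dae020746c2a767c90d # v3.0.2
        with:
          # VERSION_TAG is substituted into a shell argument here; the header
          # comment explains why the poetry-derived value is considered safe.
          args: >
            '--unreleased'
            '--tag=${{ env.VERSION_TAG }}'
          config: release.toml
      - name: 'Generate "unreleased" notes'
        if: env.pr-commit == 'true' && env.pr-tag == 'false'
        uses: orhun/git-cliff-action@8b17108aad4d9362649a5dae020746c2a767c90d # v3.0.2
        with:
          args: '--unreleased'
          config: release.toml
      - name: 'Upload distribution package as an artifact'
        if: github.repository == 'dupuy/reliabot' && env.pr-tag == 'true'
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          if-no-files-found: error
          name: '${{ env.artifact-name }}'
          overwrite: true
          path: 'dist/*'
          retention-days: 90 # stale + close + 13 <= artifact retention (90 max)

  # DRAFT-RELEASE (pull_request only): creates the draft GitHub (pre-)release
  # from the BUILD artifact; the push jobs later flip it out of draft.
  draft-release:
    runs-on: ubuntu-22.04
    # No draft for push; that uses artifact and draft release from pull_request.
    if: >
      github.event_name == 'pull_request' &&
      github.repository == 'dupuy/reliabot'
    env:
      VERSION_TAG: ${{ needs.tests.outputs.VERSION_TAG }}
      artifact-name: ${{ needs.tests.outputs.artifact-name }}
      pr-release: ${{ needs.tests.outputs.pr-release }}
      pr-tag: ${{ needs.tests.outputs.pr-tag }}
      release-name: ${{ needs.tests.outputs.release-name }}
    needs:
      - build
      - tests
    permissions:
      contents: write
    steps:
      - name: 'Harden runner'
        if: env.pr-tag == 'true'
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            uploads.github.com:443
      - name: 'Download release artifacts'
        if: env.pr-tag == 'true'
        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: '${{ env.artifact-name }}'
          path: dist/
      - name: 'Create draft release and upload artifacts'
        if: env.pr-tag == 'true'
        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
        with:
          allowUpdates: true
          artifactErrorsFailBuild: true
          artifacts: dist/*
          bodyFile: '${{ env.OUTPUT }}'
          draft: true
          name: '${{ env.release-name }}'
          # env values are strings and the non-empty string 'false' is truthy
          # in expressions, so `env.pr-release && 'false' || 'true'` always
          # produced 'false'; compare explicitly instead.
          prerelease: "${{ env.pr-release != 'true' }}"
          tag: '${{ env.VERSION_TAG }}'
          updateOnlyUnreleased: true

  # TEST-PUBLISH (pull_request only): trusted-publishes the BUILD artifact to
  # TestPyPI for both pre-release and release builds.
  test-publish:
    runs-on: ubuntu-22.04
    if: >
      github.event_name == 'pull_request' &&
      github.repository == 'dupuy/reliabot'
    env:
      artifact-name: ${{ needs.tests.outputs.artifact-name }}
      pr-tag: ${{ needs.tests.outputs.pr-tag }}
    needs:
      - build
      - tests
    environment:
      name: test-pypi
      url: https://test.pypi.org/p/reliabot
    permissions:
      id-token: write # IMPORTANT: trusted publishing requires this permission
    steps:
      - name: 'Harden runner'
        if: env.pr-tag == 'true'
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          # audit only records egress, it does not enforce allowed-endpoints.
          # The single listed host is upload.pypi.org although this job
          # publishes to TestPyPI — confirm the real endpoint set from the
          # audit log, then switch to 'block'.
          egress-policy: audit
          allowed-endpoints: >
            upload.pypi.org:443
      - name: 'Download release artifacts'
        if: env.pr-tag == 'true'
        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: '${{ env.artifact-name }}'
          path: dist/
      - name: 'Publish (pre-)release to TestPyPI'
        if: env.pr-tag == 'true'
        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2

  # PUBLISH (push only, releases): pushes the annotated release tag and
  # trusted-publishes the BUILD artifact to PyPI.
  publish:
    runs-on: ubuntu-22.04
    if: github.event_name == 'push' && github.repository == 'dupuy/reliabot'
    env:
      VERSION_TAG: ${{ needs.tests.outputs.VERSION_TAG }}
      artifact-name: ${{ needs.tests.outputs.artifact-name }}
      pr-release: ${{ needs.tests.outputs.pr-release }}
    environment:
      name: pypi
      url: https://pypi.org/p/reliabot
    needs:
      - tests
    permissions:
      contents: write # Needed for annotated tag push
      id-token: write # IMPORTANT: trusted publishing requires this permission
    steps:
      - name: 'Harden runner'
        if: env.pr-release == 'true'
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          # audit only records egress, it does not enforce allowed-endpoints;
          # switch to 'block' once the audited endpoint list is confirmed.
          egress-policy: audit
          allowed-endpoints: >
            github.com:443
            upload.pypi.org:443
      - name: 'Checkout repository'
        if: env.pr-release == 'true'
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          # The Git repository is only necessary for tagging and pushing.
          fetch-depth: 1
          fetch-tags: true
          # The token is kept in the checkout because the tag step below pushes.
          persist-credentials: true
      - name: 'Download release artifacts'
        if: env.pr-release == 'true'
        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: '${{ env.artifact-name }}'
          path: dist/
      - name: 'Create annotated tag for release'
        if: env.pr-release == 'true'
        # VERSION_TAG and OUTPUT are read as shell variables, not '${{ }}'
        # substitutions, as the header comment recommends.
        run: |
          git tag "$VERSION_TAG" -F "$OUTPUT" --cleanup=whitespace
          git push --tags
      - name: 'Publish release to PyPI'
        if: env.pr-release == 'true'
        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2

  # PRE-RELEASE (push only, pre-releases): un-drafts the GitHub pre-release,
  # which creates the non-annotated tag via the 'commit' input.
  pre-release:
    runs-on: ubuntu-22.04
    if: github.event_name == 'push' && github.repository == 'dupuy/reliabot'
    env:
      VERSION_TAG: ${{ needs.tests.outputs.VERSION_TAG }}
      pr-release: ${{ needs.tests.outputs.pr-release }}
      pr-tag: ${{ needs.tests.outputs.pr-tag }}
    needs:
      - tests
    permissions:
      contents: write
    steps:
      - name: 'Harden runner'
        if: env.pr-release == 'false' && env.pr-tag == 'true'
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
      - name: 'Publish GitHub pre-release'
        if: env.pr-release == 'false' && env.pr-tag == 'true'
        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
        with:
          allowUpdates: true
          commit: '${{ github.ref }}' # This only generates a non-annotated tag.
          draft: false
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          prerelease: true
          replacesArtifacts: false
          tag: '${{ env.VERSION_TAG }}'
          updateOnlyUnreleased: true

  # RELEASE (push only, releases): un-drafts the GitHub release; the tag
  # itself comes from the PUBLISH job.
  release:
    runs-on: ubuntu-22.04
    if: github.event_name == 'push' && github.repository == 'dupuy/reliabot'
    env:
      VERSION_TAG: ${{ needs.tests.outputs.VERSION_TAG }}
      pr-release: ${{ needs.tests.outputs.pr-release }}
      pr-tag: ${{ needs.tests.outputs.pr-tag }}
    needs:
      - tests
    permissions:
      contents: write
    steps:
      - name: 'Harden runner'
        if: env.pr-release == 'true'
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
      - name: 'Publish GitHub release'
        if: env.pr-release == 'true'
        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
        with:
          allowUpdates: true
          # Don't set commit, publish job creates an annotated tag.
          draft: false
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          prerelease: false
          replacesArtifacts: false
          tag: '${{ env.VERSION_TAG }}'
          updateOnlyUnreleased: true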