Skip to content

Commit

Permalink
feat: GitHub Action for building, testing, releasing, and publishing
Browse files Browse the repository at this point in the history 
- Add git-cliff configuration for release notes
- Add testing dependencies in poetry.
- Also pin Ubuntu versions for other workflows
  • Loading branch information
@dupuy
dupuy committed Mar 7, 2024
1 parent 2ee9326 commit 072f3ac
Show file tree
Hide file tree
Showing 8 changed files with 567 additions and 6 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ permissions:
jobs:
analyze:
name: 'Analyze'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
permissions:
actions: read
contents: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ permissions:

jobs:
dependency-review:
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ossf-scorecard.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ permissions: read-all
jobs:
analysis:
name: 'Scorecard analysis'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
Expand Down
287 changes: 287 additions & 0 deletions .github/workflows/python-app.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,287 @@
# This workflow installs Python dependencies, runs tests, builds a release.
# For tagged pushes, it also creates a release, uploads build artifacts to the
# GitHub release, and publishes it to PyPI.
# Originally from:
# https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python

name: 'Build, test, release, upload, and publish Python app'

env:
OUTPUT: dist/release-notes.md
on:
push:
branches: ['main']
pull_request:
branches: ['main']
permissions:
contents: read

jobs:
build:
runs-on: ubuntu-22.04

outputs:
commit-tag: '${{ steps.envs.outputs.commit-tag }}'
dist-artifact-name: '${{ steps.envs.outputs.artifact-name }}'

steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
pypi.org:443
- name: 'Checkout repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
fetch-tags: true
persist-credentials: false

- name: 'Install Poetry'
run: 'pipx install poetry'

- name: 'Set up Python'
id: setup-python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: '>=3.9 <3.13'
cache: 'poetry'

- name: 'Get tag-based commit name'
id: envs
run: |
TAG=$(git describe --tags) && echo "commit-tag=$TAG" | tee -a "$GITHUB_OUTPUT" >>"$GITHUB_ENV"
echo 'python-version=${{ steps.setup-python.outputs.python-version }}' >>"$GITHUB_ENV"
echo 'artifact-name=dist-reliabot-${{ env.commit-tag }}-${{ env.python-version }}' >>"$GITHUB_OUTPUT"
shell: bash

- name: 'Build distribution packages'
run: 'poetry build'

- name: 'Generate release notes'
if: "${{ startsWith(github.ref, 'refs/tags/') }}"
uses: orhun/git-cliff-action@8b17108aad4d9362649a5dae020746c2a767c90d # v3.0.2
with:
args: '--latest'
config: release.toml

- name: 'Generate "unreleased" notes'
if: "${{ ! startsWith(github.ref, 'refs/tags/') }}"
uses: orhun/git-cliff-action@8b17108aad4d9362649a5dae020746c2a767c90d # v3.0.2
with:
args: '--unreleased'
config: release.toml

- name: 'Upload distribution package as an artifact'
id: upload-artifact
# if: "startsWith(github.ref, 'refs/tags/') && github.repository == 'dupuy/reliabot'"
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
if-no-files-found: error
name: '${{ steps.envs.outputs.artifact-name }}'
overwrite: true
path: 'dist/*'
retention-days: 14

test:
runs-on: ubuntu-22.04

strategy:
matrix:
fail-fast: [true]
max-concurrency: [5]
python-version:
- '3.8'
- '3.9'
- '3.10'
- '3.11'
- '3.12'

steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
pypi.org:443
- name: 'Checkout repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 1
fetch-tags: false
persist-credentials: false

- name: 'Install Poetry'
run: 'pipx install poetry'

- name: 'Set up Python'
id: setup-python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: '${{ matrix.python-version }}'
cache: 'poetry'

- name: 'Install dependencies'
run: 'poetry install --extras re2-wheels --with testing'

- name: 'Run tests with coverage'
run: 'poetry run tox -e py'

draft-release:
runs-on: ubuntu-22.04

# if: "startsWith(github.ref, 'refs/tags/') && github.repository == 'dupuy/reliabot'"
needs:
- build
- test
outputs:
commit-tag: '${{ needs.build.outputs.commit-tag }}'
dist-artifact-name: '${{ needs.build.outputs.dist-artifact-name }}'
permissions:
contents: write

steps:
- name: 'Harden runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
api.github.com:443
uploads.github.com:443
- name: 'Download release artifacts'
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: '${{ needs.build.outputs.dist-artifact-name }}'
path: dist/

- name: 'Create draft pre-release and upload artifacts'
if: "${{ contains(needs.build.outputs.commit-tag, '-') }}"
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
allowUpdates: true
artifactErrorsFailBuild: true
artifacts: dist/*
bodyFile: '${{ env.OUTPUT }}'
draft: true
name: 'Pre-release ${{ needs.build.outputs.commit-tag }}'
prerelease: true
tag: '${{ github.ref }}'
updateOnlyUnreleased: true

- name: 'Create draft release and upload artifacts'
if: "${{ ! contains(needs.build.outputs.commit-tag, '-') }}"
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
allowUpdates: true
artifactErrorsFailBuild: true
artifacts: dist/*
bodyFile: '${{ env.OUTPUT }}'
draft: true
name: 'Release ${{ needs.build.outputs.commit-tag }}'
prerelease: false
tag: '${{ github.ref }}'
updateOnlyUnreleased: true

test-publish:
runs-on: ubuntu-22.04

# if: "startsWith(github.ref, 'refs/tags/') && github.repository == 'dupuy/reliabot'"
if: "${{ contains(needs.build.outputs.commit-tag, '-') }}"
needs:
- build # does not require 'test' matrix to pass
environment:
name: test-pypi
url: https://test.pypi.org/p/reliabot
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing

steps:
- name: 'Download release artifacts'
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: '${{ needs.build.outputs.dist-artifact-name }}'
path: dist/

- name: 'Publish pre-release to TestPyPI'
uses: pypa/gh-action-pypi-publish@e53eb8b103ffcb59469888563dc324e3c8ba6f06 # v1.8.2

publish:
runs-on: ubuntu-22.04

# if: "startsWith(github.ref, 'refs/tags/') && github.repository == 'dupuy/reliabot'"
if: "${{ ! contains(needs.draft-release.outputs.commit-tag, '-') }}"
needs:
- draft-release
- test
environment:
name: pypi
url: https://pypi.org/p/reliabot
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing

steps:
- name: 'Download release artifacts'
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: '${{ needs.draft-release.outputs.dist-artifact-name }}'
path: dist/

- name: 'Publish release to PyPI'
uses: pypa/gh-action-pypi-publish@e53eb8b103ffcb59469888563dc324e3c8ba6f06 # v1.8.2

test-release:
runs-on: ubuntu-22.04

# if: "startsWith(github.ref, 'refs/tags/') && github.repository == 'dupuy/reliabot'"
# if: "${{ contains(github.ref, '-') }}"
if: "${{ contains(needs.draft-release.outputs.commit-tag, '-') }}"
needs:
- draft-release
- test-publish

steps:
- name: 'Publish GitHub (pre-)release'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
allowUpdates: true
draft: false
omitBodyDuringUpdate: true
omitNameDuringUpdate: true
prerelease: true
replacesArtifacts: false
tag: '${{ github.ref }}'

release:
runs-on: ubuntu-22.04

# if: "startsWith(github.ref, 'refs/tags/') && github.repository == 'dupuy/reliabot'"
# if: "${{ ! contains(github.ref, '-') }}"
if: "${{ ! contains(needs.draft-release.outputs.commit-tag, '-') }}"
needs:
- draft-release
- publish

steps:
- name: 'Publish GitHub release'
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
allowUpdates: true
draft: false
omitBodyDuringUpdate: true
omitNameDuringUpdate: true
prerelease: false
replacesArtifacts: false
tag: '${{ github.ref }}'
updateOnlyUnreleased: true
2 changes: 1 addition & 1 deletion .github/workflows/stale.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ permissions:

jobs:
stale:
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
permissions:
issues: write
pull-requests: write
Expand Down
Loading

0 comments on commit 072f3ac

Please sign in to comment.