feat: GitHub Action for building, testing, releasing, and publishing

- Also add testing dependencies in poetry.

.github/workflows/python-app.yaml

@@ -0,0 +1,176 @@
+# This workflow installs Python dependencies, runs tests, builds a release.
+# For tagged pushes, it also creates a release, uploads build artifacts to the
+# GitHub release, and publishes it to PyPI.
+# Originally from:
+# https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+
+name: 'Build, test, release, upload, and publish Python app'
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+
+# Declare default permissions as read only.
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+
+    outputs:
+      changelog-body: '${{ steps.changelog.outputs.content }}'
+      commit-tag: '${{ steps.envs.outputs.commit-tag }}'
+      dist-artifact-name: '${{ steps.envs.outputs.artifact-name }}'
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
+      - name: 'Checkout repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+          persist-credentials: false
+
+      - name: 'Install Poetry'
+        run: 'pipx install poetry'
+
+      - name: 'Set up Python'
+        id: setup-python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: '>=3.9 <3.13'
+          cache: 'poetry'
+
+      - name: 'Get tag-based commit name'
+        id: envs
+        run: |
+          TAG=$(git describe --tags) && echo "commit-tag=$TAG" | tee -a "$GITHUB_OUTPUT" >>"$GITHUB_ENV"
+          echo 'python-version=${{ steps.setup-python.outputs.python-version }}' >>"$GITHUB_ENV"
+          echo 'artifact-name=dist-reliabot-${{ env.commit-tag }}-${{ env.python-version }}' >>"$GITHUB_OUTPUT"
+        shell: bash
+
+      - name: 'Build distribution packages'
+        run: 'poetry build'
+
+      - name: 'Generate release notes'
+        id: changelog
+        uses: orhun/git-cliff-action@8b17108aad4d9362649a5dae020746c2a767c90d # v3.0.2
+        with:
+          args: '--latest'
+          config: release.toml
+        env:
+          OUTPUT: dist/release-notes.md
+
+      - name: 'Upload distribution package as an artifact'
+        id: upload-artifact
+        # if: "startsWith(github.ref, 'refs/tags/') && github.repository == 'dupuy/reliabot'"
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          if-no-files-found: error
+          name: '${{ steps.envs.outputs.artifact-name }}'
+          overwrite: true
+          path: 'dist/*'
+          retention-days: 14
+
+  test:
+    runs-on: ubuntu-22.04
+
+    strategy:
+      matrix:
+        fail-fast: [true]
+        max-concurrency: [5]
+        python-version:
+          - '3.8'
+          - '3.9'
+          - '3.10'
+          - '3.11'
+          - '3.12'
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
+      - name: 'Checkout repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: false
+
+      - name: 'Install Poetry'
+        run: 'pipx install poetry'
+
+      - name: 'Set up Python'
+        id: setup-python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: '${{ matrix.python-version }}'
+          cache: 'poetry'
+
+      - name: 'Install dependencies'
+        run: 'poetry install --extras re2-wheels --with testing'
+
+      - name: 'Run tests with coverage'
+        run: 'poetry run tox -e py'
+
+  release:
+    runs-on: ubuntu-22.04
+
+    # if: "startsWith(github.ref, 'refs/tags/') && github.repository == 'dupuy/reliabot'"
+
+    needs:
+      - build
+      - test
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            api.github.com:443
+            uploads.github.com:443
+
+      - name: 'Download release artifacts'
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: '${{ needs.build.outputs.dist-artifact-name }}'
+          path: dist/
+
+      - name: 'Create pre-release and upload artifacts'
+        # if: "${{ contains(github.ref, '-') }}"
+        if: "${{ contains(needs.build.outputs.commit-tag, '-') }}"
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
+        with:
+          allowUpdates: true
+          artifactErrorsFailBuild: true
+          artifacts: dist/*
+          body: '${{ needs.build.outputs.changelog-body }}'
+          draft: true
+          name: 'Pre-release ${{ needs.build.outputs.commit-tag }}'
+          prerelease: true
+          tag: '${{ github.ref }}'

pyproject.toml

@@ -155,6 +155,12 @@ python = "^3.8"  # 3.8 end-of-life 2024-10
 pyre2 = { version = "^0.3.6", optional = true }
 pyre2-updated = { version = "^0.3.8", optional = true }
 
+[tool.poetry.group.testing]
+optional = true
+
+[tool.poetry.group.testing.dependencies]
+tox = "^4.13.0"
+
 [tool.poetry.extras]
 re2 = ["pyre2"]
 re2-wheels = ["pyre2-updated"]