feat: GitHub Actions workflow for testing, releasing, and publishing

.github/workflows/codeql.yaml

@@ -21,7 +21,7 @@ permissions:
 jobs:
   analyze:
     name: 'Analyze'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read

.github/workflows/dependency-review.yaml

@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: 'Harden runner'
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0

.github/workflows/ossf-scorecard.yaml

@@ -20,7 +20,7 @@ permissions: read-all
 jobs:
   analysis:
     name: 'Scorecard analysis'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write

.github/workflows/python-app.yaml

@@ -0,0 +1,311 @@
+# This workflow installs Python dependencies, runs tests, builds a release.
+# For tagged pushes, it also creates a release, uploads build artifacts to the
+# GitHub release, and publishes it to PyPI.
+# Originally from:
+# https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+
+name: 'Build, test, release, upload, and publish Python app'
+
+env:
+  OUTPUT: dist/release-notes.md
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+
+    outputs:
+      commit-tag: '${{ steps.envs.outputs.commit-tag }}'
+      dist-artifact-name: '${{ steps.envs.outputs.artifact-name }}'
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
+      - name: 'Checkout repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+          persist-credentials: false
+
+      - name: 'Install Poetry'
+        run: 'pipx install poetry'
+
+      - name: 'Set up Python'
+        id: setup-python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: '>=3.9 <3.13'
+          cache: 'poetry'
+
+      - name: 'Get tag-based commit name'
+        id: envs
+        run: |
+          TAG=$(git describe --tags) && echo "commit-tag=$TAG" | tee -a "$GITHUB_OUTPUT" >>"$GITHUB_ENV"
+          echo 'python-version=${{ steps.setup-python.outputs.python-version }}' >>"$GITHUB_ENV"
+          echo 'artifact-name=dist-reliabot-${{ env.commit-tag }}-${{ env.python-version }}' >>"$GITHUB_OUTPUT"
+        shell: bash
+
+      - name: 'Build distribution packages'
+        run: 'poetry build'
+
+      - name: 'Generate release notes'
+        if: "${{ startsWith(github.ref, 'refs/tags/') }}"
+        uses: orhun/git-cliff-action@8b17108aad4d9362649a5dae020746c2a767c90d # v3.0.2
+        with:
+          args: '--latest'
+          config: release.toml
+
+      - name: 'Generate "unreleased" notes'
+        if: "${{ ! startsWith(github.ref, 'refs/tags/') }}"
+        uses: orhun/git-cliff-action@8b17108aad4d9362649a5dae020746c2a767c90d # v3.0.2
+        with:
+          args: '--unreleased'
+          config: release.toml
+
+      - name: 'Upload distribution package as an artifact'
+        id: upload-artifact
+        if: github.repository == 'dupuy/reliabot'
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          if-no-files-found: error
+          name: '${{ steps.envs.outputs.artifact-name }}'
+          overwrite: true
+          path: 'dist/*'
+          retention-days: 14
+
+  test:
+    runs-on: ubuntu-22.04
+
+    strategy:
+      matrix:
+        fail-fast: [true]
+        max-concurrency: [5]
+        python-version:
+          - '3.8'
+          - '3.9'
+          - '3.10'
+          - '3.11'
+          - '3.12'
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
+      - name: 'Checkout repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: false
+
+      - name: 'Install Poetry'
+        run: 'pipx install poetry'
+
+      - name: 'Set up Python'
+        id: setup-python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: '${{ matrix.python-version }}'
+          cache: 'poetry'
+
+      - name: 'Install dependencies'
+        run: 'poetry install --extras re2-wheels --with testing'
+
+      - name: 'Run tests with coverage'
+        run: 'poetry run tox -e py'
+
+  draft-release:
+    runs-on: ubuntu-22.04
+
+    if: github.repository == 'dupuy/reliabot'
+    needs:
+      - build
+      - test
+    outputs:
+      commit-tag: '${{ needs.build.outputs.commit-tag }}'
+      dist-artifact-name: '${{ needs.build.outputs.dist-artifact-name }}'
+    permissions:
+      contents: write
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            api.github.com:443
+            uploads.github.com:443
+
+      - name: 'Download release artifacts'
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: '${{ needs.build.outputs.dist-artifact-name }}'
+          path: dist/
+
+      - name: 'Create draft pre-release and upload artifacts'
+        if: "${{ contains(needs.build.outputs.commit-tag, '-') }}"
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
+        with:
+          allowUpdates: true
+          artifactErrorsFailBuild: true
+          artifacts: dist/*
+          bodyFile: '${{ env.OUTPUT }}'
+          draft: true
+          name: 'Pre-release ${{ needs.build.outputs.commit-tag }}'
+          prerelease: true
+          tag: '${{ github.ref }}'
+          updateOnlyUnreleased: true
+
+      - name: 'Create draft release and upload artifacts'
+        if: "${{ ! contains(needs.build.outputs.commit-tag, '-') }}"
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
+        with:
+          allowUpdates: true
+          artifactErrorsFailBuild: true
+          artifacts: dist/*
+          bodyFile: '${{ env.OUTPUT }}'
+          draft: true
+          name: 'Release ${{ needs.build.outputs.commit-tag }}'
+          prerelease: false
+          tag: '${{ github.ref }}'
+          updateOnlyUnreleased: true
+
+  test-publish:
+    runs-on: ubuntu-22.04
+
+    if: "${{ github.repository == 'dupuy/reliabot' && contains(github.ref, '-') }}"
+    needs:
+      - build # does not require 'test' matrix to pass
+    environment:
+      name: test-pypi
+      url: https://test.pypi.org/p/reliabot
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            upload.pypi.org:443
+
+      - name: 'Download release artifacts'
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: '${{ needs.build.outputs.dist-artifact-name }}'
+          path: dist/
+
+      - name: 'Publish pre-release to TestPyPI'
+        uses: pypa/gh-action-pypi-publish@e53eb8b103ffcb59469888563dc324e3c8ba6f06 # v1.8.2
+
+  publish:
+    runs-on: ubuntu-22.04
+
+    if: "${{ github.repository == 'dupuy/reliabot' && startsWith(github.ref, 'refs/tags/') && ! contains(github.ref, '-') }}"
+    needs:
+      - draft-release
+      - test
+    environment:
+      name: pypi
+      url: https://pypi.org/p/reliabot
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            upload.pypi.org:443
+
+      - name: 'Download release artifacts'
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: '${{ needs.draft-release.outputs.dist-artifact-name }}'
+          path: dist/
+
+      - name: 'Publish release to PyPI'
+        uses: pypa/gh-action-pypi-publish@e53eb8b103ffcb59469888563dc324e3c8ba6f06 # v1.8.2
+
+  test-release:
+    runs-on: ubuntu-22.04
+
+    needs:
+      - draft-release
+      - test-publish
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            api.github.com:443
+
+      - name: 'Publish GitHub (pre-)release'
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
+        with:
+          allowUpdates: true
+          draft: false
+          omitBodyDuringUpdate: true
+          omitNameDuringUpdate: true
+          prerelease: true
+          replacesArtifacts: false
+          tag: '${{ github.ref }}'
+
+  release:
+    runs-on: ubuntu-22.04
+
+    needs:
+      - draft-release
+      - publish
+
+    steps:
+      - name: 'Harden runner'
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          allowed-endpoints: >
+            api.github.com:443
+
+      - name: 'Publish GitHub release'
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
+        with:
+          allowUpdates: true
+          draft: false
+          omitBodyDuringUpdate: true
+          omitNameDuringUpdate: true
+          prerelease: false
+          replacesArtifacts: false
+          tag: '${{ github.ref }}'
+          updateOnlyUnreleased: true

.github/workflows/stale.yaml

@@ -15,7 +15,7 @@ permissions:
 
 jobs:
   stale:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       issues: write
       pull-requests: write