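---
name: TestPyPI Publishing
# SECURITY NOTE: This workflow uses PyPI Trusted Publishing (OIDC)
# No API tokens required - authentication is handled automatically via GitHub's OIDC token
#
# This workflow publishes to TestPyPI ONLY for development testing.
# Production releases to PyPI are handled by prod-release.yml
#
# Prerequisites:
# 1. Configure trusted publisher on TestPyPI: https://test.pypi.org/manage/account/publishing/
# 2. See docs/deployment/pypi-setup.md for detailed setup instructions
#
# Trusted-publisher matching: TestPyPI identifies this workflow by repository,
# workflow filename (dev-pypi.yml) and the `testpypi` environment name used by
# the publish job below. Renaming any of these breaks the OIDC trust and the
# upload step will be rejected.

env:
  # Comment trigger words for package publishing
  # NOTE(review): nothing in this file reads PUBLISH_TRIGGERS and there is no
  # issue_comment trigger here. It is exported into every step's environment,
  # so confirm the Makefile targets do not depend on it before removing it.
  PUBLISH_TRIGGERS: "/package"

# Triggers. A push to main publishes immediately, without waiting for
# "Quality Checks" / "Unit Tests"; only the workflow_run path is gated on their
# conclusion (see the `if` on the config job). One commit to main therefore
# produces two runs of this workflow: the concurrency group serialises them and
# `skip-existing: true` on the upload turns the second one into a no-op.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    paths:
      - 'src/**'
      - 'pyproject.toml'
      - 'requirements*.txt'
      - 'uv.lock'
  workflow_run:
    workflows: ["Quality Checks", "Unit Tests"]
    types: [completed]
    branches: [main]
  workflow_dispatch:
    inputs:
      # NOTE(review): no step references inputs.force; `skip-existing` on the
      # publish step is unconditionally true, so this input currently has no
      # effect on what gets uploaded.
      force:
        description: 'Force publish even if version exists'
        required: false
        default: false
        type: boolean

concurrency:
  group: "pypi-publishing"
  cancel-in-progress: false  # queue behind a running publish instead of aborting it

jobs:
  config:
    name: Get Configuration
    runs-on: ubuntu-latest
    # On workflow_run, only continue when the upstream workflow succeeded.
    # push and workflow_dispatch events always pass this condition.
    if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
    # NOTE(review): no job-level `permissions`, so GITHUB_TOKEN gets the
    # repository default scope here. Checkout needs only `contents: read`;
    # confirm the local get-config action needs nothing more, then restrict.
    outputs:
      default-python-version: ${{ steps.config.outputs.default-python-version }}
      package-version: ${{ steps.config.outputs.package-version }}
      pypi-name: ${{ steps.config.outputs.pypi-name }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Get project configuration
        id: config
        uses: ./.github/actions/get-config

  publish:
    name: Build and Publish Package
    runs-on: ubuntu-latest
    needs: [config]
    environment:
      name: testpypi
      url: https://test.pypi.org/p/${{ needs.config.outputs.pypi-name }}
    permissions:
      id-token: write # IMPORTANT: mandatory for trusted publishing
      contents: read # needed to checkout code
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # NOTE(review): on workflow_run events github.sha is the HEAD of the
          # default branch, not github.event.workflow_run.head_sha (the commit
          # the upstream checks actually ran on). If the intent is to publish
          # exactly the tested commit, use head_sha here and in the config job.
          ref: ${{ github.sha }}
      - name: Determine version and target
        # The job output is passed through `env` rather than spliced into the
        # script with ${{ }}, so the shell only ever sees it as data.
        # VERSION/TARGET are written to GITHUB_ENV for the later steps
        # (make build-with-version, the summary); variables written there are
        # not visible in this same step, hence the log line uses
        # PACKAGE_VERSION directly.
        env:
          PACKAGE_VERSION: ${{ needs.config.outputs.package-version }}
        run: |
          {
            echo "VERSION=$PACKAGE_VERSION"
            echo "TARGET=testpypi"
          } >> "$GITHUB_ENV"
          echo "Publishing to: TestPyPI with version: $PACKAGE_VERSION"
      - name: Setup Python and UV
        uses: ./.github/actions/setup-uv-cached
        with:
          cache-key: deps-${{ needs.config.outputs.default-python-version }}-${{ hashFiles('.project.yml', 'pyproject.toml', 'requirements*.txt') }}
          fail-on-cache-miss: false
      - name: Build package
        run: |
          make build-with-version
      - name: Check package
        run: |
          make test-install-only
      - name: Publish to Test PyPI
        # NOTE(review): `release/v1` is a mutable branch ref, and this step
        # receives the OIDC token that is allowed to publish the package. Pin
        # it (and the other third-party actions in this file) to a full commit
        # SHA so an upstream change cannot silently alter what runs here.
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          verbose: true
          skip-existing: true  # an already-uploaded version is skipped, not treated as failure
      - name: Create deployment summary
        # pypi-name is passed via env for the same reason as PACKAGE_VERSION
        # above; VERSION comes from GITHUB_ENV written in an earlier step.
        env:
          PYPI_NAME: ${{ needs.config.outputs.pypi-name }}
        run: |
          {
            echo "## Package Published Successfully"
            echo ""
            echo "**Environment:** Test PyPI"
            echo "**Installation:** \`pip install --index-url https://test.pypi.org/simple/ $PYPI_NAME\`"
            echo ""
            echo "**Version:** $VERSION"
            echo "**Commands:**"
            echo "- \`orb --help\`"
          } >> "$GITHUB_STEP_SUMMARY"

  generate-sbom:
    name: Generate SBOM
    runs-on: ubuntu-latest
    needs: [config, publish]
    # NOTE(review): broad token scope for this job. `contents: write` is what
    # the dependency-submission step needs. No visible step consumes
    # `security-events: write` (code-scanning uploads), and whether
    # upload-artifact needs `actions: write` should be confirmed against its
    # documentation; drop whatever is unused.
    permissions:
      contents: write
      actions: write
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Python and UV
        uses: ./.github/actions/setup-uv-cached
        with:
          cache-key: deps-${{ needs.config.outputs.default-python-version }}-${{ hashFiles('.project.yml', 'pyproject.toml', 'requirements*.txt') }}
          fail-on-cache-miss: false
      - name: Generate SBOM files
        run: |
          make ci-build-sbom
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v7
        with:
          name: reports-sbom-${{ needs.config.outputs.package-version }}
          path: |
            python-sbom-cyclonedx.json
            python-sbom-spdx.json
          retention-days: 180
      - name: Upload SBOM to GitHub dependency graph
        uses: advanced-security/spdx-dependency-submission-action@v0.1.1
        # Runs even when SBOM generation failed and never fails the job, so a
        # missing python-sbom-spdx.json is only visible in this step's log.
        if: always()
        with:
          filePath: "."
          filePattern: "python-sbom-spdx.json"
        continue-on-error: true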