django-render-static/.github/workflows/release.yml at main · bckohan/django-render-static · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

name: Publish Release

permissions: read-all

concurrency:
  # stop previous release runs if tag is recreated
  group: release-${{ github.ref }}
  cancel-in-progress: true

on:
  push:
    tags:
      - 'v[0-9]*.[0-9]*.[0-9]*'  # only publish on version tags (e.g. v1.0.0)

jobs:

  lint:
    permissions:
      contents: read
      actions: write
    uses: ./.github/workflows/lint.yml

  test:
    permissions:
      contents: read
      actions: write
      id-token: write
    uses: ./.github/workflows/test.yml

  build:
    name: Build Package
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: write
    outputs:
      PACKAGE_NAME: ${{ steps.set-package.outputs.package_name }}
      RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }}
    steps:
    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
      with:
        persist-credentials: false
    - name: Set up Python
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
      with:
        python-version: "3.14"
        allow-prereleases: true
    - name: Install uv
      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
      with:
        enable-cache: false
        restore-cache: false
        save-cache: false
    - name: Setup Just
      uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3
    - name: Verify Tag
      run: |
        TAG_NAME=${GITHUB_REF#refs/tags/}
        echo "Verifying tag $TAG_NAME..."
        # if a tag was deleted and recreated we may have the old one cached
        # be sure that we're publishing the current tag!
        git fetch --force origin refs/tags/$TAG_NAME:refs/tags/$TAG_NAME

        # verify signature
        curl -sL "https://github.com/${GITHUB_ACTOR}.gpg" | gpg --import
        git tag -v "$TAG_NAME"

        # verify version
        RELEASE_VERSION=$(just validate_version $TAG_NAME)

        # export the release version
        echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV
    - name: Build the binary wheel and a source tarball
      run: just build
    - name: Store the distribution packages
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
      with:
        name: python-package-distributions
        path: dist/
    - name: Set Package Name
      id: set-package
      run:
        PACKAGE_NAME=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['name'])")
        echo "PACKAGE_NAME=${PACKAGE_NAME}" >> $GITHUB_ENV

  publish-to-pypi:
    name: Publish to PyPI
    needs:
      - lint
      - test
      - build
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/p/${{ needs.build.outputs.PACKAGE_NAME }}
    permissions:
      id-token: write  # IMPORTANT: mandatory for trusted publishing
    steps:
    - name: Download all the dists
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
      with:
        name: python-package-distributions
        path: dist/
    - name: Publish distribution to PyPI
      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b

  github-release:
    name: Publish GitHub Release
    runs-on: ubuntu-latest
    needs:
      - lint
      - test
      - build
    permissions:
      contents: write  # IMPORTANT: mandatory for making GitHub Releases
      id-token: write  # IMPORTANT: mandatory for sigstore

    steps:
    - name: Download all the dists
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
      with:
        name: python-package-distributions
        path: dist/
    - name: Sign the dists with Sigstore
      uses: sigstore/gh-action-sigstore-python@04cffa1d795717b140764e8b640de88853c92acc
      with:
        inputs: >-
          ./dist/*.tar.gz
          ./dist/*.whl
    - name: Create GitHub Release
      env:
        GITHUB_TOKEN: ${{ github.token }}
        GITHUB_REF_NAME: ${{ github.ref_name }}
        GITHUB_REPOSITORY: ${{ github.repository }}
      run: >-
        gh release create
        "$GITHUB_REF_NAME"
        --repo "$GITHUB_REPOSITORY"
        --generate-notes
        --prerelease
    - name: Upload artifact signatures to GitHub Release
      env:
        GITHUB_TOKEN: ${{ github.token }}
        GITHUB_REF_NAME: ${{ github.ref_name }}
        GITHUB_REPOSITORY: ${{ github.repository }}
      run: >-
        gh release upload
        "$GITHUB_REF_NAME" dist/**
        --repo "$GITHUB_REPOSITORY"