Skip to content

chore(release): v3.0.1 — unified production release across EmbeddedOS… #7

chore(release): v3.0.1 — unified production release across EmbeddedOS…

chore(release): v3.0.1 — unified production release across EmbeddedOS… #7

Workflow file for this run

name: Release
on:
push:
tags:
- "v*.*.*"
- "v*.*.*-*"
permissions:
contents: write
packages: write
id-token: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
jobs:
validate:
name: Validate
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install & Test
run: |
pip install -e ".[dev]"
ruff check src/ tests/
pytest --cov=edb --cov-report=xml tests/
coverage report --fail-under=70
docker:
name: Docker Build & Push (multi-arch)
runs-on: ubuntu-latest
needs: validate
steps:
- uses: actions/checkout@v4
- name: Extract version
id: version
run: |
TAG=${GITHUB_REF#refs/tags/}
echo "tag=$TAG" >> $GITHUB_OUTPUT
echo "version=${TAG#v}" >> $GITHUB_OUTPUT
- name: Lowercase repo name
id: repo
run: echo "name=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
- name: Set up QEMU (for arm64 emulation)
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push (linux/amd64,linux/arm64)
uses: docker/build-push-action@v6
with:
context: .
push: true
platforms: linux/amd64,linux/arm64
tags: |
ghcr.io/${{ steps.repo.outputs.name }}:${{ steps.version.outputs.version }}
ghcr.io/${{ steps.repo.outputs.name }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max
pypi:
name: Publish to PyPI (OIDC trusted publishing)
runs-on: ubuntu-latest
needs: validate
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Build dist
run: |
pip install build
python -m build
- name: Check dist
run: |
pip install twine
twine check dist/*
- name: Publish to PyPI (trusted publishing)
uses: pypa/gh-action-pypi-publish@release/v1
with:
skip-existing: true
npm:
name: Publish to npm (frontend)
runs-on: ubuntu-latest
needs: validate
steps:
- uses: actions/checkout@v4
- name: Detect package.json
id: detect
run: |
if [ -f package.json ]; then
echo "has_npm=true" >> $GITHUB_OUTPUT
else
echo "has_npm=false" >> $GITHUB_OUTPUT
echo "::notice::No package.json found, skipping npm publish"
fi
- uses: actions/setup-node@v4
if: steps.detect.outputs.has_npm == 'true'
with:
node-version: '20.x'
registry-url: 'https://registry.npmjs.org'
- name: Install dependencies
if: steps.detect.outputs.has_npm == 'true'
run: npm ci
- name: Build
if: steps.detect.outputs.has_npm == 'true'
run: npm run build
- name: Publish (skip if NPM_TOKEN missing)
if: steps.detect.outputs.has_npm == 'true' && env.NODE_AUTH_TOKEN != ''
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish
release:
name: Create Release
runs-on: ubuntu-latest
needs: [validate, docker, pypi]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Extract version
id: version
run: |
TAG=${GITHUB_REF#refs/tags/}
echo "tag=$TAG" >> $GITHUB_OUTPUT
echo "version=${TAG#v}" >> $GITHUB_OUTPUT
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Build dist
run: |
pip install build
python -m build
- name: Generate checksums
run: |
cd dist
sha256sum * > SHA256SUMS.txt
mv SHA256SUMS.txt ..
- name: Generate CycloneDX SBOM
uses: anchore/sbom-action@v0
with:
path: .
format: cyclonedx-json
output-file: sbom.cdx.json
artifact-name: sbom.cdx.json
- name: Generate SPDX SBOM
uses: anchore/sbom-action@v0
with:
path: .
format: spdx-json
output-file: sbom.spdx.json
artifact-name: sbom.spdx.json
- name: Install cosign
uses: sigstore/cosign-installer@v3
- name: Sign artifacts
run: |
set -e
for f in dist/*; do
[ -f "$f" ] || continue
cosign sign-blob --yes --bundle "${f}.sig.bundle" "$f"
done
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ steps.version.outputs.tag }}
name: "eDB ${{ steps.version.outputs.tag }}"
generate_release_notes: true
fail_on_unmatched_files: false
body: |
## eDB ${{ steps.version.outputs.tag }}
Python wheels + sdist published to PyPI (OIDC trusted publishing).
Multi-arch Docker image published to ghcr.io.
### Integrity & supply-chain
- `SHA256SUMS.txt`
- `sbom.cdx.json` — CycloneDX SBOM
- `sbom.spdx.json` — SPDX SBOM
- `*.sig.bundle` — Sigstore cosign keyless signatures
files: |
dist/*
dist/*.sig.bundle
SHA256SUMS.txt
sbom.cdx.json
sbom.spdx.json
prerelease: ${{ contains(steps.version.outputs.tag, 'rc') || contains(steps.version.outputs.tag, 'beta') }}