chore(release): v3.0.1 — unified production release across EmbeddedOS… #7
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - "v*.*.*" | |
| - "v*.*.*-*" | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: false | |
| jobs: | |
| validate: | |
| name: Validate | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Install & Test | |
| run: | | |
| pip install -e ".[dev]" | |
| ruff check src/ tests/ | |
| pytest --cov=edb --cov-report=xml tests/ | |
| coverage report --fail-under=70 | |
| docker: | |
| name: Docker Build & Push (multi-arch) | |
| runs-on: ubuntu-latest | |
| needs: validate | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Extract version | |
| id: version | |
| run: | | |
| TAG=${GITHUB_REF#refs/tags/} | |
| echo "tag=$TAG" >> $GITHUB_OUTPUT | |
| echo "version=${TAG#v}" >> $GITHUB_OUTPUT | |
| - name: Lowercase repo name | |
| id: repo | |
| run: echo "name=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT | |
| - name: Set up QEMU (for arm64 emulation) | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push (linux/amd64,linux/arm64) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: | | |
| ghcr.io/${{ steps.repo.outputs.name }}:${{ steps.version.outputs.version }} | |
| ghcr.io/${{ steps.repo.outputs.name }}:latest | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| pypi: | |
| name: Publish to PyPI (OIDC trusted publishing) | |
| runs-on: ubuntu-latest | |
| needs: validate | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Build dist | |
| run: | | |
| pip install build | |
| python -m build | |
| - name: Check dist | |
| run: | | |
| pip install twine | |
| twine check dist/* | |
| - name: Publish to PyPI (trusted publishing) | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| skip-existing: true | |
| npm: | |
| name: Publish to npm (frontend) | |
| runs-on: ubuntu-latest | |
| needs: validate | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Detect package.json | |
| id: detect | |
| run: | | |
| if [ -f package.json ]; then | |
| echo "has_npm=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_npm=false" >> $GITHUB_OUTPUT | |
| echo "::notice::No package.json found, skipping npm publish" | |
| fi | |
| - uses: actions/setup-node@v4 | |
| if: steps.detect.outputs.has_npm == 'true' | |
| with: | |
| node-version: '20.x' | |
| registry-url: 'https://registry.npmjs.org' | |
| - name: Install dependencies | |
| if: steps.detect.outputs.has_npm == 'true' | |
| run: npm ci | |
| - name: Build | |
| if: steps.detect.outputs.has_npm == 'true' | |
| run: npm run build | |
| - name: Publish (skip if NPM_TOKEN missing) | |
| if: steps.detect.outputs.has_npm == 'true' && env.NODE_AUTH_TOKEN != '' | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| run: npm publish | |
| release: | |
| name: Create Release | |
| runs-on: ubuntu-latest | |
| needs: [validate, docker, pypi] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Extract version | |
| id: version | |
| run: | | |
| TAG=${GITHUB_REF#refs/tags/} | |
| echo "tag=$TAG" >> $GITHUB_OUTPUT | |
| echo "version=${TAG#v}" >> $GITHUB_OUTPUT | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Build dist | |
| run: | | |
| pip install build | |
| python -m build | |
| - name: Generate checksums | |
| run: | | |
| cd dist | |
| sha256sum * > SHA256SUMS.txt | |
| mv SHA256SUMS.txt .. | |
| - name: Generate CycloneDX SBOM | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| path: . | |
| format: cyclonedx-json | |
| output-file: sbom.cdx.json | |
| artifact-name: sbom.cdx.json | |
| - name: Generate SPDX SBOM | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| path: . | |
| format: spdx-json | |
| output-file: sbom.spdx.json | |
| artifact-name: sbom.spdx.json | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Sign artifacts | |
| run: | | |
| set -e | |
| for f in dist/*; do | |
| [ -f "$f" ] || continue | |
| cosign sign-blob --yes --bundle "${f}.sig.bundle" "$f" | |
| done | |
| - name: Create GitHub Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| tag_name: ${{ steps.version.outputs.tag }} | |
| name: "eDB ${{ steps.version.outputs.tag }}" | |
| generate_release_notes: true | |
| fail_on_unmatched_files: false | |
| body: | | |
| ## eDB ${{ steps.version.outputs.tag }} | |
| Python wheels + sdist published to PyPI (OIDC trusted publishing). | |
| Multi-arch Docker image published to ghcr.io. | |
| ### Integrity & supply-chain | |
| - `SHA256SUMS.txt` | |
| - `sbom.cdx.json` — CycloneDX SBOM | |
| - `sbom.spdx.json` — SPDX SBOM | |
| - `*.sig.bundle` — Sigstore cosign keyless signatures | |
| files: | | |
| dist/* | |
| dist/*.sig.bundle | |
| SHA256SUMS.txt | |
| sbom.cdx.json | |
| sbom.spdx.json | |
| prerelease: ${{ contains(steps.version.outputs.tag, 'rc') || contains(steps.version.outputs.tag, 'beta') }} |