-
Notifications
You must be signed in to change notification settings - Fork 10
169 lines (146 loc) · 5.62 KB
/
Copy pathdev-pypi.yml
File metadata and controls
169 lines (146 loc) · 5.62 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
name: TestPyPI Publishing
# SECURITY NOTE: This workflow uses PyPI Trusted Publishing (OIDC)
# No API tokens required - authentication is handled automatically via GitHub's OIDC token
#
# This workflow publishes to TestPyPI ONLY for development testing.
# Production releases to PyPI are handled by prod-release.yml
#
# Prerequisites:
# 1. Configure trusted publisher on TestPyPI: https://test.pypi.org/manage/account/publishing/
# 2. See docs/deployment/pypi-setup.md for detailed setup instructions
env:
# Comment trigger words for package publishing
PUBLISH_TRIGGERS: "/package"
on:
# Trigger only after Unit Tests pass so TestPyPI always receives a package
# that has passed the quality gate. Using a single sentinel workflow avoids
# the double-fire that occurs when multiple entries in the workflows list
# complete independently on the same push — both would fire and the second
# publish attempt would fail with "version already exists".
# Unit Tests is the right sentinel: it is the comprehensive per-push gate
# and its completion implies the Quality Checks gate ran first (via needs).
workflow_run:
workflows: ["Unit Tests"]
types: [completed]
branches: [main]
workflow_dispatch:
inputs:
force:
description: 'Force publish even if version exists'
required: false
default: false
type: boolean
concurrency:
group: "pypi-publishing"
cancel-in-progress: false
jobs:
config:
name: Get Configuration
runs-on: ubuntu-latest
timeout-minutes: 10
if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
outputs:
default-python-version: ${{ steps.config.outputs.default-python-version }}
package-version: ${{ steps.config.outputs.package-version }}
pypi-name: ${{ steps.config.outputs.pypi-name }}
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Get project configuration
id: config
uses: ./.github/actions/get-config
publish:
name: Build and Publish Package
runs-on: ubuntu-latest
timeout-minutes: 30
needs: [config]
environment:
name: testpypi
url: https://test.pypi.org/p/${{ needs.config.outputs.pypi-name }}
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
contents: read # needed to checkout code
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.sha }}
- name: Determine version and target
run: |
{
echo "VERSION=${{ needs.config.outputs.package-version }}"
echo "TARGET=testpypi"
} >> "$GITHUB_ENV"
echo "Publishing to: TestPyPI with version: $VERSION"
- name: Setup Python and UV
uses: ./.github/actions/setup-uv-cached
with:
cache-key: deps-${{ needs.config.outputs.default-python-version }}-${{ hashFiles('.project.yml', 'pyproject.toml', 'requirements*.txt') }}
fail-on-cache-miss: false
- name: Setup Bun (for UI static bundle)
uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f4b11 # v2
with:
bun-version: "1.2.15" # pinned; update intentionally to avoid surprise breakage
- name: Build UI static bundle
run: make ui-build
- name: Build package
run: |
make build-with-version
- name: Check package
run: |
make test-install-only
- name: Publish to Test PyPI
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
with:
repository-url: https://test.pypi.org/legacy/
verbose: true
skip-existing: true
packages-dir: dist/
- name: Create deployment summary
run: |
{
echo "## Packages Published Successfully"
echo ""
echo "**Environment:** Test PyPI"
echo "**Installation (orb-py):** \`pip install --index-url https://test.pypi.org/simple/ ${{ needs.config.outputs.pypi-name }}\`"
echo "**Installation (k8s-legacy extra):** \`pip install --index-url https://test.pypi.org/simple/ ${{ needs.config.outputs.pypi-name }}[k8s-legacy]\`"
echo ""
echo "**Version:** $VERSION"
echo "**Commands:**"
echo "- \`orb --help\`"
} >> "$GITHUB_STEP_SUMMARY"
generate-sbom:
name: Generate SBOM
runs-on: ubuntu-latest
timeout-minutes: 20
needs: [config, publish]
permissions:
contents: write
actions: write
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Setup Python and UV
uses: ./.github/actions/setup-uv-cached
with:
cache-key: deps-${{ needs.config.outputs.default-python-version }}-${{ hashFiles('.project.yml', 'pyproject.toml', 'requirements*.txt') }}
fail-on-cache-miss: false
- name: Generate SBOM files
run: |
make ci-build-sbom
- name: Upload SBOM artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: reports-sbom-${{ needs.config.outputs.package-version }}
path: |
python-sbom-cyclonedx.json
python-sbom-spdx.json
retention-days: 180
- name: Upload SBOM to GitHub dependency graph
uses: advanced-security/spdx-dependency-submission-action@169d22427d74f3faf93504e70b03eede8dab272a # v0.2.0
if: always()
with:
filePath: "."
filePattern: "python-sbom-spdx.json"
continue-on-error: true