extra-platforms/.github/workflows/release.yaml at main · kdeldycke/extra-platforms · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
---
name: 🚀 Build & release
"on":
  workflow_dispatch:
  push:
    branches:
      - main

jobs:

  build:
    uses: kdeldycke/repomatic/.github/workflows/_release-build.yaml@90400f1be5e7a4df843b83a02dd1672cfbaccfb6 # v6.27.0

  publish-pypi:
    name: 🐍 Publish to PyPI (${{ matrix.short_sha }})
    needs: build
    # Gate decoupled from the run's overall result: always() lets this job run even when an unrelated job (like binary
    # tests in the engine lane) failed the run, and package_built confirms the wheel actually built, so a cleanly-built
    # wheel still publishes. Both signals come from the build lane (_release-build.yaml).
    if: >-
      always()
      && needs.build.outputs.package_built == 'true'
      && needs.build.outputs.release_commits_matrix
    strategy:
      # GitHub evaluates `strategy.matrix` during job setup even when `if:` will skip the job. On a non-release push
      # the build lane emits an empty string for `release_commits_matrix` (not "null": see its output description for
      # why). A bare `fromJSON('')` aborts the whole run with "Unexpected value ''", so we fall back to an empty
      # `{"include":[]}` matrix, which expands the job to zero runs and skips it cleanly.
      matrix: ${{ fromJSON(needs.build.outputs.release_commits_matrix || '{"include":[]}') }}
    runs-on: ubuntu-slim
    permissions:
      id-token: write
      # Lets the admonition step below edit the published release notes.
      contents: write
    steps:
      - uses: kdeldycke/repomatic/.github/actions/publish-pypi@90400f1be5e7a4df843b83a02dd1672cfbaccfb6 # v6.27.0
        with:
          artifact-name: ${{ github.event.repository.name }}-${{ matrix.short_sha }}
      # Backfill the "available on PyPI" admonition onto the release notes after a successful OIDC upload. The engine
      # lane publishes the GitHub release without it (it cannot yet know the PyPI outcome). continue-on-error keeps a
      # notes-edit hiccup from failing an upload that already succeeded.
      - name: Add PyPI admonition to release notes
        continue-on-error: true
        env:
          GH_TOKEN: ${{ secrets.REPOMATIC_PAT || github.token }}
          CURRENT_VERSION: ${{ matrix.current_version }}
          RELEASE_NOTES: ${{ needs.build.outputs.release_notes_with_admonition }}
        run: >
          gh release edit "v${CURRENT_VERSION}"
          --notes-file -
          --repo "${{ github.repository }}" <<< "${RELEASE_NOTES}"

  release:
    uses: kdeldycke/repomatic/.github/workflows/_release-engine.yaml@90400f1be5e7a4df843b83a02dd1672cfbaccfb6 # v6.27.0
    needs: build
    secrets:
      REPOMATIC_PAT: ${{ secrets.REPOMATIC_PAT }}
      VIRUSTOTAL_API_KEY: ${{ secrets.VIRUSTOTAL_API_KEY }}