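---
# Release workflow: runs on manual dispatch and on every push to main. It calls the build lane, publishes the built
# package to PyPI, calls the release engine, then refreshes the in-repo Guix and Nix package definitions via PRs.
#
# NOTE(review): no workflow-level `permissions:` block is declared. publish-pypi, guix and nix set their own; `build`
# and `release` call reusable workflows and set none here, so the token permissions available to them are bounded only
# by the repository default and by whatever the called workflows declare (not visible in this file).
name: π Build & release
"on":
  workflow_dispatch:
  push:
    branches:
      - main

jobs:

  # The reusable workflows and the publish action below are all pinned to the same full commit SHA, with the
  # human-readable version kept in the trailing comment.
  build:
    uses: kdeldycke/repomatic/.github/workflows/_release-build.yaml@9b9fa8a1d838c1f28bb9d0bb82fa67084b8a2ca7 # v6.26.0

  publish-pypi:
    name: π Publish to PyPI (${{ matrix.short_sha }})
    needs: build
    # Gate decoupled from the run's overall result: always() lets this job run even when an unrelated job (like binary
    # tests in the engine lane) failed the run, and package_built confirms the wheel actually built, so a cleanly-built
    # wheel still publishes. Both signals come from the build lane (_release-build.yaml).
    # NOTE(review): always() is also true for a cancelled run, so cancelling the workflow once the build lane has
    # finished does not stop this upload. If a cancel should abort publishing, `!cancelled()` is the usual
    # replacement; confirm which behaviour is intended.
    if: >-
      always()
      && needs.build.outputs.package_built == 'true'
      && needs.build.outputs.release_commits_matrix
    strategy:
      # GitHub evaluates `strategy.matrix` during job setup even when `if:` will skip the job. On a non-release push
      # the build lane emits an empty string for `release_commits_matrix` (not "null": see its output description for
      # why). A bare `fromJSON('')` aborts the whole run with "Unexpected value ''", so we fall back to an empty
      # `{"include":[]}` matrix, which expands the job to zero runs and skips it cleanly.
      matrix: ${{ fromJSON(needs.build.outputs.release_commits_matrix || '{"include":[]}') }}
    runs-on: ubuntu-slim
    permissions:
      # Lets the job request an OIDC token; the upload step below is described as an OIDC upload.
      id-token: write
      # Lets the admonition step below edit the published release notes.
      # NOTE(review): job-level permissions apply to every step, so the upload step also holds `contents: write` and
      # the notes-edit step also runs where OIDC tokens can be requested. Splitting the notes edit into its own job
      # would keep each token to a single purpose.
      contents: write
    steps:
      - uses: kdeldycke/repomatic/.github/actions/publish-pypi@9b9fa8a1d838c1f28bb9d0bb82fa67084b8a2ca7 # v6.26.0
        with:
          artifact-name: ${{ github.event.repository.name }}-${{ matrix.short_sha }}
      # Backfill the "available on PyPI" admonition onto the release notes after a successful OIDC upload. The engine
      # lane publishes the GitHub release without it (it cannot yet know the PyPI outcome). continue-on-error keeps a
      # notes-edit hiccup from failing an upload that already succeeded.
      - name: Add PyPI admonition to release notes
        continue-on-error: true
        env:
          # Prefers the REPOMATIC_PAT secret and falls back to the job token.
          # NOTE(review): when the PAT is used, the `permissions:` block above does not limit it; only the PAT's own
          # scopes do. Confirm it is scoped no wider than the jobs that receive it need.
          GH_TOKEN: ${{ secrets.REPOMATIC_PAT || github.token }}
          CURRENT_VERSION: ${{ matrix.current_version }}
          RELEASE_NOTES: ${{ needs.build.outputs.release_notes_with_admonition }}
        # The version and notes arrive through env vars and the repository through the runner-provided
        # GITHUB_REPOSITORY variable, so no `${{ }}` expression is expanded inside the script text itself.
        run: >
          gh release edit "v${CURRENT_VERSION}"
          --notes-file -
          --repo "${GITHUB_REPOSITORY}" <<< "${RELEASE_NOTES}"

  release:
    uses: kdeldycke/repomatic/.github/workflows/_release-engine.yaml@9b9fa8a1d838c1f28bb9d0bb82fa67084b8a2ca7 # v6.26.0
    needs: build
    # Only the two secrets named here are handed to the called workflow (no `secrets: inherit`).
    secrets:
      REPOMATIC_PAT: ${{ secrets.REPOMATIC_PAT }}
      VIRUSTOTAL_API_KEY: ${{ secrets.VIRUSTOTAL_API_KEY }}

  # Prepare a Guix package definition after the release job. Unlike Homebrew, Scoop,
  # NixOS, and AUR, the Guix definition is maintained in this repo (see packaging/guix/).
  # Guix packages live on Codeberg and require reviewed PRs, so this job only updates the
  # local definition and opens a PR.
  guix:
    name: π Guix
    needs: release
    runs-on: ubuntu-24.04
    # Write access is needed to push the release branch and to open or edit the PR.
    permissions:
      contents: write
      pull-requests: write
    steps:
      # Default checkout settings are used; the `git push` in the last step relies on the credentials it sets up.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # Compares the latest published release tag (read from the public API, without a token) with the version
      # recorded in the Guix definition. The tag ends up in the `version` output and, through env vars only, in the
      # commit message and PR title of the later steps.
      - name: Check for new release
        id: check
        run: |
          latest=$(
            curl --silent --fail \
              https://api.github.com/repos/kdeldycke/meta-package-manager/releases/latest \
              | python3 -c "import json, sys; print(json.load(sys.stdin)['tag_name'].lstrip('v'))"
          )
          current=$(
            grep --only-matching --perl-regexp '\(version "\K[^"]+' \
              packaging/guix/meta-package-manager.scm
          )
          if [ "${latest}" = "${current}" ]; then
            echo "Latest release ${latest} already matches definition. Skipping."
            echo "skip=true" >> "${GITHUB_OUTPUT}"
          else
            echo "New release found: ${latest} (definition has ${current})."
            echo "skip=false" >> "${GITHUB_OUTPUT}"
            echo "version=${latest}" >> "${GITHUB_OUTPUT}"
          fi
      - name: Update package definition to latest release
        if: steps.check.outputs.skip != 'true'
        run: python3 packaging/guix/update.py
      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        if: steps.check.outputs.skip != 'true'
      # NOTE(review): repomatic is fetched from the package index at run time, pinned by version only (no hash), in
      # a job whose token has contents and pull-requests write access. 6.25.1 also differs from the v6.26.0 pin used
      # for the reusable workflows above; confirm the lag is intentional.
      - name: Render PR body
        if: steps.check.outputs.skip != 'true'
        env:
          VERSION: ${{ steps.check.outputs.version }}
        run: >
          uvx --no-progress 'repomatic==6.25.1' pr-body
          --template-file .github/pr-templates/update-package-spec.md
          --template-arg channel=Guix
          --template-arg version="${VERSION}"
          --template-arg spec_path=packaging/guix/
          --output body.md
      # `checkout -B` recreates the branch from the current HEAD and the force push overwrites whatever is on the
      # remote, so `guix/release` is treated as a branch owned by this job. An open PR for it is edited in place;
      # otherwise a new one is created.
      - name: Open PR with updated packaging files
        if: steps.check.outputs.skip != 'true'
        env:
          VERSION: ${{ steps.check.outputs.version }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          branch="guix/release"
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -B "${branch}"
          git add --update packaging/guix/
          git commit --message "Update Guix package definition to v${VERSION}"
          git push --force --set-upstream origin "${branch}"
          existing=$(gh pr list --head "${branch}" --state open --json number --jq '.[0].number')
          if [ -n "${existing}" ]; then
            gh pr edit "${existing}" \
              --title "Update Guix package definition to v${VERSION}" \
              --body-file body.md \
              --add-label "π¦ manager: guix"
          else
            gh pr create \
              --title "Update Guix package definition to v${VERSION}" \
              --body-file body.md \
              --label "π¦ manager: guix"
          fi

  # Prepare a Nix package definition after the release job. Unlike Homebrew, Scoop,
  # and AUR, the Nix definition is maintained in this repo (see packaging/nix/) while
  # NixOS/nixpkgs#506145 is pending review. This job only updates the local definition
  # and opens a PR.
  nix:
    name: βοΈ Nix
    needs: release
    runs-on: ubuntu-24.04
    # Write access is needed to push the release branch and to open or edit the PR.
    permissions:
      contents: write
      pull-requests: write
    steps:
      # Default checkout settings are used; the `git push` in the last step relies on the credentials it sets up.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # NOTE(review): this is the only action in the file referenced by a mutable tag; every other `uses:` is pinned
      # to a full commit SHA. It runs in a job with contents and pull-requests write access, so pin it the same way:
      # `cachix/install-nix-action@<FULL_COMMIT_SHA> # v31` (placeholder, take the SHA from the upstream v31 tag).
      - uses: cachix/install-nix-action@v31
      # Compares the latest published release tag (read from the public API, without a token) with the first
      # `version = "..."` match in the Nix definition. The tag ends up in the `version` output and, through env vars
      # only, in the commit message and PR title of the later steps.
      - name: Check for new release
        id: check
        run: |
          latest=$(
            curl --silent --fail \
              https://api.github.com/repos/kdeldycke/meta-package-manager/releases/latest \
              | python3 -c "import json, sys; print(json.load(sys.stdin)['tag_name'].lstrip('v'))"
          )
          current=$(
            grep --only-matching --perl-regexp 'version = "\K[^"]+' \
              packaging/nix/package.nix \
              | head --lines=1
          )
          if [ "${latest}" = "${current}" ]; then
            echo "Latest release ${latest} already matches definition. Skipping."
            echo "skip=true" >> "${GITHUB_OUTPUT}"
          else
            echo "New release found: ${latest} (definition has ${current})."
            echo "skip=false" >> "${GITHUB_OUTPUT}"
            echo "version=${latest}" >> "${GITHUB_OUTPUT}"
          fi
      - name: Update package definition to latest release
        if: steps.check.outputs.skip != 'true'
        run: python3 packaging/nix/update.py
      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        if: steps.check.outputs.skip != 'true'
      # NOTE(review): repomatic is fetched from the package index at run time, pinned by version only (no hash), in
      # a job whose token has contents and pull-requests write access. 6.25.1 also differs from the v6.26.0 pin used
      # for the reusable workflows above; confirm the lag is intentional.
      - name: Render PR body
        if: steps.check.outputs.skip != 'true'
        env:
          VERSION: ${{ steps.check.outputs.version }}
        run: >
          uvx --no-progress 'repomatic==6.25.1' pr-body
          --template-file .github/pr-templates/update-package-spec.md
          --template-arg channel=Nix
          --template-arg version="${VERSION}"
          --template-arg spec_path=packaging/nix/
          --output body.md
      # `checkout -B` recreates the branch from the current HEAD and the force push overwrites whatever is on the
      # remote, so `nix/release` is treated as a branch owned by this job. An open PR for it is edited in place;
      # otherwise a new one is created.
      - name: Open PR with updated packaging files
        if: steps.check.outputs.skip != 'true'
        env:
          VERSION: ${{ steps.check.outputs.version }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          branch="nix/release"
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -B "${branch}"
          git add --update packaging/nix/
          git commit --message "Update Nix package definition to v${VERSION}"
          git push --force --set-upstream origin "${branch}"
          existing=$(gh pr list --head "${branch}" --state open --json number --jq '.[0].number')
          if [ -n "${existing}" ]; then
            gh pr edit "${existing}" \
              --title "Update Nix package definition to v${VERSION}" \
              --body-file body.md \
              --add-label "π¦ manager: nix"
          else
            gh pr create \
              --title "Update Nix package definition to v${VERSION}" \
              --body-file body.md \
              --label "π¦ manager: nix"
          fi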