parsons/.github/workflows/release.yml at fc4e4b7e15657cb832fad81f0a2ffa8b6ac8ab38 · move-coop/parsons · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: Build, test, & publish

on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main
      - major-release
  release:
    types:
      - published

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest

    env:
      CACHE_GLOBS: |
        **/pyproject.toml
        **/requirements*.txt
        **/setup.py
        **/uv.lock

    steps:
      - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
        with:
          disable-sudo: true
          egress-policy: audit

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
        with:
          python-version: 3.13
          activate-environment: true
          cache-dependency-glob: ${{ env.CACHE_GLOBS }}

      - run: >-
          uv sync
          --upgrade
          --all-extras

      - run: >-
          uv build
          --sdist

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
        with:
          name: parsons-dist
          path: dist/

  test:
    needs: build

    strategy:
      fail-fast: false
      matrix:
        python-version:
          - '3.10'
          - '3.11'
          - '3.12'
          - '3.13'
        os:
          - ubuntu-latest
          - windows-latest
          - macos-latest

    runs-on: ${{ matrix.os }}

    steps:
      - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
        with:
          disable-sudo: true
          egress-policy: audit

      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
        with:
          name: parsons-dist
          path: dist

      - shell: bash
        run: |
          file=$(find ./dist -name 'parsons-*.tar.gz' | head -1)

          # Extract to a temp directory first
          mkdir -p temp_extract
          tar -xzf "$file" -C temp_extract

          # Find and move requirements files to root
          find temp_extract -name 'requirements.txt' -exec cp {} . \; 2>/dev/null || true

          # Clean up
          rm -rf temp_extract

      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
            python-version: ${{ matrix.python-version }}
            cache: pip

      - shell: bash
        run: |
          file=$(find ./dist -name 'parsons-*.tar.gz' | head -1)
          pip install "$file"

  publish:
    if: github.repository_owner == 'move-coop' && github.event_name == 'release' && github.event.action == 'published'
    needs: test

    runs-on: ubuntu-latest
    environment: release

    permissions:
      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing

    steps:
      - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
        with:
          disable-sudo: true
          egress-policy: audit

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
        with:
          name: parsons-dist
          path: dist

      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
        with:
          verify-metadata: true
          skip-existing: true
          packages-dir: dist
          verbose: true