Merge pull request #336 from nasa/dependabot/uv/nbconvert-7.17.1

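---
# Version and Build
#
# Runs on protected branches only. Flow:
#   integration_tests (develop / release only)
#     -> build: detect PR-merge commit, bump version, commit + tag, build sdist/wheel,
#        optionally publish to Test PyPI
#     -> snyk-monitor (develop / main / release) and docker (develop / release)
#
# Security notes for maintainers:
#   * The workflow runs with a read-only GITHUB_TOKEN by default; only the jobs
#     that must push commits/tags or packages are granted write scopes.
#   * Untrusted-ish values (inputs, step outputs) are passed to shell steps via
#     `env:` rather than being interpolated with ${{ }} into the script text, so
#     they cannot change the shape of the command that runs.
name: Version and Build

on:
  # Only run on protected branches (not feature/issue/docs branches)
  push:
    branches: [develop, main, 'release/**', 'hotfix/**']
  workflow_dispatch:
    inputs:
      force_bump:
        description: 'Force version bump even if not a PR merge'
        required: false
        type: boolean
        default: false

# Least privilege for every job unless it opts in below.
permissions:
  contents: read

env:
  PYTHON_VERSION: "3.12"

jobs:
  # Run integration tests on protected branches (unit tests already ran in PR)
  integration_tests:
    # Only run on develop and release branches
    if: |
      github.ref == 'refs/heads/develop' ||
      startsWith(github.ref, 'refs/heads/release/')
    uses: ./.github/workflows/integration-tests.yml
    # Secrets are passed explicitly (not `secrets: inherit`) so the reusable
    # workflow only sees what it needs.
    secrets:
      codecov_token: ${{ secrets.CODECOV_TOKEN }}
      DEK_EDL_USER: ${{ secrets.DEK_EDL_USER }}
      DEK_EDL_PASSWORD: ${{ secrets.DEK_EDL_PASSWORD }}

  # Main build job
  build:
    needs: [integration_tests]
    # Run this job even if integration_tests was skipped (for branches like main that don't run them)
    # but require success if integration tests did run
    if: always() && (needs.integration_tests.result == 'success' || needs.integration_tests.result == 'skipped')
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # contents: write is required to push the version-bump commit and the tag.
    # This job publishes nothing to GitHub Packages, so `packages: write` is not
    # granted here; the docker job requests it separately.
    permissions:
      contents: write
    outputs:
      version: ${{ steps.version.outputs.version }}
      venue: ${{ steps.version.outputs.venue }}
      should_publish: ${{ steps.version.outputs.publish }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Need history for auto-bump script
          # persist-credentials is left at its default (true) on purpose: the
          # "Commit version bump" and "Create Git tag" steps push with the
          # workflow token.

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Set up uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
          cache-dependency-path: "pyproject.toml"

      - name: Install bump-my-version
        # NOTE(review): this installs whatever version is current on PyPI at run
        # time. Pinning (`bump-my-version==X.Y.Z`) or adding it to the locked
        # dev extras would make the release tooling reproducible.
        run: uv pip install --system bump-my-version

      - name: Configure git
        run: |
          git config user.name "stitchee-bot"
          git config user.email "stitchee@noreply.github.com"

      - name: Check if this is a PR merge
        id: check_merge
        env:
          # Empty on `push` events; "true"/"false" on workflow_dispatch.
          FORCE_BUMP: ${{ inputs.force_bump }}
        run: |
          # Check if the commit message indicates a PR merge
          COMMIT_MSG=$(git log -1 --pretty=%B)
          if [[ "$COMMIT_MSG" =~ ^Merge\ pull\ request ]] || [[ "$FORCE_BUMP" == "true" ]]; then
            echo "is_merge=true" >> "$GITHUB_OUTPUT"
            echo "✅ This is a PR merge commit or force_bump=true"
          else
            echo "is_merge=false" >> "$GITHUB_OUTPUT"
            echo "ℹ️ This is a direct push (not a PR merge), skipping version bump"
          fi

      - name: Bump version
        id: version
        env:
          IS_MERGE: ${{ steps.check_merge.outputs.is_merge }}
        run: |
          if [[ "$IS_MERGE" == "true" ]]; then
            # scripts/version_bump.sh is expected to write version, venue,
            # publish and already_committed to $GITHUB_OUTPUT (the commit step
            # below gates on already_committed == 'false') — confirm against
            # the script if that contract changes.
            BRANCH="${GITHUB_REF#refs/heads/}"
            bash scripts/version_bump.sh "$BRANCH"
          else
            # Not a PR merge, just capture current version without bumping
            CURRENT=$(bump-my-version show current_version)
            BRANCH="${GITHUB_REF#refs/heads/}"
            # Determine venue based on branch
            case "$BRANCH" in
              develop) VENUE=sit ;;
              main) VENUE=ops ;;
              release/*) VENUE=uat ;;
              hotfix/*) VENUE=ops ;;
              *) VENUE=dev ;;
            esac
            echo "version=$CURRENT" >> "$GITHUB_OUTPUT"
            echo "venue=$VENUE" >> "$GITHUB_OUTPUT"
            echo "publish=false" >> "$GITHUB_OUTPUT"
            echo "already_committed=true" >> "$GITHUB_OUTPUT"
            echo "📌 Current version: $CURRENT (no bump)"
          fi

      - name: Commit version bump
        if: |
          steps.check_merge.outputs.is_merge == 'true' &&
          steps.version.outputs.already_committed == 'false' && (
            github.ref == 'refs/heads/develop' ||
            github.ref == 'refs/heads/main' ||
            startsWith(github.ref, 'refs/heads/release/') ||
            startsWith(github.ref, 'refs/heads/hotfix/')
          )
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          if [[ -n $(git status -s) ]]; then
            # [skip ci] is belt-and-braces: pushes made with GITHUB_TOKEN do not
            # trigger new workflow runs anyway.
            git commit -am "Bump version to ${VERSION} [skip ci]"
            git push || {
              echo "❌ Failed to push to remote"
              exit 1
            }
            echo "✅ Version bumped and committed"
          else
            echo "ℹ️ No version changes to commit"
          fi

      - name: Create Git tag
        if: |
          steps.check_merge.outputs.is_merge == 'true' && (
            github.ref == 'refs/heads/develop' ||
            github.ref == 'refs/heads/main' ||
            startsWith(github.ref, 'refs/heads/release/')
          )
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          # Refuse to tag an empty version: a missing step output would
          # otherwise produce `git tag -a ""` and an unhelpful error.
          if [[ -z "$VERSION" ]]; then
            echo "❌ No version available to tag"
            exit 1
          fi
          git tag -a "$VERSION" -m "Version $VERSION"
          git push origin "$VERSION"
          echo "✅ Tagged $VERSION"

      - name: Install dependencies
        run: uv sync --extra dev --extra harmony --frozen

      - name: Build package
        run: uv build

      - name: Upload Python artifact
        uses: actions/upload-artifact@v7
        with:
          name: python-artifact
          path: dist/*

      - name: Publish to Test PyPI
        if: steps.check_merge.outputs.is_merge == 'true' && steps.version.outputs.publish == 'true'
        # NOTE(review): this uses a long-lived API token. PyPI/Test PyPI trusted
        # publishing (OIDC, `id-token: write` on this job, `uv publish` with
        # `--trusted-publishing always`) removes the stored secret entirely.
        env:
          UV_PUBLISH_TOKEN: ${{ secrets.PYPI_TOKEN_TESTPYPI }}
        run: uv publish --publish-url https://test.pypi.org/legacy/

  # Monitor security status in Snyk dashboard (after successful merge)
  snyk-monitor:
    needs: build
    if: |
      github.ref == 'refs/heads/develop' ||
      github.ref == 'refs/heads/main' ||
      startsWith(github.ref, 'refs/heads/release/')
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # This job never pushes; do not leave the token in .git/config where
          # a third-party action (Snyk below) could read it.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
          cache-dependency-path: "pyproject.toml"

      - name: Install dependencies
        run: uv sync --extra dev --extra harmony --frozen

      - name: Update Snyk monitoring dashboard
        # NOTE(review): `@master` is a mutable ref — a compromised upstream
        # branch would run here with SNYK_TOKEN and the repo checkout. Pin to
        # a full commit SHA (with a `# vX.Y.Z` comment) like the other actions
        # in this file are pinned to major tags.
        uses: snyk/actions/python@master
        continue-on-error: true # Don't block if monitoring fails
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          args: >
            --org=${{ secrets.SNYK_ORG_ID }}
            --project-name=${{ github.repository }}
            --project-tags=branch=${{ github.ref_name }},venue=${{ needs.build.outputs.venue }}

  # Build and push Docker images for develop and release branches
  docker:
    needs: build
    if: |
      github.ref == 'refs/heads/develop' ||
      startsWith(github.ref, 'refs/heads/release/')
    uses: ./.github/workflows/docker-build.yml
    # The reusable workflow runs with the permissions granted here (the
    # workflow-level default is read-only). `packages: write` is granted on the
    # assumption that docker-build.yml pushes to GitHub Packages/GHCR — adjust
    # if it publishes to a different registry.
    permissions:
      contents: read
      packages: write
    with:
      version: ${{ needs.build.outputs.version }}
      venue: ${{ needs.build.outputs.venue }}
      push: true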