chore: rework CI and release configuration (#33)

agriyakhetarpal · web-flow · commit f5606df44b4d · 2024-09-19T18:22:07.000+05:30
## Description In this PR: - We shall now use GitHub Releases in favour of tags to create our distribution artifacts - The wheel build and push jobs have been moved to a separate workflow - The GHA Artifact Attestations feature is used to verify build provenance - Additionally, the `check_integration_test.sh` trigger was moved to the workflow file itself. This is a slight rework of our workflow(s) ahead of the 0.29 release planned in #31.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,4 +1,4 @@
-name: main
+name: CI
 
 on:
   push:
@@ -9,33 +9,6 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
-      - name: Setup Python
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
-        with:
-          python-version: "3.12"
-
-      - name: Set up Node.js
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
-        with:
-          node-version: "20"
-
-      - name: Build
-        run: |
-          python -m pip install build
-          python -m build .
-
-      - name: Store the distribution packages
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
-        with:
-          name: python-package-distributions
-          path: dist/
-          if-no-files-found: error
-
   test:
     runs-on: ubuntu-latest
     steps:
@@ -78,7 +51,18 @@ jobs:
 
       - id: check-integration-test-trigger
         name: Check integration test trigger
-        run: bash tools/check_integration_test_trigger.sh
+        shell: bash
+        run: |
+          set -e -x
+
+          COMMIT_MSG=$(git log --no-merges -1 --oneline)
+
+          # The integration tests will be triggered on push or on pull_request when the commit
+          # message contains "[integration]"
+          if [[ "$GITHUB_EVENT_NAME" == push ||
+                "$COMMIT_MSG" =~ \[integration\] ]]; then
+              echo "trigger=true" >> "$GITHUB_OUTPUT"
+          fi
 
   integration-test:
     runs-on: ubuntu-latest
@@ -119,24 +103,3 @@ jobs:
         run: |
           cd integration_tests
           make test-recipe
-
-  publish:
-    name: Publish to PyPI
-    needs:
-      - build
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
-    environment:
-      name: pypi
-      url: https://pypi.org/p/pyodide-build
-    permissions:
-      id-token: write # IMPORTANT: mandatory for trusted publishing
-    steps:
-      - name: Download all the dists
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          path: dist/
-          merge-multiple: true
-
-      - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,58 @@
+name: CD
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * 1"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup Python
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+        with:
+          python-version: "3.12"
+
+      - name: Build
+        run: |
+          python -m pip install build
+          python -m build .
+
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: python-package-distributions
+          path: dist/
+          if-no-files-found: error
+
+  publish:
+    name: Publish to PyPI
+    needs: [build]
+    runs-on: ubuntu-latest
+    if: github.event_name == 'release' && github.event.action == 'published'
+    environment:
+      name: pypi
+      url: https://pypi.org/p/pyodide-build
+    permissions:
+      id-token: write # IMPORTANT: mandatory for trusted publishing
+      attestations: write
+      contents: read
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          path: dist/
+          merge-multiple: true
+
+      - name: Generate artifact attestations
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-path: "dist/*"
+
+      - name: Publish distribution 📦 to PyPI
+        uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1
diff --git a/tools/check_integration_test_trigger.sh b/tools/check_integration_test_trigger.sh
