Prepare for 0.1.0 release #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Pipeline | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: 'Version to release (e.g., v1.0.0)' | |
| required: true | |
| type: string | |
| jobs: | |
| prepare-release: | |
| name: Prepare Release | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.get-version.outputs.version }} | |
| changelog: ${{ steps.get-changelog.outputs.changelog }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get version | |
| id: get-version | |
| run: | | |
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
| VERSION="${{ github.event.inputs.version }}" | |
| else | |
| VERSION=${GITHUB_REF#refs/tags/} | |
| fi | |
| echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
| - name: Get changelog | |
| id: get-changelog | |
| run: | | |
| # Extract changelog for this version | |
| if [[ -f docs/CHANGELOG.md ]]; then | |
| # Get content between version headers | |
| CHANGELOG=$(sed -n '/^## \[${{ steps.get-version.outputs.version }}\]/,/^## \[/p' docs/CHANGELOG.md | sed '$d') | |
| if [[ -z "$CHANGELOG" ]]; then | |
| CHANGELOG="See commit history for changes." | |
| fi | |
| else | |
| CHANGELOG="See commit history for changes." | |
| fi | |
| echo "changelog<<EOF" >> $GITHUB_OUTPUT | |
| echo "$CHANGELOG" >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| build-and-test: | |
| name: Build and Test | |
| runs-on: ubuntu-latest | |
| needs: prepare-release | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.11 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e .[dev] | |
| - name: Run full test suite | |
| run: | | |
| pytest --cov=src --cov-report=xml tests/ | |
| - name: Run type checking | |
| run: | | |
| mypy src/ --strict | |
| - name: Run linting | |
| run: | | |
| ruff check src/ tests/ | |
| ruff format --check src/ tests/ | |
| - name: Build package | |
| run: | | |
| python -m build | |
| - name: Test package installation | |
| run: | | |
| pip install dist/*.whl | |
| aletheia-probe --help | |
| - name: Archive build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: release-artifacts | |
| path: | | |
| dist/ | |
| coverage.xml | |
| security-scan: | |
| name: Security Scan for Release | |
| runs-on: ubuntu-latest | |
| needs: prepare-release | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.11 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e .[dev] bandit safety | |
| - name: Run security scans | |
| run: | | |
| bandit -r src/ -ll | |
| safety check | |
| create-release: | |
| name: Create GitHub Release | |
| runs-on: ubuntu-latest | |
| needs: [prepare-release, build-and-test, security-scan] | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: release-artifacts | |
| path: ./artifacts | |
| - name: Create Release | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| tag_name: ${{ needs.prepare-release.outputs.version }} | |
| name: Release ${{ needs.prepare-release.outputs.version }} | |
| body: ${{ needs.prepare-release.outputs.changelog }} | |
| files: | | |
| ./artifacts/dist/* | |
| draft: false | |
| prerelease: ${{ contains(needs.prepare-release.outputs.version, '-') }} | |
| publish-pypi: | |
| name: Publish to PyPI | |
| runs-on: ubuntu-latest | |
| needs: [prepare-release, create-release] | |
| environment: production | |
| permissions: | |
| id-token: write # For trusted publishing | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python 3.11 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install build twine | |
| - name: Build package | |
| run: | | |
| python -m build | |
| - name: Publish to PyPI | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| # Disabled until docker is completely supported | |
| # publish-docker: | |
| # name: Publish Docker Image | |
| # runs-on: ubuntu-latest | |
| # needs: [prepare-release, create-release] | |
| # permissions: | |
| # contents: read | |
| # packages: write | |
| # | |
| # steps: | |
| # - uses: actions/checkout@v4 | |
| # | |
| # - name: Set up Docker Buildx | |
| # uses: docker/setup-buildx-action@v3 | |
| # | |
| # - name: Log in to GitHub Container Registry | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # registry: ghcr.io | |
| # username: ${{ github.actor }} | |
| # password: ${{ secrets.GITHUB_TOKEN }} | |
| # | |
| # - name: Extract metadata | |
| # id: meta | |
| # uses: docker/metadata-action@v5 | |
| # with: | |
| # images: ghcr.io/${{ github.repository }} | |
| # tags: | | |
| # type=ref,event=tag | |
| # type=semver,pattern={{version}} | |
| # type=semver,pattern={{major}}.{{minor}} | |
| # type=raw,value=latest,enable={{is_default_branch}} | |
| # | |
| # - name: Build and push Docker image | |
| # uses: docker/build-push-action@v5 | |
| # with: | |
| # context: . | |
| # platforms: linux/amd64,linux/arm64 | |
| # push: true | |
| # tags: ${{ steps.meta.outputs.tags }} | |
| # labels: ${{ steps.meta.outputs.labels }} | |
| # cache-from: type=gha | |
| # cache-to: type=gha,mode=max |