3333 previous_tag : ${{ steps.run.outputs.previous_tag }}
3434 msi_name : ${{ steps.run.outputs.msi_name }}
3535 artifact_id : ${{ steps.run.outputs.artifact_id }}
36+ validation_run_id : ${{ steps.gate.outputs.validation_run_id }}
37+ src_tree_hash : ${{ steps.gate.outputs.src_tree_hash }}
3638 steps :
3739 - uses : actions/checkout@v7
3840 with :
@@ -48,12 +50,19 @@ jobs:
4850
4951 - uses : ./.github/actions/install-commitizen
5052
53+ - name : Require a passing validation for the merged source
54+ id : gate
55+ run : python .github/workflows/scripts/jobs.py release_gate
56+ env :
57+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
58+ PR_NUMBER : ${{ github.event.pull_request.number }}
59+
5160 - name : Bump version, tag, and push
5261 id : run
5362 run : python .github/workflows/scripts/jobs.py init
5463
55- build_binaries :
56- name : Build binaries
64+ fetch_binaries :
65+ name : Fetch validated binaries
5766 needs : init
5867 if : ${{ needs.init.outputs.bumped == 'true' }}
5968 runs-on : windows-latest
@@ -68,15 +77,17 @@ jobs:
6877
6978 - uses : ./.github/actions/setup-python
7079
71- - name : Fetch latest tag
72- run : git fetch origin main
73- shell : pwsh
74-
75- - uses : ./.github/actions/install-build-deps
80+ - name : Download the validated binaries
81+ uses : actions/download-artifact@v4
82+ with :
83+ name : validated_${{ needs.init.outputs.src_tree_hash }}
84+ path : artifacts
85+ github-token : ${{ secrets.GITHUB_TOKEN }}
86+ run-id : ${{ needs.init.outputs.validation_run_id }}
7687
77- - name : Hash and collect artifacts
88+ - name : Read hashes from the validated artifact
7889 id : run
79- run : python .github/workflows/scripts/jobs.py build_binaries
90+ run : python .github/workflows/scripts/jobs.py read_validated_hashes
8091
8192 - uses : actions/upload-artifact@v4
8293 with :
8596 if-no-files-found : error
8697 retention-days : ${{ env.ARTIFACT_RETENTION_DAYS }}
8798
88- test_binaries :
89- name : Test binaries
90- needs : [init, build_binaries]
91- if : ${{ needs.init.outputs.bumped == 'true' }}
92- runs-on : windows-latest
93- timeout-minutes : 10
94- steps :
95- - uses : actions/checkout@v7
96- with :
97- ref : main
98-
99- - uses : ./.github/actions/setup-python
100-
101- - uses : actions/download-artifact@v4
102- with :
103- name : build_${{ needs.init.outputs.artifact_id }}
104- path : artifacts
105-
106- - uses : ./.github/actions/install-test-deps
107-
108- - run : python .github/workflows/scripts/jobs.py test_binaries
109-
11099 upload_binaries :
111100 name : Upload binaries to virustotal
112- needs : [init, build_binaries ]
101+ needs : [init, fetch_binaries ]
113102 if : ${{ needs.init.outputs.bumped == 'true' }}
114103 runs-on : windows-latest
115104 timeout-minutes : 10
@@ -135,7 +124,7 @@ jobs:
135124
136125 changelog :
137126 name : Changelog
138- needs : [init, build_binaries ]
127+ needs : [init, fetch_binaries ]
139128 if : ${{ needs.init.outputs.bumped == 'true' }}
140129 runs-on : windows-latest
141130 timeout-minutes : 10
@@ -155,8 +144,8 @@ jobs:
155144 CURRENT_TAG : ${{ needs.init.outputs.current_tag }}
156145 PREVIOUS_TAG : ${{ needs.init.outputs.previous_tag }}
157146 MSI_NAME : ${{ needs.init.outputs.msi_name }}
158- MSI_HASH : ${{ needs.build_binaries .outputs.msi_hash }}
159- EXE_HASH : ${{ needs.build_binaries .outputs.exe_hash }}
147+ MSI_HASH : ${{ needs.fetch_binaries .outputs.msi_hash }}
148+ EXE_HASH : ${{ needs.fetch_binaries .outputs.exe_hash }}
160149
161150 - uses : actions/upload-artifact@v4
162151 with :
@@ -167,7 +156,7 @@ jobs:
167156
168157 publish_github :
169158 name : Publish to github
170- needs : [init, test_binaries , changelog]
159+ needs : [init, fetch_binaries , changelog]
171160 if : ${{ needs.init.outputs.bumped == 'true' }}
172161 runs-on : windows-latest
173162 timeout-minutes : 10
@@ -193,7 +182,7 @@ jobs:
193182
194183 publish_pypi :
195184 name : Publish to pypi
196- needs : [init, test_binaries ]
185+ needs : [init, fetch_binaries ]
197186 if : ${{ needs.init.outputs.bumped == 'true' }}
198187 runs-on : windows-latest
199188 timeout-minutes : 10