Skip to content

chore: revert back to info for validation of whether actions can appr… #126

chore: revert back to info for validation of whether actions can appr…

chore: revert back to info for validation of whether actions can appr… #126

Workflow file for this run

name: Publish
on:
push:
branches:
# we publish to Test PyPI on pushes to the main branch
- "main"
tags:
- "v*"
env:
REGISTRY: 'ghcr.io'
IMAGE_NAME: ${{ github.repository }}
PYTHON_VERSION: '3.12'
POETRY_VERSION: '1.8.5'
permissions:
contents: read
concurrency:
group: publish-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
jobs:
prepare:
if: github.repository == 'eclipse-csi/otterdog'
runs-on: ubuntu-22.04
outputs:
release-tag: ${{ steps.context.outputs.RELEASE_TAG }}
release-version: ${{ steps.context.outputs.RELEASE_VERSION }}
project-version: ${{ steps.context.outputs.PROJECT_VERSION }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
fetch-depth: 0
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
with:
virtualenvs-in-project: true
version: ${{ env.POETRY_VERSION }}
plugins: poetry-dynamic-versioning
- name: "Setup context"
id: context
shell: bash
env:
REF: ${{ github.ref }}
REF_NAME: ${{ github.ref_name }}
run: |
if [[ "${REF}" =~ ^refs/heads/.* ]]; then
echo "RELEASE_TAG=${REF_NAME}" >> $GITHUB_OUTPUT
# extract the current version from the pyproject.toml and replace .devN with -SNAPSHOT
VERSION=$(poetry version -s | sed 's/.dev[0-9]*/-SNAPSHOT/')
echo "RELEASE_VERSION=$VERSION" >> $GITHUB_OUTPUT
PROJECT_VERSION=$(poetry version -s)
echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_OUTPUT
else
echo "RELEASE_TAG=${REF_NAME}" >> $GITHUB_OUTPUT
VERSION=$(echo ${REF_NAME} | sed 's/v//')
echo "RELEASE_VERSION=$VERSION" >> $GITHUB_OUTPUT
echo "PROJECT_VERSION=$VERSION" >> $GITHUB_OUTPUT
fi
build-and-push-image:
runs-on: ubuntu-22.04
needs: ['prepare']
permissions:
packages: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
ref: ${{ needs.release.outputs.release-tag }}
- name: "Log in to the Container registry"
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: "Extract metadata (tags, labels) for Docker"
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
tags: |
${{ needs.prepare.outputs.release-version }}
labels: |
org.opencontainers.image.version=${{ needs.prepare.outputs.release-version }}
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: "Build and push Docker image"
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: .
file: docker/Dockerfile
build-args: |
version=${{ needs.prepare.outputs.project-version }}
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.prepare.outputs.release-version }}
labels: ${{ steps.meta.outputs.labels }}
build-dist:
runs-on: ubuntu-22.04
needs: ["prepare"]
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
fetch-depth: 0
ref: ${{ needs.prepare.outputs.release-tag }}
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
with:
virtualenvs-in-project: true
version: ${{ env.POETRY_VERSION }}
plugins: poetry-dynamic-versioning
- name: "Install dependencies"
run: poetry install --only=main
- name: "Build package"
run: poetry build
- name: "Generate hashes"
id: hash
run: |
cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
- name: "Upload dist"
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "dist"
path: "dist/"
if-no-files-found: error
retention-days: 5
provenance:
needs: ['prepare', 'build-dist']
permissions:
actions: read
contents: write
id-token: write # Needed to access the workflow's OIDC identity.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # ignore: pin
with:
base64-subjects: "${{ needs.build-dist.outputs.hashes }}"
upload-assets: true
github-publish:
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-22.04
needs: ['prepare', 'build-dist', 'provenance']
permissions:
contents: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Download dists"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: "dist"
path: "dist/"
- name: "Extract release notes"
id: extract-release-notes
uses: ffurrer2/extract-release-notes@9989ccec43d726ef05aa1cd7b2854fb96b6df6ab # v2.2.0
with:
release_notes_file: RELEASE_NOTES.md
- name: "Create GitHub release"
# keep at 2.1.0 due to https://github.com/softprops/action-gh-release/issues/556
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
with:
name: "Otterdog ${{ needs.prepare.outputs.release-tag }}"
tag_name: "${{ needs.prepare.outputs.release-tag }}"
body_path: RELEASE_NOTES.md
draft: false
prerelease: false
generate_release_notes: false
make_latest: true
files: dist/*
pypi-publish:
name: "Publish to PyPI"
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-22.04
needs: ['build-dist', 'provenance']
environment:
name: pypi
url: https://pypi.org/p/otterdog
permissions:
id-token: write
steps:
- name: "Download dists"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: "dist"
path: "dist/"
- name: "Publish dists to PyPI"
uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
with:
attestations: true
test-pypi-publish:
name: "Publish to Test PyPI"
if: startsWith(github.ref, 'refs/heads/')
runs-on: ubuntu-22.04
needs: ['build-dist', 'provenance']
environment:
name: test-pypi
permissions:
id-token: write
steps:
- name: "Download dists"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: "dist"
path: "dist/"
- name: "Publish dists to Test PyPI"
uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
with:
repository-url: https://test.pypi.org/legacy/
attestations: true
verbose: true