ci: switch to trusted publishing for pypi #58
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| - test | |
| tags: | |
| - 'v*' | |
| env: | |
| LIB_VERSION: '2024.10.1' | |
| PYTHON_VERSION: '3.11.9' | |
| CIBW_VERSION: '2.21.3' | |
| CIBW_BUILD: 'cp311-* cp312-*' | |
| CIBW_SKIP: '*-musllinux_*' | |
| CIBW_BUILD_VERBOSITY: 1 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build_macos_openssl: | |
| runs-on: macos-13 | |
| strategy: | |
| matrix: | |
| ARCH: | |
| - NAME: x86_64 | |
| CFLAGS: "-mmacosx-version-min=10.09 -march=core2" | |
| OPENSSLDIR: "/usr/local/etc/openssl@3" | |
| FLAGS: no-shared no-asm no-idea no-camellia no-seed no-bf no-cast no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-ecdh no-sock no-ssl3 no-dsa no-dh no-ec no-ecdsa no-tls1 no-rfc3779 no-whirlpool no-srp no-mdc2 no-ecdh no-engine no-srtp no-weak-ssl-ciphers | |
| - NAME: arm64 | |
| CFLAGS: "-mmacosx-version-min=11.0" | |
| OPENSSLDIR: "/opt/homebrew/etc/openssl@3" | |
| FLAGS: no-shared no-asm no-idea no-camellia no-seed no-bf no-cast no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-ecdh no-sock no-ssl3 no-dsa no-dh no-ec no-ecdsa no-tls1 no-rfc3779 no-whirlpool no-srp no-mdc2 no-ecdh no-engine no-srtp no-weak-ssl-ciphers | |
| name: "Build OpenSSL for macOS (${{ matrix.ARCH.NAME }})" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| persist-credentials: false | |
| - name: Build OpenSSL | |
| run: | | |
| BASEDIR=$(pwd) | |
| cd openssl | |
| perl ./Configure \ | |
| --prefix="${BASEDIR}/artifact" \ | |
| --openssldir=${{ matrix.ARCH.OPENSSLDIR }} \ | |
| darwin64-${{ matrix.ARCH.NAME }}-cc \ | |
| ${{ matrix.ARCH.FLAGS }} | |
| make -j$(sysctl -n hw.logicalcpu) | |
| make install_sw | |
| env: | |
| CFLAGS: ${{ matrix.ARCH.CFLAGS }} | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: "openssl-macos-${{ matrix.ARCH.NAME }}" | |
| path: artifact/ | |
| build_macos_openssl_universal2: | |
| runs-on: macos-13 | |
| name: "Build OpenSSL for macOS (universal2)" | |
| needs: [build_macos_openssl] | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: openssl-macos-x86_64 | |
| path: x86-64 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: openssl-macos-arm64 | |
| path: arm64 | |
| - name: Create universal2 OpenSSL | |
| run: | | |
| mkdir artifact | |
| cd artifact | |
| mkdir bin lib | |
| cp -r ../x86-64/include . | |
| cp -r ../x86-64/lib/pkgconfig lib/ | |
| cp ../x86-64/bin/c_rehash bin/ # c_rehash is a perl script | |
| lipo -create -output bin/openssl ../x86-64/bin/openssl ../arm64/bin/openssl | |
| lipo -create -output lib/libssl.a ../x86-64/lib/libssl.a ../arm64/lib/libssl.a | |
| lipo -create -output lib/libcrypto.a ../x86-64/lib/libcrypto.a ../arm64/lib/libcrypto.a | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: "openssl-macos-universal2" | |
| path: artifact/ | |
| build_wheels_macos: | |
| name: 'Build wheels for macOS' | |
| runs-on: macos-13 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: [arm64, x86_64, universal2] | |
| needs: [build_macos_openssl_universal2] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| persist-credentials: false | |
| - name: Set up python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: 'pip' | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: openssl-macos-${{ matrix.arch }} | |
| path: openssl-macos-${{ matrix.arch }} | |
| - name: prepare build directory | |
| run: ./scripts/prepare.sh | |
| - name: Install cibuildwheel | |
| run: python -m pip install cibuildwheel=="${CIBW_VERSION}" | |
| - name: Build wheels | |
| working-directory: build | |
| run: python -m cibuildwheel --output-dir wheelhouse | |
| env: | |
| CIBW_ARCHS_MACOS: ${{ matrix.arch }} | |
| CIBW_BEFORE_ALL_MACOS: ./build.sh | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: pypi-wheels-macos-${{ matrix.arch }} | |
| path: build/wheelhouse/*.whl | |
| build_wheels_linux: | |
| name: 'Build wheels for Linux' | |
| runs-on: ubuntu-20.04 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: [ aarch64, native ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| persist-credentials: false | |
| - name: Set up python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: 'pip' | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| if: ${{ matrix.arch == 'aarch64' }} | |
| with: | |
| platforms: arm64 | |
| - name: prepare build directory | |
| run: ./scripts/prepare.sh | |
| env: | |
| CIBW_ARCHS_LINUX: ${{ matrix.arch }} | |
| - name: Install cibuildwheel | |
| run: python -m pip install cibuildwheel=="${CIBW_VERSION}" | |
| - name: Build wheels | |
| working-directory: build | |
| run: python -m cibuildwheel --output-dir wheelhouse | |
| env: | |
| CIBW_BEFORE_ALL_LINUX: ./build.sh | |
| CIBW_ARCHS_LINUX: ${{ matrix.arch }} | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: pypi-wheels-linux-${{ matrix.arch }} | |
| path: build/wheelhouse/*.whl | |
| build_wheels_windows: | |
| name: 'Build wheels for Windows' | |
| runs-on: 'windows-2019' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| persist-credentials: false | |
| - name: Set up python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: 'pip' | |
| - name: prepare build directory | |
| run: ./scripts/prepare.ps1 | |
| - name: Install cibuildwheel | |
| run: python -m pip install cibuildwheel=="${env:CIBW_VERSION}" | |
| - name: Build wheels | |
| working-directory: build | |
| run: python -m cibuildwheel --output-dir wheelhouse | |
| env: | |
| CIBW_BEFORE_ALL_WINDOWS: Powershell.exe -F ./build.ps1 | |
| CIBW_ARCHS_WINDOWS: "native" | |
| - name: clean openssl conf | |
| shell: pwsh | |
| run: echo "OPENSSL_CONF=''" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: pypi-wheels-windows | |
| path: build\wheelhouse\*.whl | |
| build_sdist: | |
| name: 'Build sdist' | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| persist-credentials: false | |
| - name: Set up python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: 'pip' | |
| - name: prepare build directory | |
| run: ./scripts/prepare.sh | |
| - name: Build sdist | |
| working-directory: build | |
| run: python3 -m pip install --upgrade build && python -m build -s | |
| - name: Store artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: pypi-sdist | |
| path: build/dist/*.tar.gz | |
| upload_pypi_test: | |
| name: Upload to PyPI (test) | |
| needs: [build_wheels_macos, build_wheels_linux, build_wheels_windows, build_sdist] | |
| runs-on: ubuntu-20.04 | |
| if: github.event_name == 'push' && !(startsWith(github.ref, 'refs/tags/v')) | |
| environment: test-pypi | |
| permissions: | |
| # IMPORTANT: this permission is mandatory for Trusted Publishing | |
| id-token: write | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| merge-multiple: true | |
| pattern: pypi-* | |
| path: dist | |
| - uses: pypa/gh-action-pypi-publish@v1.10.3 | |
| with: | |
| repository-url: https://test.pypi.org/legacy/ | |
| skip-existing: true | |
| upload_pypi: | |
| name: Upload to PyPI (prod) | |
| needs: [build_wheels_macos, build_wheels_linux, build_wheels_windows, build_sdist] | |
| runs-on: ubuntu-20.04 | |
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') | |
| environment: pypi | |
| permissions: | |
| # IMPORTANT: this permission is mandatory for Trusted Publishing | |
| id-token: write | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| merge-multiple: true | |
| pattern: pypi-* | |
| path: dist | |
| - uses: pypa/gh-action-pypi-publish@v1.10.3 |