Skip to content
release python

build: fix python upload workflows #1292

Sign in to view logs

build: fix python upload workflows

build: fix python upload workflows #1292

Workflow file for this run

.github/workflows/release-python.yml at 08d0227
---
name: release python
on:
push:
branches: [master]
tags:
- '**'
pull_request:
branches: [master]
workflow_dispatch:
jobs:
build_sdist:
name: Build source distribution
runs-on: ubuntu-latest
container:
image: ghcr.io/linux-nvme/debian.python:latest
steps:
- uses: actions/checkout@v4
- name: Allow workspace
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Build sdist
run: pipx run build --sdist
- uses: actions/upload-artifact@v4
with:
path: dist/*.tar.gz
retention-days: 5
upload_test_pypi:
needs: [build_sdist]
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Install Python (if missing)
run: |
sudo apt-get update
sudo apt-get install -y python3 python3-pip
- name: Update python dependencies
run: |
python3 -m venv venv
source venv/bin/activate
pip install -U packaging
- uses: actions/download-artifact@v4
with:
name: artifact
path: dist
- name: mint API token
id: mint-token
run: |
# retrieve the ambient OIDC token
resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=testpypi")
oidc_token=$(jq -r '.value' <<< "${resp}")
# exchange the OIDC token for an API token
resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
api_token=$(jq -r '.token' <<< "${resp}")
# mask the newly minted API token, so that we don't accidentally leak it
echo "::add-mask::${api_token}"
# see the next step in the workflow for an example of using this step output
echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
- name: Publish package to TestPyPI
env:
PATH: ${{ github.workspace }}/venv/bin:$PATH
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ steps.mint-token.outputs.api-token }}
repository-url: https://test.pypi.org/legacy/
upload_pypi:
needs: [build_sdist]
runs-on: ubuntu-latest
permissions:
id-token: write
if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'linux-nvme/libnvme'
steps:
- name: Install Python (if missing)
run: |
sudo apt-get update
sudo apt-get install -y python3 python3-pip
- name: Update python dependencies
run: |
python3 -m venv venv
source venv/bin/activate
pip install -U packaging
- name: Check if it is a release tag
id: check-tag
run: |
if [[ ${{ github.event.ref }} =~ ^refs/tags/v([0-9]+\.[0-9]+)(\.[0-9]+)?(-rc[0-9]+)?$ ]]; then
echo ::set-output name=match::true
fi
- name: Download artifiact
uses: actions/download-artifact@v4
if: steps.check-tag.outputs.match == 'true'
with:
name: artifact
path: dist
- name: mint API token
id: mint-token
run: |
# retrieve the ambient OIDC token
resp=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
oidc_token=$(jq -r '.value' <<< "${resp}")
# exchange the OIDC token for an API token
resp=$(curl -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\": \"${oidc_token}\"}")
api_token=$(jq -r '.token' <<< "${resp}")
# mask the newly minted API token, so that we don't accidentally leak it
echo "::add-mask::${api_token}"
# see the next step in the workflow for an example of using this step output
echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
- name: Publish package to PyPI
env:
PATH: ${{ github.workspace }}/venv/bin:$PATH
uses: pypa/gh-action-pypi-publish@release/v1
if: steps.check-tag.outputs.match == 'true'
with:
password: ${{ steps.mint-token.outputs.api-token }}