release-python.yml
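---
# Builds the Python source distribution and publishes it to TestPyPI and,
# for release tags, to PyPI. Upload credentials are short-lived API tokens
# minted from the job's GitHub OIDC identity; no long-lived secret is used.
name: release python

on:
  push:
    branches: [master]
    tags:
      - '**'
  pull_request:
    branches: [master]
  workflow_dispatch:

jobs:
  build_sdist:
    name: Build source distribution
    runs-on: ubuntu-latest
    container:
      # NOTE(review): ':latest' is a mutable tag, so the build environment
      # can change between runs; consider pinning the image by digest.
      image: ghcr.io/linux-nvme/debian.python:latest
    steps:
      # NOTE(review): actions in this workflow are referenced by tag or
      # branch ('@v4', '@release/v1'); pinning to a full commit SHA keeps a
      # retagged action from running in the jobs that hold id-token: write.
      - uses: actions/checkout@v4
      - name: Allow workspace
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - name: Build sdist
        run: pipx run build --sdist
      # No 'name' is set, so the upload uses the default artifact name
      # ("artifact"), which is what the download steps below request.
      - uses: actions/upload-artifact@v4
        with:
          path: dist/*.tar.gz
          retention-days: 5

  upload_test_pypi:
    # NOTE(review): this job has no 'if:' condition, so it is scheduled for
    # every trigger listed under 'on', pull_request included. Consider
    # gating it on the event and repository like upload_pypi.
    needs: [build_sdist]
    runs-on: ubuntu-latest
    permissions:
      # Required so the job can request an OIDC token.
      id-token: write
    steps:
      - name: Install Python (if missing)
        run: |
          sudo apt-get update
          sudo apt-get install -y python3 python3-pip
      - name: Update python dependencies
        run: |
          python3 -m venv venv
          source venv/bin/activate
          pip install -U packaging
      - uses: actions/download-artifact@v4
        with:
          name: artifact
          path: dist
      # NOTE(review): pypa/gh-action-pypi-publish can do this OIDC exchange
      # itself when no password is supplied; that would remove the
      # hand-rolled token handling below.
      - name: mint API token
        id: mint-token
        run: |
          # retrieve the ambient OIDC token; --fail aborts the step on an
          # HTTP error instead of passing an error body on to jq
          resp=$(curl -sS --fail \
            -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=testpypi")
          oidc_token=$(jq -r '.value' <<< "${resp}")
          # exchange the OIDC token for an API token. The token was requested
          # for the testpypi audience and is used against test.pypi.org
          # below, so it must be exchanged at TestPyPI, not at pypi.org.
          resp=$(curl -sS --fail -X POST \
            https://test.pypi.org/_/oidc/mint-token \
            -d "{\"token\": \"${oidc_token}\"}")
          api_token=$(jq -r '.token' <<< "${resp}")
          # jq prints "null" for a missing field; stop rather than publish
          # with a bogus credential
          if [ -z "${api_token}" ] || [ "${api_token}" = "null" ]; then
            echo "::error::no API token in the mint-token response"
            exit 1
          fi
          # mask the newly minted API token, so that we don't accidentally
          # leak it
          echo "::add-mask::${api_token}"
          # the publish step reads this output as its password
          echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
      - name: Publish package to TestPyPI
        env:
          # NOTE(review): 'env' values are not shell-expanded, so '$PATH' is
          # passed literally here - confirm this is what is intended.
          PATH: ${{ github.workspace }}/venv/bin:$PATH
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ steps.mint-token.outputs.api-token }}
          repository-url: https://test.pypi.org/legacy/

  upload_pypi:
    needs: [build_sdist]
    runs-on: ubuntu-latest
    permissions:
      # Required so the job can request an OIDC token.
      id-token: write
    # Only 'v*' tags in the upstream repository reach this job; the
    # check-tag step below narrows that to release-shaped tag names.
    if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'linux-nvme/libnvme'
    steps:
      - name: Install Python (if missing)
        run: |
          sudo apt-get update
          sudo apt-get install -y python3 python3-pip
      - name: Update python dependencies
        run: |
          python3 -m venv venv
          source venv/bin/activate
          pip install -U packaging
      - name: Check if it is a release tag
        id: check-tag
        env:
          # The ref is passed through the environment instead of being
          # expanded into the script: '${{ }}' is substituted before the
          # shell parses the text, and a ref name is chosen by whoever
          # pushes it.
          EVENT_REF: ${{ github.event.ref }}
        run: |
          # accepts vX.Y, vX.Y.Z and an optional -rcN suffix
          if [[ "${EVENT_REF}" =~ ^refs/tags/v([0-9]+\.[0-9]+)(\.[0-9]+)?(-rc[0-9]+)?$ ]]; then
            # GITHUB_OUTPUT replaces the deprecated ::set-output command
            echo "match=true" >> "${GITHUB_OUTPUT}"
          fi
      - name: Download artifiact
        uses: actions/download-artifact@v4
        if: steps.check-tag.outputs.match == 'true'
        with:
          name: artifact
          path: dist
      - name: mint API token
        id: mint-token
        # Do not mint an upload credential unless the tag check passed and
        # the publish step will actually run.
        if: steps.check-tag.outputs.match == 'true'
        run: |
          # retrieve the ambient OIDC token; --fail aborts the step on an
          # HTTP error instead of passing an error body on to jq
          resp=$(curl -sS --fail \
            -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi")
          oidc_token=$(jq -r '.value' <<< "${resp}")
          # exchange the OIDC token for an API token
          resp=$(curl -sS --fail -X POST \
            https://pypi.org/_/oidc/mint-token \
            -d "{\"token\": \"${oidc_token}\"}")
          api_token=$(jq -r '.token' <<< "${resp}")
          # jq prints "null" for a missing field; stop rather than publish
          # with a bogus credential
          if [ -z "${api_token}" ] || [ "${api_token}" = "null" ]; then
            echo "::error::no API token in the mint-token response"
            exit 1
          fi
          # mask the newly minted API token, so that we don't accidentally
          # leak it
          echo "::add-mask::${api_token}"
          # the publish step reads this output as its password
          echo "api-token=${api_token}" >> "${GITHUB_OUTPUT}"
      - name: Publish package to PyPI
        env:
          # NOTE(review): 'env' values are not shell-expanded, so '$PATH' is
          # passed literally here - confirm this is what is intended.
          PATH: ${{ github.workspace }}/venv/bin:$PATH
        uses: pypa/gh-action-pypi-publish@release/v1
        if: steps.check-tag.outputs.match == 'true'
        with:
          password: ${{ steps.mint-token.outputs.api-token }}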