-
Notifications
You must be signed in to change notification settings - Fork 4
152 lines (128 loc) · 4.45 KB
/
publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# This workflow will call the build_and_test.yml workflow to install Python dependencies, run tests and lint
# with a single version of Python
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
# These jobs are specifically designed to test the codebase
# and ensure that basic contributing from both mac and windows will work
# Once both windows and mac builds are successful, the next steps will
# - using semantic-version will version the code, pushing the version back to the repo
# - push a package to pypi
# - push a formula to the homebrew repo
name: Publish
on:
push:
branches: [ main ]
jobs:
build-test:
name: Build & Test
uses: ./.github/workflows/build_and_test.yml
secureli-release:
name: GH Release
needs: [ build-test ]
runs-on: ubuntu-latest
environment: publish
concurrency: release
permissions:
id-token: write
contents: write
outputs:
uploaded: ${{ steps.upload.outputs.uploaded }}
steps:
- name: Get App Token
uses: tibdex/github-app-token@v2
id: app_token
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.app_token.outputs.token }}
- name: Python Semantic Release
id: release
uses: python-semantic-release/[email protected]
with:
github_token: ${{ steps.app_token.outputs.token }}
- name: Upload assets to GitHub Releases
id: upload
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
run: |
if [[ -d dist ]]; then
if [[ -n "$(find ./dist -name 'secureli*' -print -quit)" ]]; then
gh release upload ${{ steps.release.outputs.tag }} ./dist/secureli*
echo "uploaded=true" >> "$GITHUB_OUTPUT"
else
echo "uploaded=false" >> "$GITHUB_OUTPUT"
fi
else
echo "uploaded=false" >> "$GITHUB_OUTPUT"
fi
- name: Display Output
run: echo uploaded=${{ steps.upload.outputs.uploaded }}
secureli-publish:
name: PyPI Publish
if: needs.secureli-release.outputs.uploaded == 'true'
runs-on: ubuntu-latest
needs: secureli-release
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- name: Display Inputs
run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }}
- name: Checkout seCureLI Repo
uses: actions/checkout@v4
with:
ref: main
fetch-depth: 0
- name: Set up Python 3.11
id: setup-python
uses: actions/setup-python@v4
with:
python-version: "3.11"
- run: |
pip install poetry
poetry install
poetry build
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
skip-existing: true
deploy:
name: Upload Homebrew Formula
if: needs.secureli-release.outputs.uploaded == 'true'
runs-on: ubuntu-latest
environment: publish
needs: secureli-release
steps:
- name: Display Inputs
run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }}
- name: Get App Token
uses: tibdex/github-app-token@v2
id: app_token
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@v4
with:
ref: main
fetch-depth: 0
- name: Checkout seCureLI Homebrew Repo
uses: actions/checkout@v4
with:
repository: slalombuild/homebrew-secureli
token: ${{ steps.app_token.outputs.token }}
path: homebrew-secureli
ref: main
fetch-depth: 0
- name: Homebrew Formula Generation
env:
GH_TOKEN: ${{ steps.app_token.outputs.token }}
run: ./scripts/secureli-deployment.sh
integration-testing:
name: Integration Testing
needs: [ build-test, secureli-release, secureli-publish, deploy ]
if: |
always() &&
(needs.secureli-publish.result == 'success' || needs.secureli-publish.result == 'skipped') &&
(needs.deploy.result == 'success' || needs.deploy.result == 'skipped')
uses: ./.github/workflows/integration_testing.yml