Publish release #21
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish release | |
on: | |
workflow_dispatch: | |
inputs: | |
environment: | |
type: environment | |
description: "Environment in which to execute the release process" | |
push: | |
branches: [ "ci/*", "ci-*" ] | |
jobs: | |
ci: | |
name: Run CI pipeline | |
uses: MatthiasValvekens/certvalidator/.github/workflows/build-pipeline.yml@master | |
permissions: | |
actions: write | |
contents: read | |
find-env: | |
name: Determine target environment | |
runs-on: ubuntu-latest | |
permissions: {} | |
outputs: | |
publish-env: ${{ steps.setenv.outputs.envname }} | |
release-version: ${{ steps.getversion.outputs.version }} | |
steps: | |
- id: setenv | |
run: | | |
if [[ $GITHUB_EVENT_NAME == 'release' ]]; then | |
echo envname=release >> "$GITHUB_OUTPUT" | |
elif [[ $GITHUB_EVENT_NAME == 'push' ]]; then | |
# at times it may be convenient to temporarily turn on release-on-push | |
# for testing purposes, so leaving this line in helps make that smoother | |
echo envname=test-release >> "$GITHUB_OUTPUT" | |
elif [[ $GITHUB_EVENT_NAME == 'workflow_dispatch' ]]; then | |
echo "envname=${{ inputs.environment }}" >> "$GITHUB_OUTPUT" | |
else | |
echo "Cannot run release workflow for trigger event $GITHUB_EVENT_NAME" | |
exit 1 | |
fi | |
cat "$GITHUB_OUTPUT" | |
- uses: actions/checkout@v4 | |
- name: Get version information | |
id: getversion | |
run: | | |
set -eo pipefail | |
grep __version__ < pyhanko_certvalidator/version.py \ | |
| sed "s/__version__ = '\(.*\)'/version=\1/" >> "$GITHUB_OUTPUT" | |
- name: Generate release body | |
run: | | |
sed "s/:VERSION/$VERSION/g" < .github/gh-release-template.md > release.md | |
cat release.md | |
env: | |
VERSION: ${{ steps.getversion.outputs.version }} | |
- name: Upload release body | |
uses: actions/upload-artifact@v4 | |
with: | |
name: release-body | |
path: release.md | |
provenance: | |
name: Generate SLSA provenance data | |
needs: [ci] | |
permissions: | |
actions: read | |
id-token: write | |
contents: write # https://github.com/slsa-framework/slsa-github-generator/issues/2044 :( | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.ci.outputs.hashes }}" | |
upload-assets: false | |
provenance-name: multiple.intoto.jsonl | |
publish: | |
name: Publish release artifacts | |
needs: [provenance, find-env] | |
runs-on: ubuntu-latest | |
environment: ${{ needs.find-env.outputs.publish-env }} | |
permissions: | |
# we use PyPI's trusted publisher model -> expose identity token | |
id-token: write | |
# we want to add sigstore's artifacts to the release on GitHub | |
contents: write | |
steps: | |
- name: Download dist artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: pyhanko-certvalidator-dist | |
path: dist/ | |
- name: Download provenance data | |
uses: actions/download-artifact@v4 | |
with: | |
name: multiple.intoto.jsonl | |
path: provenance/ | |
- name: Download release body | |
uses: actions/download-artifact@v4 | |
with: | |
name: release-body | |
path: release-body | |
- name: Upload to PyPI | |
uses: pypa/gh-action-pypi-publish@release/v1 | |
with: | |
repository-url: ${{ vars.REPOSITORY_URL }} | |
- name: Sign with sigstore | |
uses: sigstore/[email protected] | |
with: | |
inputs: ./dist/* | |
# useful to inspect workflow artifacts in test runs | |
upload-signing-artifacts: true | |
- name: Create GitHub release | |
if: needs.find-env.outputs.publish-env == 'release' && startsWith(github.ref, 'refs/tags/') | |
uses: softprops/action-gh-release@v2 | |
with: | |
files: | | |
dist/*.whl | |
dist/*.tar.gz | |
dist/*.sigstore | |
provenance/multiple.intoto.jsonl | |
body_path: release-body/release.md | |
fail_on_unmatched_files: true | |
prerelease: true | |
name: pyhanko-certvalidator ${{ needs.extract-params.outputs.release-version }} |