Skip to content

Publish release

Publish release #21

Workflow file for this run

name: Publish release
on:
workflow_dispatch:
inputs:
environment:
type: environment
description: "Environment in which to execute the release process"
push:
branches: [ "ci/*", "ci-*" ]
jobs:
ci:
name: Run CI pipeline
uses: MatthiasValvekens/certvalidator/.github/workflows/build-pipeline.yml@master
permissions:
actions: write
contents: read
find-env:
name: Determine target environment
runs-on: ubuntu-latest
permissions: {}
outputs:
publish-env: ${{ steps.setenv.outputs.envname }}
release-version: ${{ steps.getversion.outputs.version }}
steps:
- id: setenv
run: |
if [[ $GITHUB_EVENT_NAME == 'release' ]]; then
echo envname=release >> "$GITHUB_OUTPUT"
elif [[ $GITHUB_EVENT_NAME == 'push' ]]; then
# at times it may be convenient to temporarily turn on release-on-push
# for testing purposes, so leaving this line in helps make that smoother
echo envname=test-release >> "$GITHUB_OUTPUT"
elif [[ $GITHUB_EVENT_NAME == 'workflow_dispatch' ]]; then
echo "envname=${{ inputs.environment }}" >> "$GITHUB_OUTPUT"
else
echo "Cannot run release workflow for trigger event $GITHUB_EVENT_NAME"
exit 1
fi
cat "$GITHUB_OUTPUT"
- uses: actions/checkout@v4
- name: Get version information
id: getversion
run: |
set -eo pipefail
grep __version__ < pyhanko_certvalidator/version.py \
| sed "s/__version__ = '\(.*\)'/version=\1/" >> "$GITHUB_OUTPUT"
- name: Generate release body
run: |
sed "s/:VERSION/$VERSION/g" < .github/gh-release-template.md > release.md
cat release.md
env:
VERSION: ${{ steps.getversion.outputs.version }}
- name: Upload release body
uses: actions/upload-artifact@v4
with:
name: release-body
path: release.md
provenance:
name: Generate SLSA provenance data
needs: [ci]
permissions:
actions: read
id-token: write
contents: write # https://github.com/slsa-framework/slsa-github-generator/issues/2044 :(
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.ci.outputs.hashes }}"
upload-assets: false
provenance-name: multiple.intoto.jsonl
publish:
name: Publish release artifacts
needs: [provenance, find-env]
runs-on: ubuntu-latest
environment: ${{ needs.find-env.outputs.publish-env }}
permissions:
# we use PyPI's trusted publisher model -> expose identity token
id-token: write
# we want to add sigstore's artifacts to the release on GitHub
contents: write
steps:
- name: Download dist artifacts
uses: actions/download-artifact@v4
with:
name: pyhanko-certvalidator-dist
path: dist/
- name: Download provenance data
uses: actions/download-artifact@v4
with:
name: multiple.intoto.jsonl
path: provenance/
- name: Download release body
uses: actions/download-artifact@v4
with:
name: release-body
path: release-body
- name: Upload to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: ${{ vars.REPOSITORY_URL }}
- name: Sign with sigstore
uses: sigstore/[email protected]
with:
inputs: ./dist/*
# useful to inspect workflow artifacts in test runs
upload-signing-artifacts: true
- name: Create GitHub release
if: needs.find-env.outputs.publish-env == 'release' && startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v2
with:
files: |
dist/*.whl
dist/*.tar.gz
dist/*.sigstore
provenance/multiple.intoto.jsonl
body_path: release-body/release.md
fail_on_unmatched_files: true
prerelease: true
name: pyhanko-certvalidator ${{ needs.extract-params.outputs.release-version }}