---
# Reusable workflow (triggered only through `workflow_call`): the jobs below
# build a package with Poetry and upload it to Test PyPI.
name: test-release

on:
  workflow_call:
    inputs:
      # Directory of the package to build; also used as the artifact path prefix.
      working-directory:
        required: true
        type: string
        description: 'From which folder this pipeline executes'
      # Opt-in switch that lets the build job run on refs other than master.
      # Off by default, so callers have to enable it explicitly.
      dangerous-nonmaster-release:
        required: false
        type: boolean
        default: false
        description: 'Release from a non-master branch (danger!)'

env:
  # Quoted so the versions stay strings (an unquoted 3.10 would parse as the float 3.1).
  POETRY_VERSION: '1.7.1'
  PYTHON_VERSION: '3.10'
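jobs:
  # Builds the distribution files and exposes the package name and version as job outputs.
  build:
    # Runs on master only, unless the caller explicitly opts in to a non-master release.
    if: github.ref == 'refs/heads/master' || inputs.dangerous-nonmaster-release
    runs-on: ubuntu-latest
    # NOTE(review): no `permissions:` key is set on this job, so its token carries
    # whatever the calling workflow grants. An explicit read-only block here would
    # make the build/publish separation described below hold regardless of the
    # caller; confirm the caller grants at least that scope, since a called
    # workflow cannot request more than its caller allows.

    outputs:
      pkg-name: ${{ steps.check-version.outputs.pkg-name }}
      version: ${{ steps.check-version.outputs.version }}

    steps:
      - uses: actions/checkout@v4

      - name: Set up Python + Poetry ${{ env.POETRY_VERSION }}
        uses: "./.github/actions/poetry_setup"
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          poetry-version: ${{ env.POETRY_VERSION }}
          working-directory: ${{ inputs.working-directory }}
          cache-key: release

      # We want to keep this build stage *separate* from the release stage,
      # so that there's no sharing of permissions between them.
      # The release stage has trusted publishing and GitHub repo contents write access,
      # and we want to keep the scope of that access limited just to the release job.
      # Otherwise, a malicious `build` step (e.g. via a compromised dependency)
      # could get access to our GitHub or PyPI credentials.
      #
      # Per the trusted publishing GitHub Action:
      # > It is strongly advised to separate jobs for building [...]
      # > from the publish job.
      # https://github.com/pypa/gh-action-pypi-publish#non-goals
      - name: Build project for distribution
        run: poetry build
        working-directory: ${{ inputs.working-directory }}

      # Hands the built files to the publish job; the artifact name must match
      # the one used by the download step there.
      - name: Upload build
        uses: actions/upload-artifact@v4
        with:
          name: test-dist
          path: ${{ inputs.working-directory }}/dist/

      # Records the package name and version as step outputs.
      # "$GITHUB_OUTPUT" is quoted so the redirect target is never word-split.
      - name: Check Version
        id: check-version
        shell: bash
        working-directory: ${{ inputs.working-directory }}
        run: |
          echo pkg-name="$(poetry version | cut -d ' ' -f 1)" >> "$GITHUB_OUTPUT"
          echo version="$(poetry version --short)" >> "$GITHUB_OUTPUT"

  # Uploads the artifact produced by `build` to Test PyPI. Because of `needs`,
  # this job is skipped whenever `build` is skipped by its `if:` condition.
  publish:
    needs:
      - build
    runs-on: ubuntu-latest
    permissions:
      # This permission is used for trusted publishing:
      # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
      #
      # Trusted publishing has to also be configured on PyPI for each package:
      # https://docs.pypi.org/trusted-publishers/adding-a-publisher/
      id-token: write

    # NOTE(review): the actions in this job are referenced by movable refs
    # (`v4` tags, the `release/v1` branch) while the job holds `id-token: write`.
    # Pinning each `uses:` to a full commit SHA would keep a retargeted ref from
    # running with publishing rights.
    steps:
      - uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
          name: test-dist
          path: ${{ inputs.working-directory }}/dist/

      - name: Publish to test PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: ${{ inputs.working-directory }}/dist/
          verbose: true
          # Logs the hashes of the uploaded files so they can be compared with the build.
          print-hash: true
          repository-url: https://test.pypi.org/legacy/
          # Files whose name and version already exist on the index are skipped
          # instead of failing the upload; nothing is overwritten. The job can
          # therefore succeed while the index still serves the earlier upload,
          # so a green run does not prove that this build is what was published.
          # This is *only for CI use* and is *extremely dangerous* otherwise!
          # https://github.com/pypa/gh-action-pypi-publish#tolerating-release-package-file-duplicates
          skip-existing: true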