-
Notifications
You must be signed in to change notification settings - Fork 83
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
9eebb96
commit f1df8c2
Showing
1 changed file
with
4 additions
and
146 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,25 +1,11 @@ | ||
| name: publish distributions | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| tags: | ||
| - v* | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| - release/v* | ||
| release: | ||
| types: [published] | ||
| # Run weekly at 1:23 UTC | ||
| schedule: | ||
| - cron: '23 1 * * 0' | ||
| workflow_dispatch: | ||
| inputs: | ||
| publish: | ||
| type: boolean | ||
| description: 'Publish to TestPyPI' | ||
| default: false | ||
| default: true | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
|
|
@@ -44,135 +30,7 @@ jobs: | |
| with: | ||
| python-version: '3.12' | ||
|
|
||
| - name: Install python-build and twine | ||
| run: | | ||
| python -m pip install uv | ||
| uv pip install --system --upgrade pip | ||
| uv pip install --system build twine | ||
| python -m pip list | ||
| - name: Build a sdist and wheel | ||
| if: github.event_name != 'schedule' | ||
| run: | | ||
| python -m build --installer uv . | ||
| - name: Build a sdist and wheel and check for warnings | ||
| if: github.event_name == 'schedule' | ||
| run: | | ||
| PYTHONWARNINGS=error,default::DeprecationWarning python -m build --installer uv . | ||
| - name: Verify untagged commits have dev versions | ||
| if: "!startsWith(github.ref, 'refs/tags/')" | ||
| run: | | ||
| latest_tag=$(git describe --tags) | ||
| latest_tag_revlist_SHA=$(git rev-list -n 1 ${latest_tag}) | ||
| main_SHA="$(git rev-parse --verify origin/main)" | ||
| wheel_name=$(find dist/ -iname "*.whl" -printf "%f\n") | ||
| if [[ "${latest_tag_revlist_SHA}" != "${main_SHA}" ]]; then # don't check main push events coming from tags | ||
| if [[ "${wheel_name}" == *"pyhf-0.1.dev"* || "${wheel_name}" != *"dev"* ]]; then | ||
| echo "python-build incorrectly named built distribution: ${wheel_name}" | ||
| echo "python-build is lacking the history and tags required to determine version number" | ||
| echo "intentionally erroring with 'return 1' now" | ||
| return 1 | ||
| fi | ||
| else | ||
| echo "Push event to origin/main was triggered by push of tag ${latest_tag}" | ||
| fi | ||
| echo "python-build named built distribution: ${wheel_name}" | ||
| - name: Verify tagged commits don't have dev versions | ||
| if: startsWith(github.ref, 'refs/tags') | ||
| run: | | ||
| wheel_name=$(find dist/ -iname "*.whl" -printf "%f\n") | ||
| if [[ "${wheel_name}" == *"dev"* ]]; then | ||
| echo "python-build incorrectly named built distribution: ${wheel_name}" | ||
| echo "this is incorrrectly being treated as a dev release" | ||
| echo "intentionally erroring with 'return 1' now" | ||
| return 1 | ||
| fi | ||
| echo "python-build named built distribution: ${wheel_name}" | ||
| - name: Verify the distribution | ||
| run: twine check --strict dist/* | ||
|
|
||
| - name: List contents of sdist | ||
| run: python -m tarfile --list dist/pyhf-*.tar.gz | ||
|
|
||
| - name: List contents of wheel | ||
| run: python -m zipfile --list dist/pyhf-*.whl | ||
|
|
||
| - name: Generate artifact attestation for sdist and wheel | ||
| # If publishing to TestPyPI or PyPI | ||
| if: >- | ||
| (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf') | ||
| || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf') | ||
| || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf') | ||
| uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2 | ||
| with: | ||
| subject-path: "dist/pyhf-*" | ||
|
|
||
| - name: Upload distribution artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: dist-artifact | ||
| path: dist | ||
|
|
||
| publish: | ||
| name: Publish Python distribution to (Test)PyPI | ||
| if: github.event_name != 'pull_request' | ||
| needs: build | ||
| runs-on: ubuntu-latest | ||
| # Mandatory for publishing with a trusted publisher | ||
| # c.f. https://docs.pypi.org/trusted-publishers/using-a-publisher/ | ||
| permissions: | ||
| id-token: write | ||
| # Restrict to the environment set for the trusted publisher | ||
| environment: | ||
| name: publish-package | ||
|
|
||
| steps: | ||
| - name: Download distribution artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: dist-artifact | ||
| path: dist | ||
|
|
||
| - name: List all files | ||
| run: ls -lh dist | ||
|
|
||
| - name: Verify sdist artifact attestation | ||
| # If publishing to TestPyPI or PyPI | ||
| if: >- | ||
| (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf') | ||
| || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf') | ||
| || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf') | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh attestation verify dist/pyhf-*.tar.gz --repo ${{ github.repository }} | ||
|
|
||
| - name: Verify wheel artifact attestation | ||
| # If publishing to TestPyPI or PyPI | ||
| if: >- | ||
| (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf') | ||
| || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf') | ||
| || (github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf') | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh attestation verify dist/pyhf-*.whl --repo ${{ github.repository }} | ||
|
|
||
| - name: Publish distribution 📦 to Test PyPI | ||
| # Publish to TestPyPI on tag events of if manually triggered | ||
| # Compare to 'true' string as booleans get turned into strings in the console | ||
| if: >- | ||
| (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'scikit-hep/pyhf') | ||
| || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true' && github.repository == 'scikit-hep/pyhf') | ||
| uses: pypa/[email protected] | ||
| with: | ||
| repository-url: https://test.pypi.org/legacy/ | ||
| print-hash: true | ||
|
|
||
| - name: Publish distribution 📦 to PyPI | ||
| if: github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf' | ||
| uses: pypa/[email protected] | ||
| with: | ||
| print-hash: true | ||
| if: github.event.inputs.publish == 'true' | ||
| run: | | ||
| echo "This resolved github.event.inputs.publish ${{ github.event.inputs.publish }} properly" | ||