|
1 | 1 | name: release-pipeline |
2 | 2 |
|
3 | 3 | on: |
| 4 | + push: |
| 5 | + branches: |
| 6 | + - main |
4 | 7 | release: |
5 | 8 | types: |
6 | | - - created |
| 9 | + - published |
7 | 10 |
|
8 | 11 | jobs: |
9 | | - release-job: |
| 12 | + build-package: |
10 | 13 | runs-on: ubuntu-latest |
11 | | - env: |
12 | | - PYPI_TOKEN: ${{ secrets.PYPI_TOKEN_PYMC }} |
| 14 | + permissions: |
| 15 | + # write attestations and id-token are necessary for attest-build-provenance-github |
| 16 | + attestations: write |
| 17 | + id-token: write |
13 | 18 | steps: |
14 | | - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 |
15 | | - with: |
16 | | - persist-credentials: false |
17 | | - - name: Set up Python |
18 | | - uses: actions/setup-python@v5 |
19 | | - with: |
20 | | - python-version: 3.7 |
21 | | - # TODO: ideally, this pipeline should run parallelized tests in upstream jobs.. |
22 | | - #- name: Install test tooling |
23 | | - # run: | |
24 | | - # pip install pytest pytest-cov nose nose-parameterized |
25 | | - # pip install -r requirements.txt |
26 | | - #- name: Run tests |
27 | | - # run: | |
28 | | - # pytest --cov=./pymc --cov-report term-missing pymc/ |
29 | | - - name: Install release tooling |
30 | | - run: | |
31 | | - pip install build twine |
32 | | - - name: Build package |
33 | | - run: | |
34 | | - python -m build |
35 | | - - name: Check version number match |
36 | | - run: | |
37 | | - echo "GITHUB_REF: ${GITHUB_REF}" |
38 | | - # The GITHUB_REF should be something like "refs/tags/v1.2.3" |
39 | | - # Make sure the package version is the same as the tag |
40 | | - grep -Rq "^Version: ${GITHUB_REF:11}$" pymc.egg-info/PKG-INFO |
41 | | - - name: Publish to PyPI |
42 | | - run: | |
43 | | - twine check dist/* |
44 | | - twine upload --repository pypi --username __token__ --password ${PYPI_TOKEN} dist/* |
45 | | - test-install-job: |
46 | | - needs: release-job |
| 19 | + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
| 20 | + with: |
| 21 | + fetch-depth: 0 |
| 22 | + persist-credentials: false |
| 23 | + - uses: hynek/build-and-inspect-python-package@14c7e53f5d033cfa99f7af916fa59a6f7f356394 # v2.11.0 |
| 24 | + with: |
| 25 | + attest-build-provenance-github: true |
| 26 | + |
| 27 | + publish-package: |
| 28 | + if: github.repository_owner == 'pymc-devs' && github.event_name == 'push' && github.ref == 'refs/heads/main' |
| 29 | + environment: release |
| 30 | + needs: build-package |
47 | 31 | runs-on: ubuntu-latest |
| 32 | + permissions: |
| 33 | + # write id-token is necessary for trusted publishing (OIDC) |
| 34 | + id-token: write |
48 | 35 | steps: |
49 | | - - name: Set up Python |
50 | | - uses: actions/setup-python@v5 |
51 | | - with: |
52 | | - python-version: 3.7 |
53 | | - - name: Give PyPI a chance to update the index |
54 | | - run: sleep 240 |
55 | | - - name: Install from PyPI |
56 | | - run: | |
57 | | - pip install pymc==${GITHUB_REF:11} |
| 36 | + - name: Download Distribution Artifacts |
| 37 | + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 |
| 38 | + with: |
| 39 | + name: Packages |
| 40 | + path: dist |
| 41 | + - name: Publish Package to PyPI |
| 42 | + uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3 |
0 commit comments