on push publish test.pypi on tagged pypi and gh releases

- chore(release.yml): separate build from publish and release - chore(release.yml): run on push, not create - chore(release.yml): on push publish to test.pypi - chore(release.yml): on tagged publish to pypi and github releases
msftcangoblowm · Feb 29, 2024 · 81a98e2 · 81a98e2
1 parent 2f11456
commit 81a98e2
Show file tree

Hide file tree

Showing 3 changed files with 108 additions and 16 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,14 +1,15 @@
-name: release
+# https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#the-whole-ci-cd-workflow
+
+name: "release"
 
 # not on every push. Only then a commit is tagged
 on:
-  create:
+  push:
     branches:
       - master
     tags:
       - '*.*.*'
 
-
 defaults:
   run:
     shell: bash
@@ -22,8 +23,8 @@ permissions:
 
 jobs:
   build:
-    if: github.event_name == 'create' && startsWith(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
+
     steps:
     - name: Checkout the repo
       uses: actions/checkout@v4
@@ -56,18 +57,99 @@ jobs:
         echo "python igor.py build_next $RELEASE_VERSION"
         python igor.py build_next "$RELEASE_VERSION"
 
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v3
+      with:
+        name: python-package-distributions
+        path: ${{ env.DEST_FOLDER }}
+
+  publish-to-pypi:
+    name: >-
+      Publish Python distribution to PyPI
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    needs:
+    - build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/logging-strict
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing and sigstore
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v3
+      with:
+        name: python-package-distributions
+        path: ${{ env.DEST_FOLDER }}
+
     - name: Publish package
       uses: pypa/gh-action-pypi-publish@release/v1
+
+  github-release:
+    name: >-
+      Sign the Python distribution with Sigstore
+      and upload them to GitHub Release
+    needs:
+    - publish-to-pypi
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write  # IMPORTANT: mandatory for making GitHub Releases
+      id-token: write  # IMPORTANT: mandatory for sigstore
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v3
       with:
-        environment:
-          name: pypi
-          url: https://pypi.org/p/logging-strict
-        permissions:
-          id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
-
-    - name: Release GitHub
-      uses: softprops/action-gh-release@v1
+        name: python-package-distributions
+        path: ${{ env.DEST_FOLDER }}
+    - name: Sign the dists with Sigstore
+      uses: sigstore/[email protected]
       with:
-        files: ${{ env.DEST_FOLDER }}*
+        inputs: >-
+          ./dist/*.tar.gz
+          ./dist/*.whl
+    - name: Create GitHub Release
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ github.token }}
+      run: >-
+        gh release create
+        '${{ github.ref_name }}'
+        --repo '${{ github.repository }}'
+        --notes ""
+    - name: Upload artifact signatures to GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      # Upload to GitHub Release using the `gh` CLI.
+      # `dist/` contains the built packages, and the
+      # sigstore-produced signatures and certificates.
+      run: >-
+        gh release upload
+        '${{ github.ref_name }}' dist/**
+        --repo '${{ github.repository }}'
+
+  publish-to-testpypi:
+    name: Publish Python distribution to TestPyPI
+    needs:
+    - build
+    runs-on: ubuntu-latest
+
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/logging-strict
+
+    permissions:
+      id-token: write  # IMPORTANT: mandatory for trusted publishing
+
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v3
+      with:
+        name: python-package-distributions
+        path: ${{ env.DEST_FOLDER }}
+
+    - name: Publish distribution to TestPyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
+      with:
+        repository-url: https://test.pypi.org/legacy/
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -22,6 +22,16 @@ Changelog
 
 .. scriv-start-here
 
+.. _changes_1-2-14:
+
+Version 1.2.14 — 2024-02-29
+---------------------------
+
+- chore(release.yml): separate build from publish and release
+- chore(release.yml): run on push, not create
+- chore(release.yml): on push publish to test.pypi
+- chore(release.yml): on tagged publish to pypi and github releases
+
 .. _changes_1-2-13:
 
 Version 1.2.13 — 2024-02-29

diff --git a/docs/conf.py b/docs/conf.py
@@ -60,9 +60,9 @@
 # @@@ editable
 copyright = "2023–2024, Dave Faulkmore"
 # The short X.Y.Z version.
-version = "1.2.13"
+version = "1.2.14"
 # The full version, including alpha/beta/rc tags.
-release = "1.2.13"
+release = "1.2.14"
 # The date of release, in "monthname day, year" format.
 release_date = "February 29, 2024"
 # @@@ end