Skip to content

Merge pull request #47 from smochan/dependabot/github_actions/actions… #35

Merge pull request #47 from smochan/dependabot/github_actions/actions…

Merge pull request #47 from smochan/dependabot/github_actions/actions… #35

Workflow file for this run

name: release
# Triggered by version tag push. Final-version tags (e.g. v0.1.0) publish to
# PyPI; pre-release tags (any of rc / a / b / .dev — e.g. v0.1.0rc1) publish
# to TestPyPI as a dry-run.
#
# Authentication is via OIDC trusted publishing — no PYPI_API_TOKEN secret
# needed. The repo + workflow + environment must be registered as a Trusted
# Publisher on pypi.org (and separately on test.pypi.org) before the first
# tag is pushed. See PR description for the one-time setup steps.
on:
push:
tags:
- "v*"
permissions:
contents: read
jobs:
build:
name: Build + validate dist
runs-on: ubuntu-latest
outputs:
is_prerelease: ${{ steps.classify.outputs.is_prerelease }}
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: actions/setup-python@v6
with:
python-version: "3.12"
cache: pip
- name: Install build tooling
run: |
python -m pip install --upgrade pip
pip install build twine
- name: Verify tag matches pyproject version
# Safety net: tagging v0.1.0 while pyproject still says 0.1.0rc1
# would otherwise upload the wrong-named artifact.
run: |
tag="${GITHUB_REF_NAME#v}"
pkg=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
if [ "$tag" != "$pkg" ]; then
echo "::error::Tag '$tag' does not match pyproject version '$pkg'."
echo "::error::Bump pyproject.toml to '$tag' (or retag) before re-running."
exit 1
fi
echo "✓ tag $tag matches pyproject version $pkg"
- name: Build sdist + wheel
run: python -m build
- name: twine check
run: twine check --strict dist/*
- name: Classify release
id: classify
# PEP 440 pre-release markers: rcN, aN, bN, .devN.
run: |
if [[ "${GITHUB_REF_NAME}" =~ (rc|a[0-9]|b[0-9]|\.dev) ]]; then
echo "is_prerelease=true" >> "$GITHUB_OUTPUT"
echo "▸ pre-release → TestPyPI"
else
echo "is_prerelease=false" >> "$GITHUB_OUTPUT"
echo "▸ final → PyPI"
fi
- uses: actions/upload-artifact@v7
with:
name: dist
path: dist/
publish-testpypi:
name: Publish to TestPyPI
needs: build
if: needs.build.outputs.is_prerelease == 'true'
runs-on: ubuntu-latest
environment:
name: testpypi
url: https://test.pypi.org/p/polycodegraph
permissions:
id-token: write # OIDC trusted publishing
steps:
- uses: actions/download-artifact@v8
with:
name: dist
path: dist/
- name: Publish to TestPyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
publish-pypi:
name: Publish to PyPI
needs: build
if: needs.build.outputs.is_prerelease == 'false'
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/polycodegraph
permissions:
id-token: write # OIDC trusted publishing
steps:
- uses: actions/download-artifact@v8
with:
name: dist
path: dist/
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
github-release:
name: Create GitHub Release
needs: [build, publish-pypi]
if: needs.build.outputs.is_prerelease == 'false'
runs-on: ubuntu-latest
permissions:
contents: write # creates the GitHub Release
steps:
- uses: actions/checkout@v6
- uses: actions/download-artifact@v8
with:
name: dist
path: dist/
- name: Publish GitHub Release
uses: softprops/action-gh-release@v3
with:
body_path: CHANGELOG.md
files: dist/*
draft: false
prerelease: false