-
Notifications
You must be signed in to change notification settings - Fork 0
140 lines (130 loc) · 4.59 KB
/
Copy pathrelease.yml
File metadata and controls
140 lines (130 loc) · 4.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
name: Release
# Builds multi-platform wheels + sdist and (optionally) publishes to PyPI /
# TestPyPI via Trusted Publishing (OIDC) — no API token is stored.
#
# Triggers:
# * push tag v* -> build, gate on provenance, publish to PyPI.
# * workflow_dispatch -> build, and publish to the chosen target:
# none (artifacts only), testpypi, or pypi.
#
# One-time setup before the first real publish (see docs/releasing.md):
# * Configure a PyPI Trusted Publisher for this repo + workflow, and a
# TestPyPI one for dry runs.
# * Create GitHub environments named `pypi` and `testpypi`.
on:
push:
tags: ["v*"]
workflow_dispatch:
inputs:
publish:
description: Where to publish the built artifacts
type: choice
options: [none, testpypi, pypi]
default: none
permissions:
contents: read
jobs:
provenance-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Check version consistency
# The README is the PyPI project description; block the release if its
# current-version row, nns.__version__, and pyproject disagree.
run: python scripts/check_version_consistency.py
- name: Check release provenance
shell: bash
run: |
if [ "${{ github.event_name }}" = "push" ]; then
# Real tagged release: require full traceability.
python scripts/check_release_provenance.py --tag "${{ github.ref_name }}"
elif [ "${{ inputs.publish }}" = "pypi" ]; then
python scripts/check_release_provenance.py
else
# Dry run / artifact-only / TestPyPI: allow placeholder provenance.
python scripts/check_release_provenance.py --allow-unknown
fi
- name: Verify vendored provenance against upstream
# Real releases only: clone the upstreams at the recorded commits and
# prove the vendored extern/NNS-core and tools/NNS actually came from
# them. Dry runs may carry placeholder provenance, so skip them.
if: github.event_name == 'push' || inputs.publish == 'pypi'
run: python scripts/verify_release_provenance.py
build_wheels:
needs: provenance-check
name: Wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-14, windows-latest]
steps:
- uses: actions/checkout@v4
- name: Build wheels
uses: pypa/cibuildwheel@v4.1.0
- uses: actions/upload-artifact@v4
with:
name: wheels-${{ matrix.os }}
path: ./wheelhouse/*.whl
build_sdist:
needs: provenance-check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Build sdist
run: pipx run build --sdist
- uses: actions/upload-artifact@v4
with:
name: sdist
path: dist/*.tar.gz
check_metadata:
needs: [build_wheels, build_sdist]
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v4
with:
path: dist
merge-multiple: true
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Validate metadata and README rendering (twine check)
run: |
# Pin modern tooling so PEP 639 License-Expression / Metadata 2.4 is
# recognized regardless of any preinstalled system 'packaging'.
python -m pip install -U pip "twine>=6.1" "packaging>=24.2"
python -m twine check --strict dist/*
publish_testpypi:
needs: [build_wheels, build_sdist, check_metadata]
if: github.event_name == 'workflow_dispatch' && inputs.publish == 'testpypi'
runs-on: ubuntu-latest
environment: testpypi
permissions:
id-token: write
steps:
- uses: actions/download-artifact@v4
with:
path: dist
merge-multiple: true
- uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
publish_pypi:
needs: [build_wheels, build_sdist, check_metadata]
if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.publish == 'pypi')
runs-on: ubuntu-latest
environment: pypi
permissions:
id-token: write
steps:
- uses: actions/download-artifact@v4
with:
path: dist
merge-multiple: true
- uses: pypa/gh-action-pypi-publish@release/v1