Add GitHub workflow for making releases #945

Closed
wants to merge 2 commits into from
67 changes: 67 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,67 @@
name: Release

on:
release:

Lately I've been preferring the workflow_dispatch event — it allows me to type in the version number I want and both PyPI and GH releases get created with that.
I can also make Git updates like generating the changelog, bumping the version, making a tag, and pushing that as a part of the workflow, making sure all the steps are automated, lowering the possibility of human errors as much as possible.

types:
- published

jobs:
build:
name: Build artifacts
runs-on: ubuntu-latest
permissions:
id-token: write

Pretty sure nothing uses this. Did you mean to set contents: write for the upload action?

outputs:
hashes: ${{ steps.hash.outputs.hashes }}

I see no such step.

steps:
- uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf

- uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984
with:
python-version: "3.x"

- name: deps
run: python -m pip install -U build

- name: build
run: python -m build

- name: Upload built packages
uses: actions/upload-artifact@v3
with:
name: built-packages
path: ./dist/
if-no-files-found: warn

Why not error out?


release-pypi:
needs: [build]

I strongly recommend putting that token in an environment:

Suggested change
needs: [build]
needs: [build]
environment:
name: pypi
url: https://pypi.org/project/twine/

The environment with the name pypi may be created automatically when this workflow runs. It will be empty.
But you can create it upfront and add the secret there. While on that setting page, also enable the approval requirement and a small cool-down timer.

runs-on: ubuntu-latest
permissions: {}

I think contents: read may be necessary for the artifact download.


Also, you could drop all the privileges on the workflow level additionally.

steps:
- name: Download artifacts diretories # goes to current working directory
uses: actions/download-artifact@v3

- name: publish
uses: pypa/gh-action-pypi-publish@d7edd4c95736a5bc1260d38b5523f5d24338bc25
with:
user: __token__

This is not necessary, it's already the default

Suggested change
user: __token__

password: ${{ secrets.PYPI_TOKEN }}
packages_dir: built-packages/

release-github:
needs: [build]
runs-on: ubuntu-latest
permissions:
# Needed to upload release assets.
contents: write
steps:
- name: Download artifacts diretories # goes to current working directory
uses: actions/download-artifact@v3

- name: Upload artifacts to github
# Confusingly, this action also supports updating releases, not
# just creating them. This is what we want here, since we've manually
# created the release that triggered the action.
uses: softprops/action-gh-release@v1

It is also possible to create discussions attached to the releases. Example: https://github.com/cherrypy/cheroot/releases/tag/v9.0.0 (there's a button at the bottom). I started doing this in my automations.
But I think it only works on creation, not updating. The 📢 announcements discussion category should be pre-existing.

with:
files: built-packages/*
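
Review bot: `actions/upload-artifact@v3` in the build job, `actions/download-artifact@v3` in both release jobs and `softprops/action-gh-release@v1` in release-github are referenced by mutable tags, while `actions/checkout`, `actions/setup-python` and `pypa/gh-action-pypi-publish` in this same file are pinned to full commit SHAs. The tag-referenced steps are the ones that handle the built distributions, and the last one runs in the job that holds `contents: write`, so a retagged action could alter what gets published. Pin these three to commit SHAs as well, with the version noted in a trailing comment, so the whole release path runs reviewed code.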