Merge pull request #256 from andyfaff/pub

Trusted publishing work

Author: mattip

.github/workflows/posix.yml

@@ -10,6 +10,8 @@ on:
   workflow_dispatch: null
   schedule:
     - cron: '0 0 * * 0'
+  workflow_call:
+
 
 jobs:
   build:

.github/workflows/publish.yml

@@ -0,0 +1,136 @@
+name: Publish scipy_openblasN wheels
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Which PyPI environment to upload to, if any
+        required: true
+        type: choice
+        options: [ "none", "testpypi", "pypi" ]
+
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
+
+jobs:
+# -------------------------------------------------------------------------------------
+# Workflows to build wheels
+  call-posix:
+    uses: ./.github/workflows/posix.yml
+
+
+  call-windows:
+    uses: ./.github/workflows/windows.yml
+
+
+  call-windows-arm:
+    uses: ./.github/workflows/windows-arm.yml
+
+
+# -------------------------------------------------------------------------------------
+  check-version:
+    name: Ensure commit is tag before upload to PyPi
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout openblas-libs
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+          submodules: true
+          persist-credentials: false
+
+      - name: Examine git commit
+        run: |
+          if [ -n "$(git tag --points-at HEAD)" ]; then
+            echo "Current HEAD is tagged."
+          else
+            echo "Current HEAD is not tagged."
+            exit 1
+          fi
+          
+
+# -------------------------------------------------------------------------------------
+  testpypi-publish32:
+    name: Publish scipy-openblas32 to TestPyPI
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'
+    needs: [call-posix, call-windows, call-windows-arm]
+    runs-on: ubuntu-latest
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/project/scipy-openblas32/
+    permissions:
+      id-token: write  # mandatory for trusted publishing
+    steps:
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          # I think the run-id for call-posix, call-windows, call-windows-arm should all be the same
+          run-id: ${{ needs.call-posix.outputs.run_id }}
+          pattern: wheels-*
+          merge-multiple: true
+          path: dist
+
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
+          print-hash: true
+          attestations: true
+
+
+  testpypi-publish64:
+    name: Publish scipy-openblas64 to TestPyPI
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'
+    needs: [call-posix, call-windows, call-windows-arm]
+    runs-on: ubuntu-latest
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/project/scipy-openblas64/
+    permissions:
+      id-token: write  # mandatory for trusted publishing
+    steps:
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          # I think the run-id for call-posix, call-windows, call-windows-arm should all be the same
+          run-id: ${{ needs.call-posix.outputs.run_id }}
+          pattern: wheels-*
+          merge-multiple: true
+          path: dist
+
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
+          print-hash: true
+          attestations: true
+
+## -------------------------------------------------------------------------------------
+#  pypi-publish:
+#    name: Publish release to PyPI
+#    if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi'
+#    needs: [call-posix, call-windows, call-windows-arm, check-version]
+#    runs-on: ubuntu-latest
+#    environment:
+#      name: pypi
+#      url: https://pypi.org/p/scipy_openblas-32
+#    permissions:
+#      id-token: write  # mandatory for trusted publishing
+#    steps:
+#      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+#        with:
+#          run-id: ${{ needs.call-posix.outputs.run_id }}
+#          pattern: wheels-*
+#          merge-multiple: true
+#          path: dist
+#
+#      - name: Publish
+#        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+#        with:
+#          print-hash: true
+#          attestations: true

.github/workflows/windows-arm.yml

@@ -7,6 +7,8 @@ on:
     branches:
       - main
       - maintenance/**
+  workflow_call:
+
 
 env:
   OPENBLAS_ROOT: "c:\\opt"

.github/workflows/windows.yml

@@ -8,6 +8,7 @@ on:
       - main
       - maintenance/**
   workflow_dispatch: null
+  workflow_call:
 
 env:
   OPENBLAS_ROOT: "c:\\opt"