release.yml
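---
# Manually triggered release pipeline. The `release` job computes a CalVer
# version, stamps CHANGELOG.rst, commits it, pushes a tag and creates a GitHub
# release; the `pypi` and `docker` jobs then build and publish from that tag.
#
# NOTE(review): the third-party actions below are referenced by mutable tags
# or branches. Pinning each `uses:` to a full commit SHA (keeping the tag in a
# trailing comment) stops a moved ref from changing what runs in these jobs.
name: Release

on: workflow_dispatch

jobs:
  release:
    name: Create release
    runs-on: ubuntu-latest
    permissions:
      # This is needed for https://github.com/stefanzweifel/git-auto-commit-action.
      contents: write
    outputs:
      version: ${{ steps.calver.outputs.release }}
      tag: ${{ steps.tag_version.outputs.new_tag }}
    steps:
      - uses: actions/checkout@v6
        with:
          # Fetch all history including tags.
          # Needed to find the latest tag.
          #
          # Also, avoids
          # https://github.com/stefanzweifel/git-auto-commit-action/issues/99.
          fetch-depth: 0
          # Credentials need to persist for stefanzweifel/git-auto-commit-action.
          # NOTE(review): the persisted token stays available to git for every
          # later step in this job, including the third-party actions below.
          # zizmor: ignore[artipacked]
          persist-credentials: true
          # Use a PAT so that the push from git-auto-commit-action
          # can bypass repository ruleset required status checks.
          # The default GITHUB_TOKEN cannot bypass rulesets.
          token: ${{ secrets.RELEASE_PAT }}

      - name: Calver calculate version
        # NOTE(review): `@master` is a branch, not a release. This step runs
        # in a job that holds `contents: write` and the persisted RELEASE_PAT,
        # so it is the first reference to pin to a full commit SHA.
        uses: StephaneBour/actions-calver@master
        id: calver
        with:
          date_format: '%Y.%m.%d'
          release: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Get the changelog underline
        id: changelog_underline
        # The step output is handed over through the environment instead of
        # being expanded into the script text, so its content is only ever
        # treated as data by the shell.
        env:
          RELEASE: ${{ steps.calver.outputs.release }}
        run: |
          underline="$(printf '%s\n' "${RELEASE}" | tr -c '\n' '-')"
          echo "underline=${underline}" >> "$GITHUB_OUTPUT"

      - name: Update changelog
        id: update_changelog
        uses: jacobtomlinson/gha-find-replace@v3
        with:
          find: "Next\n----"
          # NOTE(review): blank lines inside this block scalar are part of the
          # replacement text. This listing shows none between the two headings;
          # confirm against the repository copy.
          replace: |
            Next
            ----
            ${{ steps.calver.outputs.release }}
            ${{ steps.changelog_underline.outputs.underline }}
          include: CHANGELOG.rst
          regex: false

      - name: Check Update changelog was modified
        # Fail the release early when the "Next" heading was not found.
        # The count is read from the environment, not expanded into the script.
        env:
          MODIFIED_FILES: ${{ steps.update_changelog.outputs.modifiedFiles }}
        run: |
          if [ "${MODIFIED_FILES}" = "0" ]; then
            echo "Error: No files were modified when updating changelog"
            exit 1
          fi

      - uses: stefanzweifel/git-auto-commit-action@v7
        id: commit
        with:
          commit_message: Bump CHANGELOG
          file_pattern: CHANGELOG.rst
          # Error if there are no changes.
          skip_dirty_check: true

      - name: Bump version and push tag
        id: tag_version
        uses: mathieudutour/github-tag-action@v6.2
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          custom_tag: ${{ steps.calver.outputs.release }}
          tag_prefix: ''
          # Tag the changelog commit created by the previous step.
          commit_sha: ${{ steps.commit.outputs.commit_hash }}

      - name: Create a GitHub release
        uses: ncipollo/release-action@v1
        with:
          tag: ${{ steps.tag_version.outputs.new_tag }}
          makeLatest: true
          name: Release ${{ steps.tag_version.outputs.new_tag }}
          body: ${{ steps.tag_version.outputs.changelog }}

  pypi:
    name: Publish to PyPI
    needs: release
    runs-on: ubuntu-latest
    # Specifying an environment is strongly recommended by PyPI.
    # See https://github.com/pypa/gh-action-pypi-publish/tree/release/v1/?tab=readme-ov-file#trusted-publishing.
    environment: release
    permissions:
      # This is needed for PyPI publishing.
      # See https://github.com/pypa/gh-action-pypi-publish/tree/release/v1/?tab=readme-ov-file#trusted-publishing.
      id-token: write
    steps:
      - uses: actions/checkout@v6
        with:
          # Build from the tag pushed by the `release` job.
          ref: ${{ needs.release.outputs.tag }}
          # Fetch all history including tags.
          # Needed for setuptools-scm version detection.
          fetch-depth: 0
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          # NOTE(review): a restored cache is an input to the published build.
          # If any other workflow in this repository can write this cache from
          # a less-trusted context, consider `enable-cache: false` in this job.
          enable-cache: true
          cache-dependency-glob: '**/pyproject.toml'

      - name: Build a binary wheel and a source tarball
        run: |
          uv build --sdist --wheel --out-dir dist/
          uv run --extra=release check-wheel-contents dist/*.whl

      # We use PyPI trusted publishing rather than a PyPI API token.
      # See https://github.com/pypa/gh-action-pypi-publish/tree/release/v1/?tab=readme-ov-file#trusted-publishing.
      - name: Publish distribution 📦 to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          verbose: true

  docker:
    name: Publish Docker images
    needs: release
    runs-on: ubuntu-latest
    # No GITHUB_TOKEN scopes are granted to this job; registry access comes
    # from the Docker Hub secrets passed to the login step.
    permissions: {}
    steps:
      - uses: actions/checkout@v6
        with:
          # Build from the tag pushed by the `release` job.
          ref: ${{ needs.release.outputs.tag }}
          persist-credentials: false

      - name: Login to DockerHub
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v4

      - name: Build and push Docker images
        uses: docker/bake-action@v7.0.0
        with:
          push: true
        env:
          VERSION: ${{ needs.release.outputs.version }}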