Prod Release for pantos-io/client-cli - 3.0.0 #8
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Workflow | |
| run-name: ${{ (github.event.release.prerelease && 'Beta') || 'Prod'}} Release for ${{ github.repository }} - ${{ github.event.release.tag_name }} | |
| on: | |
| release: | |
| # Triggered on Pre-Releases and Releases | |
| types: [released, prereleased] | |
| # Only allow one release at the time | |
| concurrency: | |
| group: deploy-${{ github.repository }}-release-${{ github.event.release.prerelease }} | |
| jobs: | |
| define-environment: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.get-environment.outputs.version }} | |
| steps: | |
| - uses: step-security/harden-runner@v2 | |
| with: | |
| disable-sudo: true | |
| egress-policy: audit | |
| - name: Configure Environment | |
| id: get-environment | |
| run: | | |
| wget -O /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver | |
| chmod +x /usr/local/bin/semver | |
| if [[ $(semver validate ${{ github.event.release.tag_name }}) == "invalid" ]]; then | |
| echo "::error title=Invalid Release::Release must be tagged with a valid SemVer version" | |
| exit 1 | |
| fi | |
| echo "version=$(semver get release ${{ github.event.release.tag_name }})" >> $GITHUB_OUTPUT | |
| build: | |
| name: Build Package | |
| needs: define-environment | |
| uses: ./.github/workflows/build.yaml | |
| secrets: 'inherit' | |
| with: | |
| version: ${{ needs.define-environment.outputs.version }} | |
| environment: ${{ github.event.release.prerelease && 'beta' || 'prod' }} | |
| publish-docker: | |
| name: Publish docker image for ${{ needs.define-environment.outputs.deployment_longname }} | |
| needs: [define-environment, build] | |
| uses: ./.github/workflows/publish-docker.yaml | |
| secrets: 'inherit' | |
| with: | |
| tag: ${{ github.event.release.tag_name }}${{ needs.define-environment.outputs.deployment_environment }} | |
| environment: dockerhub | |
| extra_tag: ${{ github.event.release.prerelease && 'beta' || 'latest' }} | |
| publish-pypi: | |
| name: Publish to PyPi | |
| needs: [define-environment, build] | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: pypi | |
| url: https://pypi.org/project/pantos-${{ github.repository }}/${{ needs.define-environment.outputs.version }} | |
| permissions: | |
| id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | |
| steps: | |
| - uses: step-security/harden-runner@v2 | |
| with: | |
| disable-sudo: true | |
| egress-policy: audit | |
| - name: Download build artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: build | |
| path: dist | |
| - name: Publish package distributions to PyPi | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| print-hash: true | |
| repository-url: 'https://upload.pypi.org/legacy/' | |
| add-assets: | |
| name: Add Assets to the ${{ github.event.release.tag_name }} Release | |
| needs: build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - uses: step-security/harden-runner@v2 | |
| with: | |
| disable-sudo: true | |
| egress-policy: audit | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: build | |
| path: release | |
| - name: Upload release assets | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| file: "./release/*" | |
| file_glob: true | |
| overwrite: true | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| tag: ${{ github.event.release.tag_name }} | |
| - uses: robinraju/[email protected] | |
| name: Download tarball | |
| with: | |
| tag: ${{ github.event.release.tag_name }} | |
| tarBall: true | |
| zipBall: true | |
| fileName: '*' | |
| out-file-path: external-release | |
| preRelease: ${{ github.event.release.prerelease }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| repository: ${{ github.repository }} | |
| - name: List directory | |
| run: | | |
| ls -lha external-release | |
| # Remove all the files in external-release that are also present in release | |
| for file in $(ls release); do | |
| rm -f external-release/$file | |
| done | |
| - uses: sigstore/gh-action-sigstore-python@v3 | |
| with: | |
| inputs: external-release/* | |
| - name: Upload signed source code | |
| uses: ncipollo/release-action@v1 | |
| with: | |
| artifacts: "./external-release/*" | |
| artifactErrorsFailBuild: true | |
| allowUpdates: true | |
| tag: ${{ github.event.release.tag_name }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |