From faef0404077d2fe911c720789ef69040d702ad46 Mon Sep 17 00:00:00 2001
From: Lukas Puehringer
Date: Wed, 30 Mar 2022 13:25:34 +0200
Subject: [PATCH 1/8] build: add GH workflow to build + release on PyPI Add workflow with two jobs to build and publish on PyPI. The release job waits for the build job and uses a custom release environment, which can be configured to require review. To share the build artifacts between the jobs and to make them available for intermediate review, they are stored using 'actions/upload-artifact' and 'actions/download-artifact'. https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts To upload the build artifacts to PyPI, the PyPA recommended 'pypa/gh-action-pypi-publish' is used. https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ **Caveat** The URL to grab the artifacts, e.g. for review, requires knowledge of action ID and artifact ID, and a login token (no special permissions). This makes it a bit cumbersome to fetch the artifacts with a script and compare them to a local build. https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts
Signed-off-by: Lukas Puehringer
---
.github/workflows/cd.yml | 51 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 .github/workflows/cd.yml
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
new file mode 100644
index 0000000000..bc28c23f05
--- /dev/null
+++ b/.github/workflows/cd.yml
@@ -0,0 +1,51 @@
+name: CD
+concurrency: cd
+
+# Trigger workflow on release tag push
+on:
+ push:
+ # TODO: Should we restrict to vX.Y.Z tags?
+ tags: v*
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout release tag
+ uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+
+ - name: Set up Python
+ uses: actions/setup-python@0ebf233433c08fb9061af664d501c3f3ff0e9e20
+ with:
+ python-version: '3.x'
+
+ - name: Install build dependency
+ run: python3 -m pip install --upgrade pip build
+
+ - name: Build binary wheel and source tarball
+ run: python3 -m build --sdist --wheel --outdir dist/ .
+
+ - name: Store build artifacts for review and release
+ uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+ with:
+ name: build-artifacts
+ path: dist
+
+ release-on-pypi:
+ name: Release on PyPI
+ runs-on: ubuntu-latest
+ needs: build
+ environment: release
+ steps:
+ - name: Fetch build artifacts
+ uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+ with:
+ name: build-artifacts
+ path: dist
+
+ - name: Publish binary wheel and source tarball on PyPI
+ uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295
+ with:
+ user: __token__
+ password: ${{ secrets.PYPI_API_TOKEN }}
From 5bfe897335d0303b07bd860f27611682fbaa7963 Mon Sep 17 00:00:00 2001
From: Lukas Puehringer
Date: Wed, 6 Apr 2022 16:50:28 +0200
Subject: [PATCH 2/8] build: update CD workflow to create GH release - Create preliminary GitHub release (X.Y.Z-rc) in 'build' job, using popular 3rd-party 'softprops/action-gh-release'. - Finalize GH release in 'release' job using custom GH script.
Signed-off-by: Lukas Puehringer
---
.github/workflows/cd.yml | 35 ++++++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index bc28c23f05..f4d3fa000a 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
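Review bot: Neither job in the new cd.yml declares `permissions:`, so the build steps and the third-party publish action run with whatever GITHUB_TOKEN scope the repository default grants. Nothing in this version of the workflow writes to the repository, so a top-level `permissions: {contents: read}` would cover both jobs. The step `python3 -m pip install --upgrade pip build` also resolves the newest pip and build at release time, unlike the actions, which are pinned to commit SHAs; pinning those two tools to reviewed versions would keep the toolchain that produces the published wheel and sdist fixed between a local comparison build and CI.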
@@ -11,6 +11,8 @@ jobs: build: name: Build runs-on: ubuntu-latest + outputs: + release_id: ${{ steps.gh-release.outputs.id }} steps: - name: Checkout release tag uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 @@ -26,14 +28,29 @@ jobs: - name: Build binary wheel and source tarball run: python3 -m build --sdist --wheel --outdir dist/ . - - name: Store build artifacts for review and release + - id: gh-release + name: Publish GitHub release candiate + uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 + with: + name: ${{ github.ref_name }}-rc + tag_name: ${{ github.ref }} + body: "Release waiting for review..." + files: dist/* + + - name: Store build artifacts + # NOTE: The release job could download the assets from the GitHub release page, + # published in the previous step. But using the GitHub upload/download actions + # seems more robust as there is no need to compute download URLs. + # NOTE: (2) action-gh-release returns download URLSs as output, which could be + # propagated to next job along with release_id (see above) + # https://github.com/softprops/action-gh-release#outputs uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 with: name: build-artifacts path: dist - release-on-pypi: - name: Release on PyPI + release: + name: Release runs-on: ubuntu-latest needs: build environment: release @@ -49,3 +66,15 @@ jobs: with: user: __token__ password: ${{ secrets.PYPI_API_TOKEN }} + + - name: Finalize GitHub release + uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e + with: + script: | + await github.rest.repos.updateRelease({ + owner: context.repo.owner, + repo: context.repo.repo, + release_id: '${{ needs.build.outputs.release_id }}', + name: '${{ github.ref_name }}', + body: 'See [CHANGELOG.md](https://github.com/'+ context.repo.owner +'/'+ context.repo.repo +'/blob/${{ github.ref_name }}/docs/CHANGELOG.md) for details.' + }) 
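Review bot: The `gh-release` step attaches `dist/*` to a public release before the `release` environment review has happened, and only the `-rc` name and the body text mark it as unreviewed. The action has a `prerelease` input; adding `prerelease: true` here, and `prerelease: false` to the `updateRelease` call in the finalize step, would keep the candidate from being presented as the latest release while it waits for approval. Whether the `verify_release` script still finds a candidate flagged this way is not visible from this hunk and should be checked before adopting it. The step name also reads `candiate` for `candidate`.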
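Review bot: The `script:` body of the "Finalize GitHub release" step has `${{ needs.build.outputs.release_id }}` and `${{ github.ref_name }}` expanded straight into quoted JavaScript literals, so the ref name becomes part of the program text before it runs, and a name containing a quote character would change the script rather than just the release title. Passing both values through `env:` and reading them from `process.env` keeps them as data. The same step is touched again in patches 3/8 and 8/8, where the interpolated value becomes `github.event.workflow_run.head_branch`, which is set by whatever triggered the CI run, so the change matters more there.

```yaml
      - name: Finalize GitHub release
        uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e
        env:
          RELEASE_ID: ${{ needs.build.outputs.release_id }}
          REF_NAME: ${{ github.ref_name }}
        with:
          script: |
            const refName = process.env.REF_NAME
            await github.rest.repos.updateRelease({
              // … unchanged: owner and repo fields …
              release_id: process.env.RELEASE_ID,
              name: refName,
              body: 'See [CHANGELOG.md](https://github.com/' +
                context.repo.owner + '/' + context.repo.repo +
                '/blob/' + refName + '/docs/CHANGELOG.md) for details.'
            })
```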
From a1a71c11a1aff4bb0919c8cc9e6192b4e8d05e2e Mon Sep 17 00:00:00 2001
From: Lukas Puehringer
Date: Wed, 6 Apr 2022 16:25:18 +0200
Subject: [PATCH 3/8] build: update CI/CD workflow to run in series - Change CI workflow to also run on push to (release) tag - Change CD workflow to run on successful CI run, and only if a (release) tag push triggered the CI NOTE: Unfortunately the setup is not very robust (see code comment in cd.yml)
Signed-off-by: Lukas Puehringer
---
.github/workflows/cd.yml | 30 ++++++++++++++++++++++--------
.github/workflows/ci.yml | 4 ++++
2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index f4d3fa000a..1b38b1ae26 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -1,21 +1,35 @@ name: CD concurrency: cd -# Trigger workflow on release tag push +# Trigger workflow on completed CI (further checks below) on: - push: - # TODO: Should we restrict to vX.Y.Z tags? - tags: v* + workflow_run: + workflows: [CI] + types: [completed] jobs: build: name: Build runs-on: ubuntu-latest + # Skip unless CI was successful and ran on a ref starting with 'v' (release tag) + if: ${{ github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'v') }} + # NOTE: This works because we currently only trigger CI on a push to the 'develop' + # branch or a 'v*'-tag, but it seems rather brittle. + # Unfortunately, there is not much more info we get from the CI workflow + # ('workflow_run') than the ref name. No ref, ref_type, etc., so we don't even know + # if a tag or a branch was pushed. :( + # See https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_run + # NOTE: (2) An alternative solution might be to restructure workflows, so that all + # test logic from 'ci.yml' is moved to a separate workflow file '_test.yml', that + # can be included in both CI (triggered on push to 'develop'-branch) and CD + # (triggered on push to 'v*'-tag) workflows. outputs: release_id: ${{ steps.gh-release.outputs.id }} steps: - name: Checkout release tag uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 + with: + ref: ${{ github.event.workflow_run.head_branch }} - name: Set up Python uses: actions/setup-python@0ebf233433c08fb9061af664d501c3f3ff0e9e20 @@ -32,8 +46,8 @@ jobs: name: Publish GitHub release candiate uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 with: - name: ${{ github.ref_name }}-rc - tag_name: ${{ github.ref }} + name: ${{ github.event.workflow_run.head_branch }}-rc + tag_name: ${{ github.event.workflow_run.head_branch }} body: "Release waiting for review..." files: dist/* 
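Review bot: The `if:` guard on the `build` job checks only the CI conclusion and that `head_branch` starts with 'v', while the ci.yml section of this same patch keeps the `pull_request` and `workflow_dispatch` triggers, so a CI run for any branch whose name starts with 'v' satisfies it as well as a tag push. The `workflow_run` payload carries the triggering event name, so the condition can additionally require `github.event.workflow_run.event == 'push'`; comparing `github.event.workflow_run.head_repository.full_name` with `github.repository` would further exclude runs that originate from forks. The checkout's `ref: ${{ github.event.workflow_run.head_branch }}` resolves a branch or a tag of that name, so this guard is the only thing tying the job to a release tag. The rewritten guard in patch 8/8 has the same gap, and its comment states the assumption rather than enforcing it.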
@@ -75,6 +89,6 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, release_id: '${{ needs.build.outputs.release_id }}', - name: '${{ github.ref_name }}', - body: 'See [CHANGELOG.md](https://github.com/'+ context.repo.owner +'/'+ context.repo.repo +'/blob/${{ github.ref_name }}/docs/CHANGELOG.md) for details.' + name: '${{ github.event.workflow_run.head_branch }}', + body: 'See [CHANGELOG.md](https://github.com/'+ context.repo.owner +'/'+ context.repo.repo +'/blob/${{ github.event.workflow_run.head_branch }}/docs/CHANGELOG.md) for details.' }) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f25da73c3c..b7c9211f1c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,10 @@ on: push: branches: - develop + tags: + # TODO: Should we restrict to vX.Y.Z tags? + - v* + pull_request: workflow_dispatch: From a76ed28c02f8b261f048945d4fb5abc27d46a496 Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Wed, 6 Apr 2022 16:31:22 +0200 Subject: [PATCH 4/8] build: lint 'verify_release' with tox Enable tox to lint 'verify_release' script and fix: - whitespace - unused import (we only import here to see if the module is available for use in a subprocess) - unfound import (same as unused import) Signed-off-by: Lukas Puehringer --- tox.ini | 2 +- verify_release | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/tox.ini b/tox.ini index a27758366f..d61df9390e 100644 --- a/tox.ini +++ b/tox.ini @@ -39,7 +39,7 @@ commands = [testenv:lint] changedir = {toxinidir} -lint_dirs = tuf examples tests +lint_dirs = tuf examples tests verify_release commands = black --check --diff {[testenv:lint]lint_dirs} isort --check --diff {[testenv:lint]lint_dirs} diff --git a/verify_release b/verify_release index 6479720184..7902c25996 100755 --- a/verify_release +++ b/verify_release 
@@ -17,12 +17,12 @@ from filecmp import dircmp from tempfile import TemporaryDirectory try: + import build as _ # type: ignore import requests - import build except ImportError: - print ("Error: verify_release requires modules 'requests' and 'build':") - print (" pip install requests build") - exit(1) + print("Error: verify_release requires modules 'requests' and 'build':") + print(" pip install requests build") + sys.exit(1) # Project variables # Note that only these project artifacts are supported: @@ -128,7 +128,6 @@ def progress(s: str) -> None: def main() -> int: success = True with TemporaryDirectory() as build_dir: - progress("Building release") build_version = build(build_dir) finished(f"Built release {build_version}") From 4f275ad63636a22dd7a4c52d990ef81a3fb452b7 Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Wed, 6 Apr 2022 16:36:37 +0200 Subject: [PATCH 5/8] build: add skip-pypi flag to verify_release script Add '--skip-pypi' flag to 'verify_release' script to allow for pre-release checks, when the automatic build job has uploaded the build assets to GitHub and is awaiting review/approval in order to upload it to PyPI eventually. Signed-off-by: Lukas Puehringer --- verify_release | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/verify_release b/verify_release index 7902c25996..b521d4faa5 100755 --- a/verify_release +++ b/verify_release @@ -9,6 +9,7 @@ Builds a release from current commit and verifies that the release artifacts on GitHub and PyPI match the built release artifacts. """ +import argparse import json import os import subprocess @@ -126,6 +127,15 @@ def progress(s: str) -> None: def main() -> int: + parser = argparse.ArgumentParser() + parser.add_argument( + "--skip-pypi", + action="store_true", + dest="skip_pypi", + help="Skip PyPI release check.", + ) + args = parser.parse_args() + success = True with TemporaryDirectory() as build_dir: progress("Building release") 
@@ -142,16 +152,17 @@ def main() -> int: if github_version != build_version: finished(f"WARNING: GitHub latest version is {github_version}") - progress("Checking PyPI latest version") - pypi_version = get_pypi_pip_version() - if pypi_version != build_version: - finished(f"WARNING: PyPI latest version is {pypi_version}") - - progress("Downloading release from PyPI") - if not verify_pypi_release(build_version, build_dir): - # This is expected while build is not reproducible - finished("ERROR: PyPI artifacts do not match built release") - success = False + if not args.skip_pypi: + progress("Checking PyPI latest version") + pypi_version = get_pypi_pip_version() + if pypi_version != build_version: + finished(f"WARNING: PyPI latest version is {pypi_version}") + + progress("Downloading release from PyPI") + if not verify_pypi_release(build_version, build_dir): + # This is expected while build is not reproducible + finished("ERROR: PyPI artifacts do not match built release") + success = False progress("Downloading release from GitHub") if not verify_github_release(build_version, build_dir): From 37cb272a437c2a2455a1172d74e57055c6056ae6 Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Wed, 6 Apr 2022 16:33:27 +0200 Subject: [PATCH 6/8] doc: describe auto release workflow in RELEASE.md Change RELEASE.md to include instructions to trigger and review auto release workflow (CI/CD). Signed-off-by: Lukas Puehringer --- docs/RELEASE.md | 60 +++++++++++++++++++++---------------------------- 1 file changed, 25 insertions(+), 35 deletions(-) diff --git a/docs/RELEASE.md b/docs/RELEASE.md index 69f5ef11ad..710b2be99c 100644 --- a/docs/RELEASE.md +++ b/docs/RELEASE.md 
@@ -1,39 +1,29 @@ # Release process -* Ensure you have a backup of all working files and then remove files not tracked by git - `git clean -xdf`. **NOTE**: this will delete all files in the tuf tree that aren't - tracked by git -* Ensure `docs/CHANGELOG.md` contains a one-line summary of each [notable +1. Ensure `docs/CHANGELOG.md` contains a one-line summary of each [notable change](https://keepachangelog.com/) since the prior release -* Update `tuf/__init__.py` to the new version number "A.B.C" -* Test packaging, uploading to Test PyPI and installing from a virtual environment - (ensure commands invoking `python` below are using Python 3) - * Remove existing dist build dirs - * Create source dist and wheel `python3 -m build` - * Sign source dist `gpg --detach-sign -a dist/tuf-A.B.C.tar.gz` - * Sign wheel `gpg --detach-sign -a dist/tuf-A.B.C-py3-none-any.whl` - * Upload to test PyPI `twine upload --repository testpypi dist/*` - * Verify the uploaded package at https://test.pypi.org/project/tuf/: - Note that installing packages with pip using test.pypi.org is potentially - dangerous (as dependencies may be squatted): download the file and install - the local file instead. -* Create a PR with updated `CHANGELOG.md` and version bumps -* Once the PR is merged, pull the updated `develop` branch locally -* Create a signed tag matching the updated version number on the merge commit +2. Update `tuf/__init__.py` to the new version number `A.B.C` +3. Create a PR with updated `CHANGELOG.md` and version bumps + +➔ Review PR on GitHub + +4. Once the PR is merged, pull the updated `develop` branch locally +5. 
Create a signed tag for the version number on the merge commit `git tag --sign vA.B.C -m "vA.B.C"` - * Push the tag to GitHub `git push origin vA.B.C` -* Create a new release on GitHub, copying the `CHANGELOG.md` entries for the - release -* Create a package for the formal release - (ensure commands invoking `python` below are using Python 3) - * Remove existing dist build dirs - * Create source dist and wheel `python3 -m build` - * Sign source dist `gpg --detach-sign -a dist/tuf-A.B.C.tar.gz` - * Sign wheel `gpg --detach-sign -a dist/tuf-A.B.C-py3-none-any.whl` - * Upload to PyPI `twine upload dist/*` - * Verify the package at https://pypi.org/project/tuf/ and by installing with pip -* Attach both signed dists and their detached signatures to the release on GitHub -* `verify_release` should be used to make sure the release artifacts match the - git sources, preferably by another developer on a different machine. -* Announce the release on [#tuf on CNCF Slack](https://cloud-native.slack.com/archives/C8NMD3QJ3) -* Ensure [POUF 1](https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md), for the reference implementation, is up-to-date +6. Push the tag to GitHub `git push origin vA.B.C` + + *A push triggers the [CI workflow](.github/workfows/ci.yml), which, on success, triggers + the [CD worfklow](.github/workfows/cd.yml), which builds source dist and wheel, + creates a preliminary GitHub release under `vA.B.C-rc`, and pauses for review.* + +7. Run `verify_release --skip-pypi` locally to make sure a build on your machine matches + the preliminary release artifacts published on GitHub. + +➔ [Review *deployemnt*](https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments) on GitHub + + *An approval resumes the CD workflow to publish the release on PyPI, and to finalize the + GitHub release (removse `-rc` suffix and updates release notes).* + +8. `verify_release` may be used again to make sure the release artifacts PyPI. 
+9. Announce the release on [#tuf on CNCF Slack](https://cloud-native.slack.com/archives/C8NMD3QJ3) +10. Ensure [POUF 1](https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md), for the reference implementation, is up-to-date From 674eb9d096708220964e69b10dbdc32cc1659ce8 Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Wed, 20 Apr 2022 14:54:57 +0200 Subject: [PATCH 7/8] doc: describe repo setup in RELEASE.md + typos fix Signed-off-by: Lukas Puehringer --- docs/RELEASE.md | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/docs/RELEASE.md b/docs/RELEASE.md index 710b2be99c..a49b3f4c48 100644 --- a/docs/RELEASE.md +++ b/docs/RELEASE.md @@ -1,5 +1,23 @@ # Release process + +**Prerequisites (one-time setup)** + + +1. Go to [PyPI management page](https://pypi.org/manage/account/#api-tokens) and create + an [API token](https://pypi.org/help/#apitoken) with its scope limited to the tuf project. +1. Go to [GitHub + settings](https://github.com/theupdateframework/python-tuf/settings/environments), + create an + [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment) + called `release` and configure [review + protection](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#required-reviewers). +1. In the environment create a + [secret](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets) + called `PYPI_API_TOKEN` and paste the token created above. + +## Release + 1. Ensure `docs/CHANGELOG.md` contains a one-line summary of each [notable change](https://keepachangelog.com/) since the prior release 2. Update `tuf/__init__.py` to the new version number `A.B.C` 
@@ -12,18 +30,21 @@ `git tag --sign vA.B.C -m "vA.B.C"` 6. Push the tag to GitHub `git push origin vA.B.C` - *A push triggers the [CI workflow](.github/workfows/ci.yml), which, on success, triggers - the [CD worfklow](.github/workfows/cd.yml), which builds source dist and wheel, - creates a preliminary GitHub release under `vA.B.C-rc`, and pauses for review.* + *A push triggers the [CI workflow](.github/workfows/ci.yml), which, on success, + triggers the [CD workflow](.github/workfows/cd.yml), which builds source dist and + wheel, creates a preliminary GitHub release under `vA.B.C-rc`, and pauses for review.* 7. Run `verify_release --skip-pypi` locally to make sure a build on your machine matches the preliminary release artifacts published on GitHub. -➔ [Review *deployemnt*](https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments) on GitHub +➔ [Review *deployment*](https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments) +on GitHub *An approval resumes the CD workflow to publish the release on PyPI, and to finalize the - GitHub release (removse `-rc` suffix and updates release notes).* + GitHub release (removes `-rc` suffix and updates release notes).* -8. `verify_release` may be used again to make sure the release artifacts PyPI. +8. `verify_release` may be used again to make sure the PyPI release artifacts match the + local build as well. 9. Announce the release on [#tuf on CNCF Slack](https://cloud-native.slack.com/archives/C8NMD3QJ3) -10. Ensure [POUF 1](https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md), for the reference implementation, is up-to-date +10. Ensure [POUF 1](https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md), + for the reference implementation, is up-to-date From b99d0432a7f0a803c492580085e85f81908e0dc1 Mon Sep 17 00:00:00 2001 
From: Lukas Puehringer Date: Wed, 20 Apr 2022 14:56:27 +0200 Subject: [PATCH 8/8] build: minor updates in CI/CD workflow files - polish code comments - wrap long lines Signed-off-by: Lukas Puehringer --- .github/workflows/cd.yml | 33 +++++++++++++-------------------- .github/workflows/ci.yml | 2 +- 2 files changed, 14 insertions(+), 21 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 1b38b1ae26..e36e6e3683 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -1,7 +1,7 @@ name: CD concurrency: cd -# Trigger workflow on completed CI (further checks below) +# Trigger workflow on any completed CI (see further checks below) on: workflow_run: workflows: [CI] 
@@ -11,18 +11,11 @@ jobs: build: name: Build runs-on: ubuntu-latest - # Skip unless CI was successful and ran on a ref starting with 'v' (release tag) - if: ${{ github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'v') }} - # NOTE: This works because we currently only trigger CI on a push to the 'develop' - # branch or a 'v*'-tag, but it seems rather brittle. - # Unfortunately, there is not much more info we get from the CI workflow - # ('workflow_run') than the ref name. No ref, ref_type, etc., so we don't even know - # if a tag or a branch was pushed. :( - # See https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_run - # NOTE: (2) An alternative solution might be to restructure workflows, so that all - # test logic from 'ci.yml' is moved to a separate workflow file '_test.yml', that - # can be included in both CI (triggered on push to 'develop'-branch) and CD - # (triggered on push to 'v*'-tag) workflows. + # Skip unless CI was successful and ran on release tag, a ref starting with 'v'. + # NOTE: We assume CI does not trigger on branches that start with 'v' (see #1961) + if: >- + github.event.workflow_run.conclusion == 'success' && + startsWith(github.event.workflow_run.head_branch, 'v') outputs: release_id: ${{ steps.gh-release.outputs.id }} steps: 
@@ -52,13 +45,10 @@ jobs: files: dist/* - name: Store build artifacts - # NOTE: The release job could download the assets from the GitHub release page, - # published in the previous step. But using the GitHub upload/download actions - # seems more robust as there is no need to compute download URLs. - # NOTE: (2) action-gh-release returns download URLSs as output, which could be - # propagated to next job along with release_id (see above) - # https://github.com/softprops/action-gh-release#outputs uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 + # NOTE: The GitHub release page contains the release artifacts too, but using + # GitHub upload/download actions seems robuster: there is no need to compute + # download URLs and tampering with artifacts between jobs is more limited. with: name: build-artifacts path: dist @@ -90,5 +80,8 @@ jobs: repo: context.repo.repo, release_id: '${{ needs.build.outputs.release_id }}', name: '${{ github.event.workflow_run.head_branch }}', - body: 'See [CHANGELOG.md](https://github.com/'+ context.repo.owner +'/'+ context.repo.repo +'/blob/${{ github.event.workflow_run.head_branch }}/docs/CHANGELOG.md) for details.' + body: 'See [CHANGELOG.md](https://github.com/' + + context.repo.owner + '/' + context.repo.repo + '/blob/' + + '${{ github.event.workflow_run.head_branch }}'+ + '/docs/CHANGELOG.md) for details.' }) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b7c9211f1c..b899d33ba4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,11 +1,11 @@ name: CI on: + # NOTE: CD relies on this configuration (see #1961) push: branches: - develop tags: - # TODO: Should we restrict to vX.Y.Z tags? - v* pull_request: