name: test-release on: workflow_call: inputs: working-directory: required: true type: string description: "From which folder this pipeline executes" dangerous-nonmaster-release: required: false type: boolean default: false description: "Release from a non-master branch (danger!)" env: POETRY_VERSION: "1.7.1" PYTHON_VERSION: "3.10" jobs: build: if: github.ref == 'refs/heads/master' || inputs.dangerous-nonmaster-release runs-on: ubuntu-latest outputs: pkg-name: ${{ steps.check-version.outputs.pkg-name }} version: ${{ steps.check-version.outputs.version }} steps: - uses: actions/checkout@v4 - name: Set up Python + Poetry ${{ env.POETRY_VERSION }} uses: "./.github/actions/poetry_setup" with: python-version: ${{ env.PYTHON_VERSION }} poetry-version: ${{ env.POETRY_VERSION }} working-directory: ${{ inputs.working-directory }} cache-key: release # We want to keep this build stage *separate* from the release stage, # so that there's no sharing of permissions between them. # The release stage has trusted publishing and GitHub repo contents write access, # and we want to keep the scope of that access limited just to the release job. # Otherwise, a malicious `build` step (e.g. via a compromised dependency) # could get access to our GitHub or PyPI credentials. # # Per the trusted publishing GitHub Action: # > It is strongly advised to separate jobs for building [...] # > from the publish job. # https://github.com/pypa/gh-action-pypi-publish#non-goals - name: Build project for distribution run: poetry build working-directory: ${{ inputs.working-directory }} - name: Upload build uses: actions/upload-artifact@v4 with: name: test-dist path: ${{ inputs.working-directory }}/dist/ - name: Check Version id: check-version shell: bash working-directory: ${{ inputs.working-directory }} run: | echo pkg-name="$(poetry version | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT echo version="$(poetry version --short)" >> $GITHUB_OUTPUT publish: needs: - build runs-on: ubuntu-latest permissions: # This permission is used for trusted publishing: # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ # # Trusted publishing has to also be configured on PyPI for each package: # https://docs.pypi.org/trusted-publishers/adding-a-publisher/ id-token: write steps: - uses: actions/checkout@v4 - uses: actions/download-artifact@v4 with: name: test-dist path: ${{ inputs.working-directory }}/dist/ - name: Publish to test PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: packages-dir: ${{ inputs.working-directory }}/dist/ verbose: true print-hash: true repository-url: https://test.pypi.org/legacy/ # We overwrite any existing distributions with the same name and version. # This is *only for CI use* and is *extremely dangerous* otherwise! # https://github.com/pypa/gh-action-pypi-publish#tolerating-release-package-file-duplicates skip-existing: true