mirror of
https://github.com/hwchase17/langchain
synced 2024-11-04 06:00:26 +00:00
96 lines
3.2 KiB
YAML
96 lines
3.2 KiB
YAML
name: test-release
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
working-directory:
|
|
required: true
|
|
type: string
|
|
description: "From which folder this pipeline executes"
|
|
|
|
env:
|
|
POETRY_VERSION: "1.7.1"
|
|
PYTHON_VERSION: "3.10"
|
|
|
|
jobs:
|
|
build:
|
|
if: github.ref == 'refs/heads/master'
|
|
runs-on: ubuntu-latest
|
|
|
|
outputs:
|
|
pkg-name: ${{ steps.check-version.outputs.pkg-name }}
|
|
version: ${{ steps.check-version.outputs.version }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Python + Poetry ${{ env.POETRY_VERSION }}
|
|
uses: "./.github/actions/poetry_setup"
|
|
with:
|
|
python-version: ${{ env.PYTHON_VERSION }}
|
|
poetry-version: ${{ env.POETRY_VERSION }}
|
|
working-directory: ${{ inputs.working-directory }}
|
|
cache-key: release
|
|
|
|
# We want to keep this build stage *separate* from the release stage,
|
|
# so that there's no sharing of permissions between them.
|
|
# The release stage has trusted publishing and GitHub repo contents write access,
|
|
# and we want to keep the scope of that access limited just to the release job.
|
|
# Otherwise, a malicious `build` step (e.g. via a compromised dependency)
|
|
# could get access to our GitHub or PyPI credentials.
|
|
#
|
|
# Per the trusted publishing GitHub Action:
|
|
# > It is strongly advised to separate jobs for building [...]
|
|
# > from the publish job.
|
|
# https://github.com/pypa/gh-action-pypi-publish#non-goals
|
|
- name: Build project for distribution
|
|
run: poetry build
|
|
working-directory: ${{ inputs.working-directory }}
|
|
|
|
- name: Upload build
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: test-dist
|
|
path: ${{ inputs.working-directory }}/dist/
|
|
|
|
- name: Check Version
|
|
id: check-version
|
|
shell: bash
|
|
working-directory: ${{ inputs.working-directory }}
|
|
run: |
|
|
echo pkg-name="$(poetry version | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
|
|
echo version="$(poetry version --short)" >> $GITHUB_OUTPUT
|
|
|
|
publish:
|
|
needs:
|
|
- build
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
# This permission is used for trusted publishing:
|
|
# https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
|
|
#
|
|
# Trusted publishing has to also be configured on PyPI for each package:
|
|
# https://docs.pypi.org/trusted-publishers/adding-a-publisher/
|
|
id-token: write
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/download-artifact@v3
|
|
with:
|
|
name: test-dist
|
|
path: ${{ inputs.working-directory }}/dist/
|
|
|
|
- name: Publish to test PyPI
|
|
uses: pypa/gh-action-pypi-publish@release/v1
|
|
with:
|
|
packages-dir: ${{ inputs.working-directory }}/dist/
|
|
verbose: true
|
|
print-hash: true
|
|
repository-url: https://test.pypi.org/legacy/
|
|
|
|
# We overwrite any existing distributions with the same name and version.
|
|
# This is *only for CI use* and is *extremely dangerous* otherwise!
|
|
# https://github.com/pypa/gh-action-pypi-publish#tolerating-release-package-file-duplicates
|
|
skip-existing: true
|