Release version and publish package #494
---
name: Release version and publish package

# Runs after the "Build and test" workflow finishes; the artifacts of that run
# are what the jobs below download and publish.
on:  # yamllint disable-line rule:truthy
  workflow_run:
    workflows:
      - Build and test
    types:
      - completed
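jobs:
  # Create release
  release:
    # Only act on a successful run of the default branch that was not triggered by
    # a pull request: the artifacts downloaded below would otherwise come from an
    # untrusted run.
    if: |
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event != 'pull_request' &&
      github.event.workflow_run.head_branch == github.event.repository.default_branch
    name: Create release and publish package
    runs-on: ubuntu-latest
    outputs:
      # 'true' when the release action decided a release was made; gates publish-pypi
      release-condition: ${{ steps.release.outputs.release-condition }}
      # version string read from pyproject.toml (see the "Get version" step)
      release-version: ${{ steps.version.outputs.value }}
      # fresh id handed to the terrafirm scan job (TF_VAR_codebuild_id)
      scan-build-run-id: ${{ steps.scan-build.outputs.run-id }}
    permissions:
      actions: read  # Required to download artifacts from other workflow runs
      # The release itself is created with the GH_RELEASES_TOKEN secret below,
      # so the job token can stay read-only.
      contents: read
    steps:
      - name: Retrieve source
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          name: source
          path: .
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}
      - name: Retrieve release distributions
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          name: dists
          path: dist/
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}
      - name: Retrieve standalone binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          pattern: standalone-*
          path: .pyinstaller/dist
          merge-multiple: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}
      - name: Get version
        id: version
        # Reads `version = "..."` from the downloaded pyproject.toml and exposes it
        # as the `value` output. The default `run` shell is `bash -e` without
        # pipefail, so the pipeline is made strict explicitly and the result is
        # validated: the value goes into $GITHUB_OUTPUT and is later embedded in an
        # S3 path, so an empty or multi-line value must fail the job here.
        run: |
          set -euo pipefail
          # -m1: first assignment only; both grep and sed accept optional whitespace
          # around '=' (the previous sed pattern required exactly one space, so a
          # line grep matched could pass through unstripped).
          VERSION="$(grep -m1 -E '^version[[:space:]]*=' pyproject.toml \
            | sed -E 's/^version[[:space:]]*=[[:space:]]*"([^"]*)"[[:space:]]*$/\1/' || true)"
          VERSION_RE='^[0-9A-Za-z.+!-]+$'
          if ! [[ "${VERSION}" =~ ${VERSION_RE} ]]; then
            echo "::error::Could not read a valid version from pyproject.toml (got '${VERSION}')"
            exit 1
          fi
          echo "version=${VERSION}"
          echo "value=${VERSION}" >> "$GITHUB_OUTPUT"
      - name: Set terrafirm run-id
        id: scan-build
        # A random id per workflow run; consumed by publish-scans as TF_VAR_codebuild_id.
        run: |
          RUN_ID=$(uuidgen)
          echo "run-id=${RUN_ID}" >> "$GITHUB_OUTPUT"
          echo "RUN_ID=${RUN_ID}"
      - name: Create GitHub release
        id: release
        uses: plus3it/actions-workflows/.github/actions/release@269d875599c92395f7fa99cab43edc1820798e61
        with:
          release-token: "${{ secrets.GH_RELEASES_TOKEN }}"
          # Python distributions plus every standalone binary downloaded above
          release-files: |
            dist/*
            .pyinstaller/dist/*/*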
| # Publish package to PyPI | |
| publish-pypi: | |
| if: needs.release.outputs.release-condition == 'true' | |
| name: Publish package to pypi | |
| runs-on: ubuntu-latest | |
| needs: | |
| - release | |
| permissions: | |
| actions: read # Required to download artifacts from other workflow runs | |
| id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | |
| steps: | |
| - name: Retrieve release distributions | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c | |
| with: | |
| name: dists | |
| path: dist/ | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| run-id: ${{ github.event.workflow_run.id }} | |
| - name: Publish package distributions to PyPI | |
| uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e | |
| # Publish package to S3 | |
| publish-s3: | |
| name: Publish package to s3 | |
| runs-on: ubuntu-latest | |
| needs: | |
| - release | |
| permissions: | |
| actions: read # Required to download artifacts from other workflow runs | |
| id-token: write # IMPORTANT: needed for oidc assume-role | |
| env: | |
| AWS_DEFAULT_REGION: us-east-1 | |
| BUCKET_NAME: "${{ needs.release.outputs.release-condition != 'true' && vars.DEV_BUCKET || vars.RELEASE_BUCKET }}" | |
| steps: | |
| - name: Retrieve standalone binaries | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c | |
| with: | |
| pattern: standalone-* | |
| path: .pyinstaller/dist | |
| merge-multiple: true | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| run-id: ${{ github.event.workflow_run.id }} | |
| - name: Install aws-cli | |
| uses: unfor19/install-aws-cli-action@f5b46b7f32cf5e7ebd652656c5036bf83dd1e60c | |
| - name: Configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 | |
| with: | |
| role-session-name: "watchmaker-publish-s3-package" | |
| role-to-assume: "${{ secrets.AWS_ROLE_ARN }}" | |
| aws-region: "${{ env.AWS_DEFAULT_REGION }}" | |
| - name: Validate credential | |
| run: aws sts get-caller-identity | |
| - run: ls -alR .pyinstaller/dist/ | |
| - run: mkdir -p .pyinstaller/dist/latest | |
| - run: cp .pyinstaller/dist/*/watchmaker-*-standalone-linux-x86_64 .pyinstaller/dist/latest/watchmaker-latest-standalone-linux-x86_64 | |
| - run: cp .pyinstaller/dist/*/watchmaker-*-standalone-windows-amd64.exe .pyinstaller/dist/latest/watchmaker-latest-standalone-windows-amd64.exe | |
| - run: cp .pyinstaller/dist/*/watchmaker-bootstrap.ps1 .pyinstaller/dist/latest/watchmaker-bootstrap.ps1 | |
| - run: cd .pyinstaller/dist/latest && sha256sum watchmaker-latest-standalone-linux-x86_64 > watchmaker-latest-standalone-linux-x86_64.sha256 | |
| - run: cd .pyinstaller/dist/latest && sha256sum watchmaker-latest-standalone-windows-amd64.exe > watchmaker-latest-standalone-windows-amd64.exe.sha256 | |
| - run: ls -alR .pyinstaller/dist/latest | |
| - name: Publish standalone binaries to S3 | |
| run: aws s3 cp --recursive .pyinstaller/dist/ s3://${{ env.BUCKET_NAME }}/${{ vars.S3_PREFIX }}/ | |
| # Publish scans to S3 | |
| publish-scans: | |
| name: Publish scans to s3 | |
| runs-on: | |
| - codebuild-p3-terrafirm-${{ github.run_id }}-${{ github.run_attempt }} | |
| instance-size:small | |
| needs: | |
| - release | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| scan-build: ["rhel8", "rhel9", "win16", "win19", "win22"] | |
| env: | |
| TF_VAR_aws_region: us-east-1 | |
| TF_VAR_codebuild_id: ${{ needs.release.outputs.scan-build-run-id }} | |
| TF_VAR_common_args: "-n -e dev" | |
| TF_VAR_git_ref: ${{ github.sha }} | |
| TF_VAR_git_repo: "${{ github.server_url }}/${{ github.repository }}.git" | |
| TF_VAR_scan_s3_url: "s3://${{ needs.release.outputs.release-condition != 'true' && vars.DEV_BUCKET || vars.RELEASE_BUCKET }}/${{ vars.S3_PREFIX}}/${{ needs.release.outputs.release-version }}/scans" | |
| TF_VAR_source_builds: '["${{ matrix.scan-build }}"]' | |
| TF_VAR_standalone_builds: '[]' | |
| steps: | |
| - name: Generate scan reports | |
| id: terrafirm | |
| uses: plus3it/terrafirm/.github/actions/test@d4283972b2e3738a6ad61a43225a0a5b71d4e83a | |
| with: | |
| destroy-after-test: true |