From b05dcb84c427b484e6b662a868f80706f0f13771 Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Thu, 18 Jan 2024 11:00:10 +0100 Subject: [PATCH 1/4] Publish to PyPI from release instead of master. Still require commits to be tagged. --- .github/workflows/publish-to-pypi.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index 8eebbee..1b5fa08 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml @@ -2,29 +2,27 @@ name: Publish Python package to PyPI on: push: - tags: - - '*' + branches: + - release jobs: publish: name: Publish to PyPI runs-on: ubuntu-latest - if: false && startsWith(github.ref, 'refs/tags/') # Only run on tagged commits - steps: - name: Check out code uses: actions/checkout@v4 with: fetch-depth: 0 # This fetches all history for all branches and tags - - name: Verify tag is on master branch + - name: Check if commit is tagged run: | - TAG_IS_ON_MASTER=$(git branch -r --contains ${{ github.ref }} | grep 'origin/master') - if [ -z "$TAG_IS_ON_MASTER" ]; then - echo "Tag is not on the master branch. Cancelling the workflow." + TAG=$(git tag --contains HEAD) + if [ -z "$TAG" ]; then + echo "Commit is not tagged. Failing the workflow." exit 1 fi - echo "Tag is on the master branch. Proceeding with the workflow." + echo "Commit is tagged. Proceeding with the workflow." - name: Set up Python uses: actions/setup-python@v4 From 3cac0a92589fe858fd7db0bad72e0851d5ae30a4 Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Thu, 18 Jan 2024 11:00:52 +0100 Subject: [PATCH 2/4] Remove action to publish to Test-PyPI --- .github/workflows/publish-to-test-pypi.yml | 52 ---------------------- 1 file changed, 52 deletions(-) delete mode 100644 .github/workflows/publish-to-test-pypi.yml diff --git a/.github/workflows/publish-to-test-pypi.yml b/.github/workflows/publish-to-test-pypi.yml deleted file mode 100644 index 64c1888..0000000 --- a/.github/workflows/publish-to-test-pypi.yml +++ /dev/null @@ -1,52 +0,0 @@ -name: Publish Python package to TestPyPI - -on: - push: - tags: - - '*' - -jobs: - publish: - name: Publish to TestPyPI - runs-on: ubuntu-latest - if: startsWith(github.ref, 'refs/tags/') # Only run on tagged commits - - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - fetch-depth: 0 # This fetches all history for all branches and tags - - - name: Verify tag is on master branch - run: | - TAG_IS_ON_MASTER=$(git branch -r --contains ${{ github.ref }} | grep 'origin/master') - if [ -z "$TAG_IS_ON_MASTER" ]; then - echo "Tag is not on the master branch. Cancelling the workflow." - exit 1 - fi - echo "Tag is on the master branch. Proceeding with the workflow." - - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: "3.x" - - - name: Install pypa/build/setuptools/twine - run: >- - python3 -m - pip install - build setuptools twine - --user - - - name: Prevent fallback onto setup.py - run: rm setup.py - - - name: Build a binary wheel and a source tarball - run: python3 -m build - - - name: Publish to TestPyPI - env: - TWINE_USERNAME: __token__ - TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }} - run: twine upload --repository-url https://test.pypi.org/legacy/ dist/* - From 992ee014a3fd367a8e7698c75d8672ec04ef3f3c Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Thu, 18 Jan 2024 11:01:13 +0100 Subject: [PATCH 3/4] Ensure all PRs to release to be tagged. Will be enforced via branch protection. --- .github/workflows/ensure-release-tagged.yaml | 26 ++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/workflows/ensure-release-tagged.yaml diff --git a/.github/workflows/ensure-release-tagged.yaml b/.github/workflows/ensure-release-tagged.yaml new file mode 100644 index 0000000..1b79d51 --- /dev/null +++ b/.github/workflows/ensure-release-tagged.yaml @@ -0,0 +1,26 @@ +name: Ensure Tagged Commits on Release + +on: + pull_request: + branches: + - release + +jobs: + check_tag: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Check if base commit of PR is tagged + run: | + BASE_COMMIT=$(jq -r .pull_request.base.sha < "$GITHUB_EVENT_PATH") + TAG=$(git tag --contains $BASE_COMMIT) + if [ -z "$TAG" ]; then + echo "Base commit of PR is not tagged. PRs onto release must be tagged with the version number." + exit 1 + fi + echo "Base commit of PR is tagged. Check passed." + From f3a3c88978fdaaa799cf42bee210fd8539ca4efe Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Thu, 18 Jan 2024 11:05:46 +0100 Subject: [PATCH 4/4] Use checkout@v4 for ensure-release-tagged workflow --- .github/workflows/ensure-release-tagged.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ensure-release-tagged.yaml b/.github/workflows/ensure-release-tagged.yaml index 1b79d51..e58e31e 100644 --- a/.github/workflows/ensure-release-tagged.yaml +++ b/.github/workflows/ensure-release-tagged.yaml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: fetch-depth: 0