-
Notifications
You must be signed in to change notification settings - Fork 16
135 lines (120 loc) · 4.07 KB
/
Copy pathrelease-rc.yml
File metadata and controls
135 lines (120 loc) · 4.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
# ============================================================================
# Release candidate workflow.
#
# Same modular build as `release.yml` (delegated to `_build.yml`) but
# publishes to **TestPyPI** and creates a GitHub pre-release. Does not
# touch PyPI nor GitHub Pages. MSI build is enabled by default.
#
# Triggers:
# * push of a tag matching vX.Y.Z-rcN on any branch.
#
# Prerequisites:
# - Configure TestPyPI Trusted Publishing -> GitHub environment `testpypi`.
# ============================================================================
name: Release Candidate
on:
push:
tags:
- "v[0-9]*.[0-9]*.[0-9]*-rc[0-9]*"
permissions:
contents: read
concurrency:
group: release-rc-${{ github.ref }}
cancel-in-progress: false
jobs:
build:
uses: ./.github/workflows/_build.yml
with:
build-msi: true
# RC tags may be pushed from any branch, so skip the "tag on main" check.
skip-tag-branch-check: true
artifact-retention-days: 14
publish-testpypi:
needs: build
runs-on: ubuntu-latest
environment:
name: testpypi
url: https://test.pypi.org/p/datalab
permissions:
id-token: write
steps:
- name: Download Python distributions
uses: actions/download-artifact@v4
with:
name: python-dists
path: dist
- name: Publish to TestPyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
# RC validation may be re-run on the same version (e.g. after fixing
# a later job). TestPyPI versions are immutable, so skip already
# uploaded files instead of failing the whole workflow.
skip-existing: true
github-prerelease:
needs: build
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write # required by attest-build-provenance (OIDC)
attestations: write # required by attest-build-provenance
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Download Python distributions
uses: actions/download-artifact@v4
with:
name: python-dists
path: assets/dists
- name: Download PDF documentation
uses: actions/download-artifact@v4
with:
name: pdf-docs
path: assets/pdfs
- name: Download MSI installer
uses: actions/download-artifact@v4
with:
name: msi-installer
path: assets/msi
- name: Generate SHA256SUMS
run: |
cd assets
# Published release assets are flat, so SHA256SUMS must reference bare
# filenames. Run sha256sum from each file's own directory so the
# checksum line contains the basename (not dists/…, msi/…, pdfs/…).
find dists msi pdfs -type f \
\( -name '*.whl' -o -name '*.tar.gz' -o -name '*.msi' -o -name '*.pdf' \) \
-printf '%p\n' | sort | while read -r f; do
( cd "$(dirname "$f")" && sha256sum "$(basename "$f")" )
done > SHA256SUMS
cat SHA256SUMS
- name: Attest build provenance
uses: actions/attest-build-provenance@v2
with:
subject-path: |
assets/dists/*.whl
assets/dists/*.tar.gz
assets/msi/*.msi
- name: Extract release notes
run: |
python scripts/ci_release_helpers.py release-notes \
"$GITHUB_REF_NAME" -o release-notes.md
- name: Create GitHub pre-release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
name: DataLab ${{ github.ref_name }}
body_path: release-notes.md
prerelease: true
draft: false
fail_on_unmatched_files: true
files: |
assets/dists/*.whl
assets/dists/*.tar.gz
assets/msi/*.msi
assets/pdfs/DataLab_fr.pdf
assets/pdfs/DataLab_en.pdf
assets/SHA256SUMS