# ============================================================================
# Build and publish a DataLab release.
#
# The build itself is delegated to the reusable `_build.yml` workflow
# (modular, one artifact per stage). This file only adds the publication
# jobs: PyPI Trusted Publishing + draft GitHub Release + Pages deployment.
#
# Triggers:
# * push of a tag matching vX.Y.Z (no pre-release suffix) on `main`.
# RC tags `vX.Y.Z-rcN` are handled by `release-rc.yml`.
#
# Prerequisites (one-time, off-CI):
# - Configure PyPI Trusted Publishing for `datalab` -> environment `pypi`.
# - Configure GH_PAGES_TOKEN or GH_PAGES_DEPLOY_KEY (see `pages.yml`).
# ============================================================================
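name: Release

on:
  push:
    # NOTE(review): these filters match on the tag *name* only. Nothing in this
    # file checks that the tagged commit is on `main`; if that matters, enforce
    # it with tag protection / deployment rules on the `pypi` environment.
    # In GitHub's filter syntax `*` is a wildcard rather than a quantifier, so
    # `[0-9]*` is "one digit, then anything": a tag such as `v1.2.3rc1` (no
    # hyphen) would also match and publish. `v[0-9]+.[0-9]+.[0-9]+` is the
    # stricter form; confirm against the project's tag scheme before changing.
    tags:
      - "v[0-9]*.[0-9]*.[0-9]*"
      - "!v*-*" # exclude pre-release tags (handled by release-rc.yml)

# Least-privilege default for GITHUB_TOKEN; jobs below widen it only where
# they need to.
permissions:
  contents: read

# One release run per ref; a run already in progress is never cancelled.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

# NOTE(review): every `uses:` below references a mutable tag or branch
# (`@v4`, `@v2`, `@release/v1`). In a workflow that holds `id-token: write`
# and `contents: write`, pinning each action to a full commit SHA
# (`owner/action@<full-commit-sha>  # v4`) keeps the code that runs with
# those permissions from changing underneath the release.
jobs:
  # ---------------------------------------------------------------------------
  # Modular build (translations / PDFs / dists / MSI) via reusable workflow.
  # ---------------------------------------------------------------------------
  build:
    uses: ./.github/workflows/_build.yml
    with:
      build-msi: true
      artifact-retention-days: 30

  # ---------------------------------------------------------------------------
  # Publish sdist + wheel to PyPI via Trusted Publishing (OIDC).
  # ---------------------------------------------------------------------------
  publish-pypi:
    needs: build
    runs-on: ubuntu-latest
    # The `pypi` environment is what the PyPI trusted publisher is bound to;
    # any protection rules (required reviewers, allowed tags) configured on it
    # gate this job.
    environment:
      name: pypi
      url: https://pypi.org/p/datalab
    # A job-level block replaces the workflow default, so this job's token
    # carries only the OIDC permission needed for Trusted Publishing.
    permissions:
      id-token: write
    steps:
      - name: Download Python distributions
        uses: actions/download-artifact@v4
        with:
          name: python-dists
          path: dist

      - name: Publish to PyPI
        # NOTE(review): `release/v1` is a branch ref; see the pinning note
        # at the top of `jobs:`.
        uses: pypa/gh-action-pypi-publish@release/v1

  # ---------------------------------------------------------------------------
  # Create a draft GitHub Release with all public artifacts.
  # ---------------------------------------------------------------------------
  github-release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write # required by attest-build-provenance (OIDC)
      attestations: write # required by attest-build-provenance
    steps:
      - uses: actions/checkout@v4
        with:
          # This job's token has `contents: write`. By default checkout leaves
          # it in the local git config for the rest of the job; the steps
          # below authenticate through action inputs / OIDC instead, so do not
          # persist it. Assumes scripts/ci_release_helpers.py performs no
          # authenticated git operations (confirm).
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Download Python distributions
        uses: actions/download-artifact@v4
        with:
          name: python-dists
          path: assets/dists

      - name: Download PDF documentation
        uses: actions/download-artifact@v4
        with:
          name: pdf-docs
          path: assets/pdfs

      - name: Download MSI installer
        uses: actions/download-artifact@v4
        with:
          name: msi-installer
          path: assets/msi

      - name: Generate SHA256SUMS
        # Single checksums file covering every artifact published in the
        # release. Users verify with: `sha256sum -c SHA256SUMS`.
        # SHA256SUMS is published next to the files it lists, so it detects
        # corruption or a partial download; authenticity comes from the
        # attestation step below, which covers the wheel, sdist and MSI but
        # not the PDFs or this file.
        run: |
          cd assets
          # Published release assets are flat, so SHA256SUMS must reference bare
          # filenames. Run sha256sum from each file's own directory so the
          # checksum line contains the basename (not dists/…, msi/…, pdfs/…).
          find dists msi pdfs -type f \
            \( -name '*.whl' -o -name '*.tar.gz' -o -name '*.msi' -o -name '*.pdf' \) \
            -printf '%p\n' | sort | while read -r f; do
            ( cd "$(dirname "$f")" && sha256sum "$(basename "$f")" )
          done > SHA256SUMS
          echo "--- SHA256SUMS ---"
          cat SHA256SUMS

      - name: Attest build provenance
        # Produces a Sigstore-backed attestation linking each artifact to
        # this exact workflow run. Verifiable with `gh attestation verify`.
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: |
            assets/dists/*.whl
            assets/dists/*.tar.gz
            assets/msi/*.msi

      - name: Extract release notes
        # The tag name is read from the environment and quoted, not
        # interpolated into the script with `${{ }}`.
        run: |
          python scripts/ci_release_helpers.py release-notes \
            "$GITHUB_REF_NAME" -o release-notes.md
          echo "--- release notes preview ---"
          head -n 20 release-notes.md

      - name: Create draft GitHub Release
        # NOTE(review): third-party action running with `contents: write`;
        # see the pinning note at the top of `jobs:`.
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref_name }}
          name: DataLab ${{ github.ref_name }}
          body_path: release-notes.md
          # Draft only: a maintainer still has to publish the release by hand.
          draft: true
          # Fail the job rather than publish a release with a missing asset.
          fail_on_unmatched_files: true
          files: |
            assets/dists/*.whl
            assets/dists/*.tar.gz
            assets/msi/*.msi
            assets/pdfs/DataLab_fr.pdf
            assets/pdfs/DataLab_en.pdf
            assets/SHA256SUMS

  # ---------------------------------------------------------------------------
  # Build & deploy documentation (delegated to pages.yml). Non-blocking.
  # ---------------------------------------------------------------------------
  deploy-pages:
    needs: build
    uses: ./.github/workflows/pages.yml
    # NOTE(review): `inherit` hands every secret visible to this workflow to
    # pages.yml. The header of this file names only GH_PAGES_TOKEN /
    # GH_PAGES_DEPLOY_KEY as prerequisites; passing just those explicitly
    # would be tighter, but requires pages.yml to declare them under
    # `on.workflow_call.secrets` (not visible here).
    secrets: inherit
    with:
      deploy: true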