Feat | LAY-885 cicd publish #7
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # This workflow is used to publish the Python SDK to the actual PyPI. | ||
| # It is triggered by a tag push, and will only publish if the tag is valid. | ||
| # The tag must match the format sdk-v*.*.* | ||
|
|
||
| name: Publish Python SDK | ||
|
|
||
| on: | ||
| push: | ||
| tags: | ||
| - "sdk-v*.*.*" # Trigger on version tags like sdk-v0.1.0 etc. | ||
|
|
||
| jobs: | ||
|
Contributor
Can you make sure this job runs on our That way it needs manual approval before it can run. Like we do in the atlas-app: https://github.com/LayerLens/atlas-app/blob/main/.github/workflows/deploy-production-backend.yaml#L12
Collaborator
Author
done |
||
| validate: | ||
| runs-on: ubuntu-latest | ||
| environment: production | ||
| outputs: | ||
| release_tag: ${{ steps.set_release_tag.outputs.release_tag }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 # Fetch all history for checking branch | ||
| - name: Set release tag | ||
| id: set_release_tag | ||
| # ensure the tag is valid (matches code, is on main, etc) | ||
| run: | | ||
| RELEASE_TAG=${GITHUB_REF#refs/tags/} | ||
| echo "Using tag: $RELEASE_TAG" | ||
| ./scripts/validate-release-tag.sh "$RELEASE_TAG" | ||
| echo "RELEASE_TAG=$RELEASE_TAG" >> $GITHUB_ENV | ||
| echo "release_tag=$RELEASE_TAG" >> $GITHUB_OUTPUT | ||
|
|
||
| build-and-publish: | ||
| needs: validate | ||
| runs-on: ubuntu-latest | ||
| environment: production | ||
|
|
||
| env: | ||
| TWINE_USERNAME: __token__ | ||
| TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} | ||
|
Contributor
What is TWINE? Is that something we set up on PyPI?
Collaborator
Author
Twine is the utility used to publish the packages to PyPI: https://pypi.org/project/twine/ It is used here: https://github.com/LayerLens/atlas-python/pull/7/files#diff-c63759f58a022cf694046a961470c6e28c042d8f221646bc5ddbb5fa959dda75R24 |
||
| RELEASE_TAG: ${{ needs.validate.outputs.release_tag }} | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.13" | ||
| - name: Install build dependencies | ||
| run: make install-build-deps | ||
| - name: Build | ||
| run: make build | ||
| - name: Test wheel | ||
| run: make test-wheel | ||
| - name: Upload build artifacts | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: sdk-dist | ||
| path: dist/ | ||
| retention-days: 5 | ||
| - name: Publish to PyPI | ||
| run: make _publish | ||
| env: | ||
| PYPI_REPO: pypi | ||
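Review bot: In `build-and-publish`, `TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}` sits in the job-level `env:`, so the PyPI upload token is in the environment of every step, including `make install-build-deps`, `make build` and `make test-wheel`, which install and execute package and build-backend code. Move `TWINE_USERNAME` and `TWINE_PASSWORD` into the `env:` of the `Publish to PyPI` step, next to `PYPI_REPO: pypi`, so only `make _publish` can read them. Two smaller points on the same file: neither job declares `permissions:`, so `GITHUB_TOKEN` keeps the repository default (a top-level `permissions:` with `contents: read` appears sufficient for the steps shown), and `actions/checkout@v4`, `actions/setup-python@v5` and `actions/upload-artifact@v4` are referenced by mutable tag rather than by full commit SHA in a job that handles a publishing credential.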
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| # This workflow creates and pushes a release tag using the push-release-tag.sh script. | ||
| # It can be triggered manually and will prompt for confirmation before creating the tag. | ||
|
|
||
| name: Create Release Tag | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
Contributor
Can we make sure this only can be run on the release branch + in the production environment so we ensure manual review is needed for publishing?
Collaborator
Author
done |
||
| inputs: | ||
|
Contributor
How do we specify major vs minor vs patch releases?
Collaborator
Author
With the current setup we have, I think we should manually bump the version in the _version file, then release the tag. |
||
| dry_run: | ||
| description: "Run in dry-run mode (show what would be done without actually creating/pushing the tag)" | ||
| required: false | ||
| type: boolean | ||
| default: true | ||
| confirm_release: | ||
| description: "Type 'YES' to confirm you want to create and push the release tag" | ||
| required: true | ||
| type: string | ||
|
|
||
| jobs: | ||
| check-branch: | ||
| runs-on: ubuntu-latest | ||
| environment: production | ||
| steps: | ||
| - name: Check if running on release branch | ||
| run: | | ||
| if [ "${{ github.ref }}" != "refs/heads/release" ]; then | ||
| echo "Error: This workflow can only be run from the 'release' branch." | ||
| echo "Current branch: ${{ github.ref }}" | ||
| echo "Please switch to the 'release' branch and try again." | ||
| exit 1 | ||
| fi | ||
| echo "Running on release branch - proceeding with workflow." | ||
|
|
||
| create-release-tag: | ||
| runs-on: ubuntu-latest | ||
| needs: check-branch | ||
| environment: production | ||
| if: github.ref == 'refs/heads/release' | ||
|
|
||
| permissions: | ||
| contents: write # Required to create and push tags | ||
|
|
||
| steps: | ||
| - name: Validate confirmation | ||
| if: github.event.inputs.confirm_release != 'YES' && github.event.inputs.dry_run != 'true' | ||
| run: | | ||
| echo "Error: You must type 'YES' in the confirm_release input to proceed with creating a release tag." | ||
| echo "Received: '${{ github.event.inputs.confirm_release }}'" | ||
| exit 1 | ||
|
|
||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 # Fetch all history and tags | ||
|
|
||
| - name: Make scripts executable | ||
| run: | | ||
| chmod +x scripts/push-release-tag.sh | ||
| chmod +x scripts/get_version.sh | ||
|
|
||
| - name: Configure Git | ||
| run: | | ||
| git config --global user.name "github-actions[bot]" | ||
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | ||
|
|
||
| - name: Run push-release-tag script (dry-run) | ||
| if: github.event.inputs.dry_run == 'true' | ||
| run: | | ||
| echo "Running in dry-run mode..." | ||
| make push-release-tag DRY_RUN=--dry-run | ||
|
|
||
| - name: Run push-release-tag script | ||
| if: github.event.inputs.dry_run != 'true' | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| echo "Creating and pushing release tag..." | ||
| # Override the interactive confirmation since we already confirmed via workflow input | ||
| echo "YES" | make push-release-tag | ||
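Review bot: In the `Validate confirmation` step, `echo "Received: '${{ github.event.inputs.confirm_release }}'"` expands a free-text `workflow_dispatch` input into the script text before the shell runs it, in a job that holds `contents: write`, so a value containing a quote or `$(...)` becomes part of the script. Pass the input through the step's `env:` (a variable name of your choosing, for example `CONFIRM_RELEASE: ${{ github.event.inputs.confirm_release }}`) and print `"$CONFIRM_RELEASE"` instead. Separately, `check-branch` and `create-release-tag` both declare `environment: production`, so if that environment requires reviewers each job waits for its own approval, and the job-level `if: github.ref == 'refs/heads/release'` repeats the test that `check-branch` already enforces through `needs:`; keeping the environment gate on `create-release-tag` alone would be enough.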
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # This workflow is used to publish the Python SDK to TestPyPI. Do not need to upgrade the | ||
| # version number to use this workflow. | ||
| # Only upgrade the version number when you are ready to publish to PyPi | ||
| # The script will automatically add an "rc" suffix to the version number for test.pypi.org releases. | ||
|
|
||
| name: Publish Python SDK to TestPyPI | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| ref: | ||
| description: "Publish the given Git ref to test.pypi.org (branch, tag, or commit SHA)" | ||
| required: true | ||
| type: string | ||
| default: "main" | ||
|
|
||
| jobs: | ||
| build-and-publish-test: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| env: | ||
| TWINE_USERNAME: __token__ | ||
| TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} | ||
| PYPI_REPO: testpypi | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.inputs.ref }} | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.13" | ||
| - name: Install build dependencies | ||
| run: make install-build-deps | ||
| - name: Build | ||
| run: make build | ||
| - name: Test wheel | ||
| run: make test-wheel | ||
| - name: Publish to TestPyPI | ||
| run: make _publish |
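Review bot: `build-and-publish-test` checks out whatever `ref` the caller supplies and then runs that ref's `make` targets with `TWINE_PASSWORD` in the job-level `env:`, and unlike the PyPI workflow it has no `environment:` gate. It also reads the same secret name, `secrets.TWINE_PASSWORD`, as the PyPI workflow, although test.pypi.org and pypi.org tokens are separate credentials; if that name resolves to the production token here, the Makefile of any dispatched ref can read it. Use a distinctly named TestPyPI secret (or a dedicated environment that holds it), set it only on the `Publish to TestPyPI` step, and declare `permissions:` with `contents: read` for the job.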
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| install-build-deps: | ||
| pip install build twine | ||
|
|
||
| build: clean _template-version | ||
| python -m build | ||
| # Restore the original version file after the build | ||
| git checkout src/layerlens/_version.py | ||
|
|
||
| test-wheel: | ||
| pip install dist/*.whl | ||
| python -c "import layerlens; print('Package imported successfully')" | ||
|
|
||
| clean: | ||
| rm -rf build dist | ||
|
|
||
| _publish: | ||
| ./scripts/publish.sh | ||
|
|
||
| _template-version: | ||
| @bash scripts/template-version.sh | ||
|
|
||
| _check-git-clean: | ||
| @if [ -n "$$(git status --porcelain)" ]; then \ | ||
| echo "Error: Git working directory is not clean. Won't run publish."; \ | ||
| exit 1; \ | ||
| fi | ||
|
|
||
| _verify-build-publish: _check-git-clean build test-wheel _publish | ||
|
|
||
| publish-to-testpypi: export PYPI_REPO := testpypi | ||
| publish-to-testpypi: _verify-build-publish | ||
|
|
||
| publish-to-pypi: export PYPI_REPO := pypi | ||
| publish-to-pypi: _verify-build-publish | ||
|
|
||
| push-release-tag: | ||
| @bash scripts/push-release-tag.sh $(DRY_RUN) | ||
|
|
||
| help: | ||
| @echo "Available targets:" | ||
| @echo " build - Build Python package" | ||
| @echo " clean - Remove build artifacts" | ||
| @echo " help - Show this help message" | ||
| @echo " install-build-deps - Install build dependencies for CI" | ||
| @echo " test-wheel - Run tests against built wheel" | ||
| @echo " publish-to-pypi - Publish to PyPI" | ||
| @echo " publish-to-testpypi - Publish to TestPyPI" | ||
| @echo " push-release-tag - Create and push a release tag" |
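Review bot: `install-build-deps` runs `pip install build twine` with no versions or hashes, so the release job resolves whatever is newest on the index at publish time and runs it in the job that carries the upload token. Pin both (a requirements file installed with `--require-hashes` works) so the release toolchain is reviewable. In `build`, `git checkout src/layerlens/_version.py` only runs when `python -m build` succeeds; a failed build leaves the templated version file modified and the next `_check-git-clean` then fails, so restore the file on failure as well. `_verify-build-publish` relies on left-to-right prerequisite order, which `make -j` does not preserve, and the `help` text for `test-wheel` says "Run tests against built wheel" while the target only imports the package.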
Can we make sure this only runs on the release-branch?
This should never run on main.

This action runs when a new tag is pushed. The tag must follow this pattern `sdk-v*.*.*` for this action to run. Then the publish script makes sure we are working with the release branch