python-ci/.github/workflows/github-release.yaml at main · glenn20/python-ci · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
name: Create github release
# description: |-
#   A reusable github workflow to sign the python package files and upload to a
#   GitHub Release. Assumes the python package has been saved as a workflow
#   artifact. Uses the Sigstore GitHub Action to sign the package before
#   uploading. The release name can be provided as the `tag` input, else the
#   current tag name if triggered by a git tag push else the latest version
#   number from the python package wheel file.
#   Invoke with `uses: glenn20/python-ci/.github/workflows/github-release.yaml@v2`

on:
  workflow_call:
    inputs:
      tag:
        description: >-
          Name of the release. Defaults to the current git tag if the
          workflow is triggered by a tag else the version number from the
          python package wheel file.
        required: false
        type: string
        default: ''

jobs:
  github-release:
    name: GitHub Release
    runs-on: ubuntu-latest

    permissions:
      contents: write  # IMPORTANT: mandatory for making GitHub Releases
      id-token: write  # IMPORTANT: mandatory for sigstore

    steps:
      - name: Download all the dists
        uses: actions/download-artifact@v4
        with:
          name: python-package
          path: dist/

      - name: Sign the dists with Sigstore
        uses: sigstore/gh-action-sigstore-python@v3.0.0
        with:
          inputs: >-
            ./dist/*.tar.gz
            ./dist/*.whl

      - name: Check the release version tag
        id: tag
        run: |
          if [ -n "${{ inputs.tag }}" ]; then
            tag="${{ inputs.tag }}"
          elif [[ "${{ github.ref }}" == /refs/tags/* ]]; then
            tag="${{ github.ref_name }}"
          else
            tag="$(ls ./dist/*.whl | tail -1 | sed 's/^[^-]*-\([^-]*\)-py.*$/v\1/')"
          fi
          echo "tag=$tag" >> $GITHUB_OUTPUT
        shell: bash

      - name: Create GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: >-
          gh release create
          '${{ steps.tag.outputs.tag }}'
          --repo '${{ github.repository }}'
          --notes ""

      - name: Upload artifact signatures to GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
        # Upload to GitHub Release using the `gh` CLI.
        # `dist/` contains the built packages, and the
        # sigstore-produced signatures and certificates.
        run: >-
          gh release upload
          '${{ steps.tag.outputs.tag }}'
          dist/**
          --repo '${{ github.repository }}'