name: test-release on: workflow_call: inputs: working-directory: required: true type: string description: "From which folder this pipeline executes" env: PYTHON_VERSION: "3.10" permissions: contents: read jobs: build: runs-on: ubuntu-latest outputs: pkg-name: ${{ steps.check-version.outputs.pkg-name }} version: ${{ steps.check-version.outputs.version }} steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Python ${{ env.PYTHON_VERSION }} uses: ./.github/actions/uv_setup with: python-version: ${{ env.PYTHON_VERSION }} cache-suffix: "release" working-directory: ${{ inputs.working-directory }} # We want to keep this build stage *separate* from the release stage, # so that there's no sharing of permissions between them. # The release stage has trusted publishing and GitHub repo contents write access, # and we want to keep the scope of that access limited just to the release job. # Otherwise, a malicious `build` step (e.g. via a compromised dependency) # could get access to our GitHub or PyPI credentials. # # Per the trusted publishing GitHub Action: # > It is strongly advised to separate jobs for building [...] # > from the publish job. # https://github.com/pypa/gh-action-pypi-publish#non-goals - name: Build project for distribution run: uv build working-directory: ${{ inputs.working-directory }} - name: Upload build uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: test-dist path: ${{ inputs.working-directory }}/dist/ - name: Check Version id: check-version shell: bash working-directory: ${{ inputs.working-directory }} run: | echo pkg-name=$(grep -m 1 "^name = " pyproject.toml | cut -d '"' -f 2) echo version=$(grep -m 1 "^version = " pyproject.toml | cut -d '"' -f 2) publish: needs: - build runs-on: ubuntu-latest permissions: # This permission is used for trusted publishing: # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ # # Trusted publishing has to also be configured on PyPI for each package: # https://docs.pypi.org/trusted-publishers/adding-a-publisher/ id-token: write steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: test-dist path: ${{ inputs.working-directory }}/dist/ - name: Publish to test PyPI uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: packages-dir: ${{ inputs.working-directory }}/dist/ verbose: true print-hash: true repository-url: https://test.pypi.org/legacy/ # We overwrite any existing distributions with the same name and version. # This is *only for CI use* and is *extremely dangerous* otherwise! # https://github.com/pypa/gh-action-pypi-publish#tolerating-release-package-file-duplicates skip-existing: true # Temp workaround since attestations are on by default as of gh-action-pypi-publish v1.11.0 attestations: false