infra: make publish-release workflow non-reusable
This seems to be needed to make sure that trusted publishing (see below
link) works properly, since the readme says that it can't work from a
reusable workflow.

I ran into this issue when trying to build the release, the
publish-release workflow was failing with a big amount of text:
https://github.com/IRNAS/irnas-east-software/actions/runs/11718734433/job/32640627624

Relevant issues that helped to get a sense of what is happening:
https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing
pypi/warehouse#11096
pypa/gh-action-pypi-publish#166
MarkoSagadin committed Nov 7, 2024
1 parent 0117ecc commit 75f56f9
Showing 2 changed files with 50 additions and 65 deletions.
56 changes: 50 additions & 6 deletions .github/workflows/create-release.yaml
Expand Up @@ -59,15 +59,59 @@ jobs:
with:
checkout_ref: ${{ inputs.version }}

call-publish-release:
publish-release:
needs: call-build
uses: ./.github/workflows/publish-release.yaml
with:
release_version: ${{ inputs.version }}
runs-on: ubuntu-22.04
environment:
name: pypi
url: https://pypi.org/p/east-tool
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
contents: write

steps:
- name: Start
run: |
version_cut=$(echo "${{ inputs.version }}" | cut -c 2-)
echo "release_version=${{ inputs.version }}" >> $GITHUB_ENV
echo "release_version_cut=$version_cut" >> $GITHUB_ENV
- name: Checkout Repository
uses: actions/checkout@v4
with:
ref: ${{ env.release_version }}

- name: Get latest Changelog entry
id: changelog-reader
uses: mindsers/[email protected]
with:
version: ${{ env.release_version_cut }}

- name: Download artifact
uses: actions/download-artifact@v4
with:
name: dist
path: dist

# You wonder how there isn't any token? east is configured to use OIDC,
# check on pypi under Publishing section what is that.
- name: Publish distribution to PyPI
uses: pypa/gh-action-pypi-publish@release/v1

- name: Publish Release
if: ${{ !env.ACT }}
uses: softprops/[email protected]
with:
files: dist/*
tag_name: ${{ env.release_version }}
body: |
# Release notes
${{ steps.changelog-reader.outputs.changes }}
cleanup-on-failure:
# Only run cleanup if either call-build or call-publish-release fail.
needs: [call-build, call-publish-release]
# Only run cleanup if either call-build or publish-release fail.
needs: [call-build, publish-release:]
if: ${{ always() && contains(join(needs.*.result, ','), 'failure') }}
runs-on: ubuntu-22.04
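
Review bot: The `needs` list of `cleanup-on-failure` reads `needs: [call-build, publish-release:]`; with the trailing colon, YAML parses the second entry as a key with an empty value rather than the job id `publish-release`, so the dependency on the renamed job will not resolve. It should be `needs: [call-build, publish-release]`. In the `Start` step, `${{ inputs.version }}` is expanded into the script text before the shell runs; passing it through a step-level `env:` entry and reading it as a quoted shell variable keeps the input from being interpreted as script, which matters more now that this job holds `id-token: write` and `contents: write`. Both permissions apply to every step in the job, including the changelog-reader and release actions referenced by tag and `pypa/gh-action-pypi-publish@release/v1` referenced by branch; pinning these to full commit SHAs would limit what can run with the publishing identity.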

59 changes: 0 additions & 59 deletions .github/workflows/publish-release.yaml

This file was deleted.
