Commit 0818ed2

ci: Subdivide release job
This is needed because the SLSA provenance reusable workflow cannot be used as a step within a job, but must be used as a job on its own. This commit therefore subdivides the `release` job into a `release` job, which runs `python-semantic-release` to create a new release, if applicable, and then a `publish` job, to publish the release to PyPI and GitHub Releases, if one was created. We'll then be able to insert the SLSA provenance job between the two.
1 parent 3a3499a commit 0818ed2

1 file changed

+35
-3
lines changed

.github/workflows/semantic-release.yml

Lines changed: 35 additions & 3 deletions
@@ -8,10 +8,12 @@ on:
88
permissions:
99
contents: read
1010

11+
concurrency:
12+
group: release
13+
1114
jobs:
1215
release:
1316
runs-on: ubuntu-latest
14-
concurrency: release
1517
environment: release
1618
permissions:
1719
id-token: write
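Review bot: `release` still carries `id-token: write` (new line 19) even though this commit moves the PyPI upload out of this job. If no remaining step in `release` requests an OIDC token, drop the grant here so that it sits only on the job that needs it. On the new workflow-level `concurrency:` block (new lines 11-12), consider writing `cancel-in-progress: false` explicitly, so it is clear on reading that an in-flight release or publish run is not cancelled by a newer one.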
@@ -37,12 +39,42 @@ jobs:
3739
ssh_private_signing_key: ${{ secrets.SEMANTIC_RELEASE_PRIVATE_KEY }}
3840
ssh_public_signing_key: ${{ secrets.SEMANTIC_RELEASE_PUBLIC_KEY }}
3941

42+
- name: Upload Build Artifacts
43+
if: steps.release.outputs.released == 'true'
44+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
45+
with:
46+
name: dist
47+
path: dist/
48+
49+
outputs:
50+
released: ${{ steps.release.outputs.released }}
51+
52+
publish:
53+
runs-on: ubuntu-latest
54+
needs: release
55+
if: ${{ needs.release.outputs.released == 'true' }}
56+
environment: release
57+
steps:
58+
- name: Harden Runner
59+
uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
60+
with:
61+
egress-policy: audit
62+
63+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
64+
with:
65+
fetch-depth: 0
66+
token: ${{ secrets.GH_TOKEN }}
67+
68+
- name: Download Artifacts
69+
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
70+
with:
71+
name: dist
72+
path: dist
73+
4074
- name: Publish to PyPI
4175
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
42-
if: steps.release.outputs.released == 'true'
4376

4477
- name: Publish to GitHub Releases
4578
uses: python-semantic-release/publish-action@b717f67f7e7e9f709357bce5a542846503ce46ec # v10.2.0
46-
if: steps.release.outputs.released == 'true'
4779
with:
4880
github_token: ${{ secrets.GH_TOKEN }}
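Review bot: the new `publish` job (new lines 52-56) declares no `permissions:` block, so it runs with only the workflow-level `contents: read`, while `id-token: write` remains on `release`. The "Publish to PyPI" step is shown without a `with:` block, so no password is passed and the upload depends on PyPI trusted publishing, which needs the job to be able to request an OIDC token. Add `permissions:` with `id-token: write` to `publish`. Separately, the checkout step in `publish` is handed `secrets.GH_TOKEN`; if no later step in this job pushes with git, set `persist-credentials: false` so the token is not left in the local git config while the downloaded artifacts and third-party actions run.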
