Remove persist-credentials: false from release job (#520) #226
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: π Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release: | |
| description: "π Release (semver bump)?" | |
| required: true | |
| default: "no" | |
| type: choice | |
| options: ["no", patch, minor, major] | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| concurrency: | |
| group: >- | |
| ${{ github.workflow }}-${{ github.ref }}${{ | |
| github.event.inputs.release && github.event.inputs.release != 'no' && '-release' || '' | |
| }} | |
| cancel-in-progress: ${{ github.event.inputs.release == 'no' || github.event.inputs.release == null }} | |
| permissions: | |
| contents: read | |
| env: | |
| dists-artifact-name: python-package-distributions | |
| jobs: | |
| build: | |
| name: π¦ build | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| outputs: | |
| version: ${{ steps.v.outputs.version }} | |
| changelog: ${{ steps.v.outputs.changelog }} | |
| steps: | |
| - name: π₯ Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: π¦ Setup uv | |
| uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 | |
| with: | |
| enable-cache: true | |
| cache-dependency-glob: "tasks/changelog.py" | |
| - name: π Generate changelog | |
| id: v | |
| run: >- | |
| uv run tasks/changelog.py "$RELEASE_TYPE" "$EVENT_NUMBER" "$BASE_SHA" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| RELEASE_TYPE: | |
| ${{ github.event.inputs.release == 'no' || github.event.inputs.release == null && 'patch' || | |
| github.event.inputs.release }} | |
| EVENT_NUMBER: ${{ github.event.number }} | |
| BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| - name: π·οΈ Create temporary tag for hatch-vcs | |
| if: github.event.inputs.release != 'no' && github.event.inputs.release != null | |
| run: git tag '${STEPS_V_OUTPUTS_VERSION}' | |
| env: | |
| STEPS_V_OUTPUTS_VERSION: ${{ steps.v.outputs.version }} | |
| - name: π¦ Build package | |
| run: uv build --python 3.14 --python-preference only-managed --sdist --wheel . --out-dir dist | |
| - name: π€ Store the distribution packages | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 | |
| with: | |
| name: ${{ env.dists-artifact-name }} | |
| path: dist/* | |
| release: | |
| name: π release | |
| needs: [build] | |
| if: github.event.inputs.release != 'no' && github.event.inputs.release != null && github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-24.04 | |
| environment: | |
| name: release | |
| url: https://pypi.org/project/filelock/${{ needs.build.outputs.version }} | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - name: π₯ Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| token: ${{ secrets.RELEASE_TOKEN }} # zizmor: ignore[artipacked] | |
| - name: π€ Commit changelog and tag | |
| env: | |
| CHANGELOG: ${{ needs.build.outputs.changelog }} | |
| VERSION: ${{ needs.build.outputs.version }} | |
| run: | | |
| if git ls-remote --tags origin "refs/tags/$VERSION" | grep -q .; then | |
| echo "Tag $VERSION already exists, skipping changelog commit" | |
| exit 0 | |
| fi | |
| git config user.name "${GITHUB_ACTOR}" | |
| git config user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" | |
| header="$VERSION ($(date -u +%Y-%m-%d))" | |
| separator=$(printf '%0.s*' $(seq 1 $((${#header} + 1)))) | |
| { | |
| head -4 docs/changelog.rst | |
| printf '%s\n %s\n%s\n\n' "$separator" "$header" "$separator" | |
| printf '%s\n\n' "$CHANGELOG" | |
| tail -n +5 docs/changelog.rst | |
| } > docs/changelog.tmp | |
| mv docs/changelog.tmp docs/changelog.rst | |
| git add docs/changelog.rst | |
| git commit -m "Release $VERSION" | |
| git tag "$VERSION" | |
| git push origin "$VERSION" | |
| git push origin main | |
| - name: β¬οΈ Download all the dists | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: ${{ env.dists-artifact-name }} | |
| path: dist/ | |
| - name: π Publish to PyPI | |
| uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 | |
| with: | |
| skip-existing: true | |
| - name: π’ Create GitHub release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} | |
| VERSION: ${{ needs.build.outputs.version }} | |
| run: | | |
| if gh release view "$VERSION" > /dev/null 2>&1; then | |
| echo "Release $VERSION already exists, skipping" | |
| else | |
| gh release create "$VERSION" --title="$VERSION" --verify-tag --generate-notes | |
| fi |