tighten GHA security with zizmor, freeze pre-commit hashes #1165
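name: Release

on:
  push:
    branches-ignore:
      - "dependabot/**"
      - "pre-commit-ci-update-config"
    tags:
      - "**"
  pull_request:
    paths:
      - pyproject.toml
      - CMakeLists.txt
      - cmake/**
      - buildutils/**
      - .github/workflows/wheels.yml
      - tools/install_libzmq.sh
      - zmq/utils/*.h

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-wide token scope is read-only; the two jobs that need more
# (github-release, upload-pypi) request it explicitly below.
permissions:
  contents: read

env:
  PYTHONUNBUFFERED: "1"
  # CIBW_PRERELEASE_PYTHONS: "1"

jobs:
  sdist:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # do not leave the workflow token in .git/config for later steps
          persist-credentials: false
      - name: setup python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.11"
      - name: install dependencies
        run: |
          pip install --upgrade pip build pytest
          pip install -r tools/wheel-requirements.txt
      - name: build sdist
        run: |
          python -m build --sdist .
      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: sdist
          path: "dist/*.tar.gz"
          if-no-files-found: error
      - name: verify sdist files
        run: |
          pytest -v tools/test_sdist.py

  wheel:
    runs-on: ${{ matrix.os || 'ubuntu-22.04' }}
    name: wheel-${{ matrix.name }}
    env:
      MACOSX_DEPLOYMENT_TARGET: "10.15"
      # cibuildwheel is configured entirely through CIBW_* variables derived
      # from the matrix entry; unset matrix fields fall back to the defaults here
      CIBW_BUILD: "${{ matrix.cibw.build || '*' }}"
      CIBW_SKIP: "${{ matrix.cibw.skip || '' }}"
      CIBW_ARCHS: "${{ matrix.cibw.arch || 'auto' }}"
      CIBW_MANYLINUX_X86_64_IMAGE: "${{ matrix.cibw.manylinux_x86_64_image || '' }}"
      CIBW_PLATFORM: "${{ matrix.cibw.platform || 'auto' }}"
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: macos-14
            name: mac-pypy-arm
            cibw:
              build: "pp*"
              arch: arm64
          - os: macos-14
            name: mac-pypy-x86
            cibw:
              build: "pp*"
              arch: x86_64
          - os: macos-14
            name: mac-cpython
            cibw:
              arch: universal2
              build: "cp*"
          - name: manylinux-x86_64
            cibw:
              arch: x86_64
              build: "*manylinux*"
          - name: manylinux-i686
            cibw:
              arch: i686
              build: "*manylinux*"
          - name: manylinux-arm
            os: ubuntu-24.04-arm
            cibw:
              build: "*manylinux*"
          # additional manylinux variants, not specified in pyproject.toml:
          # this is where we would add e.g. older manylinux_2014 builds
          # - name: manylinux-x86_64-2014
          #   cibw:
          #     arch: x86_64
          #     build: "cp31*-manylinux* pp39-manylinux*"
          #     manylinux_x86_64_image: manylinux_2_28
          - name: manylinux-riscv64
            cibw:
              arch: riscv64
              # this build is emulated, limit to the stable-abi build on 3.12 (works on 3.13+)
              # because it costs way more per wheel
              build: "cp312*manylinux*"
          - name: musllinux
            cibw:
              arch: auto,auto32
              build: "*musllinux*"
          - name: musllinux-arm
            os: ubuntu-24.04-arm
            cibw:
              build: "*musllinux*"
          - name: android
            os: ubuntu-24.04
            cibw:
              platform: android
              arch: all
          - name: win32
            os: windows-2022
            architecture: x86
            cibw:
              build: "cp*win32"
          - os: windows-2022
            name: win-pypy
            architecture: x64
            cibw:
              build: "pp*win_amd64"
          - os: windows-2022
            name: win_amd64
            architecture: x64
            cibw:
              build: "cp*win_amd64"
          - os: windows-11-arm
            name: win_arm64
            cibw:
              arch: ARM64
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: setup python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.13"
          # only the Windows entries set matrix.architecture; empty elsewhere
          architecture: ${{ matrix.architecture }}
      - name: locate windows-arm vcredist
        if: matrix.name == 'win_arm64'
        run: |
          python tools/find_vcredist.py
      - name: customize mac-arm-64
        if: contains(matrix.os, 'macos') && matrix.cibw.arch
        # NOTE(review): MACOSX_DEPLOYMENT_TARGET is already "10.15" in the job-level
        # env above, so this step looks redundant — confirm before removing it
        run: |
          echo 'MACOSX_DEPLOYMENT_TARGET=10.15' >> "$GITHUB_ENV"
      # https://github.blog/changelog/2024-04-02-github-actions-hardware-accelerated-android-virtualization-now-available/
      - name: enable KVM for Android emulator
        if: matrix.name == 'android'
        run: |
          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          sudo udevadm control --reload-rules
          sudo udevadm trigger --name-match=kvm
      - name: Set up QEMU
        if: matrix.name == 'manylinux-riscv64'
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
        with:
          platforms: riscv64
      - name: install dependencies
        run: |
          pip install --upgrade setuptools pip wheel
          pip install -r tools/wheel-requirements.txt
      - name: show environment
        run: |
          pip freeze
      - name: list target wheels
        run: |
          python -m cibuildwheel . --print-build-identifiers
      - name: build wheels
        run: |
          python -m cibuildwheel .
      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: wheels-${{ matrix.name }}
          path: "wheelhouse/*"
          if-no-files-found: error

  github-release:
    permissions:
      # needed to create the release; everything else stays at the read-only default
      contents: write
    environment: release
    runs-on: ubuntu-22.04
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - id: version
        # strip leading `v` from tag, since it's not part of the version
        # see https://github.com/orgs/community/discussions/26625 for substring feature request
        # `${GITHUB_REF_NAME#v}` removes the prefix only if present, so a tag without
        # it still yields a usable `v=<tag>` output (the previous sed produced no
        # `v=` key in that case, leaving VERSION empty in the next step)
        run: |
          echo "v=${GITHUB_REF_NAME#v}" >> "${GITHUB_OUTPUT}"
      - run: |
          # collect optional flags in an array so an empty set adds no argument
          ARGS=()
          case "$VERSION" in
            *a*|*b*|*rc*)
              ARGS+=("--prerelease")
              ;;
          esac
          # tag names are supplied by whoever pushed the tag; keep them quoted so
          # they are passed as single arguments rather than word-split by the shell
          cat <<EOF | gh release create --repo "$GITHUB_REPOSITORY" "${ARGS[@]}" --verify-tag "${GITHUB_REF_NAME}" --notes-file=-
          See [release notes][], or [pyzmq on PyPI][].
          Install with:
          \`\`\`
          pip install 'pyzmq==${VERSION}'
          \`\`\`
          [release notes]: https://pyzmq.readthedocs.io/en/latest/changelog.html
          [pyzmq on PyPI]: https://pypi.org/project/pyzmq/${VERSION}/
          EOF
        env:
          # values reach the shell as environment variables, not via template
          # expansion inside `run`, so they cannot alter the script itself
          VERSION: "${{ steps.version.outputs.v }}"
          GH_TOKEN: "${{ github.token }}"

  list-wheels:
    runs-on: ubuntu-22.04
    needs:
      - sdist
      - wheel
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          path: dist
          merge-multiple: true
      - name: list wheels
        run: |
          ls -l dist
          python3 tools/wheel_summary.py dist | tee "$GITHUB_STEP_SUMMARY"

  upload-pypi:
    permissions:
      # OIDC token for PyPI trusted publishing; no long-lived API token is used
      id-token: write
    environment: release
    runs-on: ubuntu-22.04
    if: startsWith(github.ref, 'refs/tags/')
    needs:
      - sdist
      - wheel
    steps:
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          path: dist
          merge-multiple: true
      - name: Publish wheels to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1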