From 34584c7af9bd3da2ed54d38d9a588817da05de7b Mon Sep 17 00:00:00 2001
From: Jean-Christophe
Date: Thu, 23 Oct 2025 13:18:30 -0400
Subject: [PATCH] ci: fix GitHub Actions permissions and workflow structure

---
 .github/workflows/ci-and-bump.yml | 55 +++++++
 .github/workflows/publish-to-test-pypi.yml | 158 ---------------------
 .github/workflows/release.yml | 96 +++++++++++++
 3 files changed, 151 insertions(+), 158 deletions(-)
 create mode 100644 .github/workflows/ci-and-bump.yml
 delete mode 100644 .github/workflows/publish-to-test-pypi.yml
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/ci-and-bump.yml b/.github/workflows/ci-and-bump.yml
new file mode 100644
index 0000000..5e0c1d0
--- /dev/null
+++ b/.github/workflows/ci-and-bump.yml
@@ -0,0 +1,55 @@
+name: CI & Bump
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+
+permissions:
+ contents: write # allow pushing commits/tags from this workflow
+
+jobs:
+ build:
+ if: github.event_name == 'pull_request'
+ name: Build and Test on ${{ matrix.os }}
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-latest, windows-latest, macos-13, macos-14]
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.8'
+ - name: Install package
+ run: |
+ python -m pip install --upgrade pip
+ python -m pip install .
+ - name: Run tests
+ run: |
+ python -m pip install numpy pytest
+ pytest -q
+
+ bump_version_and_tag:
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main' && !startsWith(github.event.head_commit.message, 'bump:')
+ name: Bump version and tag on main
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout (HTTPS with token)
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: true # keep token in origin for push
+ - name: Set git identity
+ run: |
+ git config user.name "innoptech-bot"
+ git config user.email "ruelj2@users.noreply.github.com"
+ - name: Commitizen bump
+ id: cz
+ uses: commitizen-tools/commitizen-action@master
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ push: true # let the action push commit + tag
+ - name: Show bumped version
+ run: echo "Bumped to version ${{ steps.cz.outputs.version }}"
\ No newline at end of file
diff --git a/.github/workflows/publish-to-test-pypi.yml b/.github/workflows/publish-to-test-pypi.yml
deleted file mode 100644
index 54f535d..0000000
--- a/.github/workflows/publish-to-test-pypi.yml
+++ /dev/null
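Review bot: The tag that `commitizen-tools/commitizen-action` pushes with `secrets.GITHUB_TOKEN` will not start the `release.yml` workflow this commit adds, because events produced with the built-in token do not create new workflow runs (assuming the action pushes with the token it is given, as the `push: true` comment implies); the deleted workflow pushed with a deploy key (`secrets.COMMIT_KEY`) for exactly that reason, so the bump→release chain needs a deploy key, PAT or GitHub App token for the push, or an explicit `workflow_dispatch`/`workflow_call` hand-off to the release workflow. The workflow-level `permissions:` / `contents: write` also hands a write-capable token to the `build` job, which only checks out and runs tests on pull requests; move the grant into `bump_version_and_tag` and give `build` its own `permissions:` / `contents: read` so the job that executes contributor code is read-only. `commitizen-tools/commitizen-action@master` is a mutable branch ref executed with that write token on every push to main; pin it to a release tag or, better, a full commit SHA with the version in a trailing comment.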
@@ -1,158 +0,0 @@
----
-name: Publish OpenSTL
-on:
- push:
- branches:
- - main
- tags:
- - 'v*'
- pull_request:
- branches:
- - main
-
-jobs:
- build:
- if: "github.event_name == 'pull_request'"
- name: Build and Test on ${{ matrix.os }}
- runs-on: ${{ matrix.os }}
- strategy:
- matrix:
- os: [ubuntu-latest, windows-latest, macos-13, macos-14]
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Set up Python
- uses: actions/setup-python@v5
- with:
- python-version: '3.8'
-
- - name: Install dependencies
- run: |
- python3 -m pip install --upgrade pip
- python3 -m pip install .
-
- - name: Run tests
- run: |
- python3 -m pip install numpy pytest
- python3 -m pytest
-
- bump_version_and_tag:
- if: "github.event_name == 'push' && github.ref == 'refs/heads/main' && !startsWith(github.event.head_commit.message, 'bump:')"
- name: Bump version and tag on main
- runs-on: ubuntu-latest
- steps:
- - name: Check out
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
- ssh-key: "${{ secrets.COMMIT_KEY }}"
- name: Create bump and changelog
- uses: commitizen-tools/commitizen-action@master
- with:
- push: false
- name: Print Version
- run: echo "Bumped to version ${{ steps.cz.outputs.version }}"
- name: Push using ssh
- if: github.event_name == 'push'
- run: |
- git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
- git config --global user.email "ruelj2@users.noreply.github.com"
- git push --tags
- git push
-
- build_wheels:
- if: "github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && startsWith(github.event.head_commit.message, 'bump:')"
- name: Build wheels on ${{ matrix.os }}
- runs-on: ${{ matrix.os }}
- strategy:
- matrix:
- os: [ubuntu-latest, windows-latest, macos-13, macos-14]
- steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
- - name: Print the arch and system
- run: |
- python -c "import platform; print(f'System: {platform.system()}'); print(f'Architecture: {platform.architecture()[0]}')"
- - name: Install cibuildwheel
- run: python -m pip install cibuildwheel==2.20.0
- name: Build wheels
- run: python -m cibuildwheel --output-dir wheelhouse
- uses: actions/upload-artifact@v4
- with:
- name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }}
- path: ./wheelhouse/*.whl
-
- publish-to-testpypi:
- name: Publish Python 🐍 distribution 📦 to TestPyPI
- needs:
- - build_wheels
- runs-on: ubuntu-latest
- environment:
- name: testpypi
- url: https://test.pypi.org/p/openstl
- permissions:
- id-token: write
- steps:
- - name: Download all the dists
- uses: actions/download-artifact@v4
- with:
- pattern: cibw-*
- path: dist
- merge-multiple: true
- - name: Publish distribution 📦 to TestPyPI
- uses: pypa/gh-action-pypi-publish@release/v1
- with:
- repository-url: https://test.pypi.org/legacy/
-
- publish-to-pypi:
- name: Publish Python 🐍 distribution 📦 to PyPI
- needs:
- - publish-to-testpypi
- runs-on: ubuntu-latest
- environment:
- name: pypi
- url: https://pypi.org/p/openstl
- permissions:
- id-token: write
- steps:
- - name: Download all the dists
- uses: actions/download-artifact@v4
- with:
- pattern: cibw-*
- path: dist
- merge-multiple: true
- - name: Publish distribution 📦 to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
-
- github-release:
- name: Sign the Python 🐍 distribution 📦 with Sigstore and upload them to GitHub
- Release
- needs:
- - publish-to-pypi
- runs-on: ubuntu-latest
- permissions:
- contents: write
- id-token: write
- steps:
- - name: Download all the dists
- uses: actions/download-artifact@v4
- with:
- pattern: cibw-*
- path: dist
- merge-multiple: true
- - name: Sign the dists with Sigstore
- uses: sigstore/gh-action-sigstore-python@v2.1.1
- with:
- inputs: ./dist/*.whl
- - name: Create GitHub Release
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: gh release create '${{ github.ref_name }}' --repo '${{ github.repository
- }}' --notes ""
- name: Upload artifact signatures to GitHub Release
- env:
- GITHUB_TOKEN: ${{
github.token }}
- run: gh release upload '${{ github.ref_name }}' dist/** --repo '${{
- github.repository }}'
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..93d8cd3
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,96 @@
+name: Build & Publish
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+jobs:
+ build_wheels:
+ name: Build wheels on ${{ matrix.os }}
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-latest, windows-latest, macos-13, macos-14]
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # cibuildwheel sometimes needs tags
+ - uses: actions/setup-python@v5
+ - name: Print the arch and system
+ run: |
+ python -c "import platform; print('System:', platform.system()); print('Architecture:', platform.machine())"
+ - name: Install cibuildwheel
+ run: python -m pip install --upgrade pip cibuildwheel==2.20.0
+ - name: Build wheels
+ env:
+ CIBW_SKIP: "cp36-* cp37-* pp*"
+ run: python -m cibuildwheel --output-dir wheelhouse
+ - uses: actions/upload-artifact@v4
+ with:
+ name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }}
+ path: wheelhouse/*.whl
+
+ publish-to-testpypi:
+ name: Publish to TestPyPI
+ needs: build_wheels
+ runs-on: ubuntu-latest
+ environment:
+ name: testpypi
+ url: https://test.pypi.org/p/openstl
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ pattern: cibw-*
+ path: dist
+ merge-multiple: true
+ - uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ repository-url: https://test.pypi.org/legacy/
+
+ publish-to-pypi:
+ name: Publish to PyPI
+ needs: publish-to-testpypi
+ runs-on: ubuntu-latest
+ environment:
+ name: pypi
+ url: https://pypi.org/p/openstl
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ pattern: cibw-*
+ path: dist
+ merge-multiple: true
+ - uses: pypa/gh-action-pypi-publish@release/v1
+
+ github-release:
+ name: Sign & Upload to GitHub Release
+ needs: publish-to-pypi
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ pattern: cibw-*
+ path: dist
+ merge-multiple: true
+ - name: Sign the dists with Sigstore
+
uses: sigstore/gh-action-sigstore-python@v2.1.1
+ with:
+ inputs: ./dist/*.whl
+ - name: Create GitHub Release
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: gh release create '${{ github.ref_name }}' --repo '${{ github.repository }}' --notes ""
+ - name: Upload artifacts
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: gh release upload '${{ github.ref_name }}' dist/** --repo '${{ github.repository }}'
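Review bot: `build_wheels` declares no `permissions:` and the file sets none at workflow level, so the job that runs the most third-party code (cibuildwheel plus the project's own build) inherits the repository's default `GITHUB_TOKEN` permissions, which may still be read/write on repositories that keep the legacy default. Add a top-level `permissions:` / `contents: read` so every job starts read-only; the jobs that already carry a `permissions:` block keep their grants, since a job-level block replaces the workflow-level one. The `publish-to-*` jobs correctly rely on OIDC trusted publishing (`id-token: write`), but `pypa/gh-action-pypi-publish@release/v1` and `sigstore/gh-action-sigstore-python@v2.1.1` are mutable refs running with a token that can mint publishing credentials and write releases; pinning them to full commit SHAs (version in a trailing comment) limits the blast radius of an upstream compromise. Because any `v*` tag push publishes, confirm in the repository settings that the `testpypi` and `pypi` environments have protection rules (required reviewers and/or tag-pattern restrictions), which the workflow itself cannot express.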