From 5e95f22113d9dc55bdb283d6b3f41029fb701c13 Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 10:43:02 -0800
Subject: [PATCH 1/9] Update publish.yml to inherit secrets when calling publish-pypi
---
 .github/workflows/publish.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 04a14545..056902d9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -66,3 +66,4 @@ jobs:
 package: ${{ inputs.package }}
 deploy-to: ${{ inputs.deploy-to }}
 branch: ${{ needs.generate-changelog.outputs.branch-name }}
+ secrets: inherit
From 3f9e1b2ab29e097f16c6dac530d79a3967751eb3 Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 10:49:52 -0800
Subject: [PATCH 2/9] Update publish.yml
---
 .github/workflows/publish.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 056902d9..a4ab051e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -56,7 +56,11 @@ jobs:
 package: ${{ inputs.package }}
 deploy-to: ${{ inputs.deploy-to }}
 branch: ${{ needs.generate-changelog.outputs.branch-name }}
- secrets: inherit
+ secrets: inherit
+ permissions:
+ # this permission is required for trusted publishing
+ # see https://github.com/marketplace/actions/pypi-publish
+ id-token: write
 publish-pypi:
 if: ${{ inputs.pypi-public == true }}
From f3ee1adcca53f6f98909afc9ee6aad1335cbef9a Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 10:50:33 -0800
Subject: [PATCH 3/9] Update publish.yml
---
 .github/workflows/publish.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a4ab051e..2e9fca55 100644
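Review bot: `secrets: inherit` on the `publish-pypi` call forwards every repository, environment and organization secret the caller can see into `_publish-pypi.yml`, which is far broader than a publish step needs and means any step that reusable workflow runs (including third-party actions it pulls in) can reach all of them. Prefer an explicit `secrets:` mapping listing only the names the reusable workflow declares under `workflow_call.secrets`, so a compromise of the called workflow is bounded to those. The job this hunk modifies begins above the hunk, so I cannot see whether it already pins `permissions`; it should, for the same reason.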
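Review bot: Adding `permissions: id-token: write` to a reusable-workflow call grants OIDC minting to every job inside the called workflow, and this hunk leaves `secrets: inherit` beside it, so the called workflow now holds both credential paths. Once trusted publishing is the upload mechanism the PyPI token secret is no longer needed, so the `secrets: inherit` line should be dropped or narrowed to the specific non-PyPI secrets the workflow still consumes. Scoping the block to the job rather than the workflow level is the right shape; the comment could also name which job inside `_publish-pypi.yml` actually exchanges the token, e.g. `# only the upload job needs this; keep it off the other jobs in _publish-pypi.yml`.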
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -56,11 +56,7 @@ jobs:
 package: ${{ inputs.package }}
 deploy-to: ${{ inputs.deploy-to }}
 branch: ${{ needs.generate-changelog.outputs.branch-name }}
- secrets: inherit
- permissions:
- # this permission is required for trusted publishing
- # see https://github.com/marketplace/actions/pypi-publish
- id-token: write
+ secrets: inherit
 publish-pypi:
 if: ${{ inputs.pypi-public == true }}
@@ -70,4 +66,8 @@ jobs:
 package: ${{ inputs.package }}
 deploy-to: ${{ inputs.deploy-to }}
 branch: ${{ needs.generate-changelog.outputs.branch-name }}
- secrets: inherit
+ secrets: inherit
+ permissions:
+ # this permission is required for trusted publishing
+ # see https://github.com/marketplace/actions/pypi-publish
+ id-token: write
From 3727714bc848db47682bbe28750c420463e1a706 Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 10:59:59 -0800
Subject: [PATCH 4/9] Update publish.yml
---
 .github/workflows/publish.yml | 54 +++++++++++++++++++++++++++++++----
 1 file changed, 48 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2e9fca55..2ecc0eec 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -27,6 +27,9 @@ on:
 type: boolean
 default: false
+permissions:
+ contents: write
+
 # don't publish to the same target in parallel
 concurrency:
 group: ${{ github.workflow }}-${{ inputs.package }}-${{ inputs.deploy-to }}
@@ -58,16 +61,55 @@ jobs:
 branch: ${{ needs.generate-changelog.outputs.branch-name }}
 secrets: inherit
- publish-pypi:
+ package:
 if: ${{ inputs.pypi-public == true }}
- needs: generate-changelog
- uses: ./.github/workflows/_publish-pypi.yml
+ uses: ./.github/workflows/_package-directory.yml
 with:
 package: ${{ inputs.package }}
- deploy-to: ${{ inputs.deploy-to }}
- branch: ${{ needs.generate-changelog.outputs.branch-name }}
- secrets: inherit
+
+ publish:
+ needs: package
+ runs-on: ${{ vars.DEFAULT_RUNNER }}
+ environment:
+ name: ${{ inputs.deploy-to }}
+ url: ${{ vars.PYPI_PROJECT_URL }}/${{ inputs.package }}
 permissions:
 # this permission is required for trusted publishing
 # see https://github.com/marketplace/actions/pypi-publish
 id-token: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.branch }}
+ - uses: actions/setup-python@v5
+ with:
+ python-version: ${{ vars.DEFAULT_PYTHON_VERSION }}
+ - uses: pypa/hatch@install
+ # hatch will build using test PyPI first and fall back to prod PyPI when deploying to test
+ # this is done via environment variables in the test environment in GitHub
+ - run: hatch build && hatch run build:check-all
+ working-directory: ./${{ needs.package.outputs.directory }}
+ - uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ repository-url: ${{ vars.PYPI_REPOSITORY_URL }}
+ packages-dir: ./${{ needs.package.outputs.directory }}dist/
+
+ verify:
+ runs-on: ${{ vars.DEFAULT_RUNNER }}
+ needs: [package, publish]
+ # check the correct index
+ environment:
+ name: ${{ inputs.deploy-to }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.branch }}
+ - id: version
+ run: echo "version=$(hatch version)" >> $GITHUB_OUTPUT
+ working-directory: ./${{ needs.package.outputs.directory }}
+ - uses: nick-fields/retry@v3
+ with:
+ timeout_seconds: 10
+ retry_wait_seconds: 10
+ max_attempts: 15 # 5 minutes: (10s timeout + 10s delay) * 15 attempts
+ command: wget ${{ vars.PYPI_PROJECT_URL }}/${{ inputs.package }}/${{ steps.version.outputs.version }}
From 5b74bd7c73775cc336351e6be25a76b5859b2f5b Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 11:03:31 -0800
Subject: [PATCH 5/9] remove write permissions
---
 .github/workflows/publish.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2ecc0eec..bc810531 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -27,9 +27,6 @@ on:
 type: boolean
 default: false
-permissions:
- contents: write
-
 # don't publish to the same target in parallel
 concurrency:
 group: ${{ github.workflow }}-${{ inputs.package }}-${{ inputs.deploy-to }}
From ba477b975beab007535f23caa8680abdacc2301e Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 11:07:08 -0800
Subject: [PATCH 6/9] Update publish.yml
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index bc810531..0d99ed37 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -109,4 +109,4 @@ jobs:
 timeout_seconds: 10
 retry_wait_seconds: 10
 max_attempts: 15 # 5 minutes: (10s timeout + 10s delay) * 15 attempts
- command: wget ${{ vars.PYPI_PROJECT_URL }}/${{ inputs.package }}/${{ steps.version.outputs.version }}
+ command: wget ${{ vars.PYPI_PROJECT_URL }}/${{ steps.version.outputs.version }}
From 5a4f08dffc79cd8ba00ab800b2a4ae039204a9a1 Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 11:44:31 -0800
Subject: [PATCH 7/9] Update publish.yml
---
 .github/workflows/publish.yml | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0d99ed37..7e3b8f9e 100644
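Review bot: The new `publish` job holds `id-token: write` inside the `${{ inputs.deploy-to }}` environment yet references every action by a mutable ref — `pypa/hatch@install` and `pypa/gh-action-pypi-publish@release/v1` are branches, and `nick-fields/retry@v3`, `actions/checkout@v4`, `actions/setup-python@v5` are floating tags — so whoever can move those refs can run code with trusted-publishing rights for this package. Pin each `uses:` to a full commit SHA with the tag kept as a trailing comment (`- uses: pypa/gh-action-pypi-publish@<40-char sha> # release/v1`) and let Dependabot bump them. Separately, the `verify` job splices `${{ steps.version.outputs.version }}` (the stdout of `hatch version` over the checked-out branch) straight into a shell `command:`; the value is repository-controlled rather than from a PR, but routing it through step `env:` (`VERSION: ${{ steps.version.outputs.version }}`, then `wget "$PYPI_PROJECT_URL/$PACKAGE/$VERSION"`) removes the expression-injection path regardless, assuming the retry action inherits step `env:` as its README says. Also, `packages-dir: ./${{ needs.package.outputs.directory }}dist/` is only correct if the `directory` output already ends in `/`; that contract lives in `_package-directory.yml`, which is outside this diff, and is worth a comment on the line.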
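Review bot: After this change the verify `command:` fetches `${{ vars.PYPI_PROJECT_URL }}/<version>` while the `publish` job's `environment.url`, set in patch 4 and not touched here, is still `${{ vars.PYPI_PROJECT_URL }}/${{ inputs.package }}`; the two lines now disagree on whether `PYPI_PROJECT_URL` already includes the package name, so one of them points at the wrong page. If the variable is per-package, change the environment line to `url: ${{ vars.PYPI_PROJECT_URL }}` for consistency; if it is the index root, the wget needs `inputs.package` back. Note as well that a 200 from the project page only shows the release is listed; it does not establish that the artifact the index serves matches what this run built, which a `pip download` plus hash comparison against the local `dist/` would. The enclosing `verify` job starts above this hunk.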
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -65,7 +65,7 @@ jobs:
 package: ${{ inputs.package }}
 publish:
- needs: package
+ needs: [package, generate-changelog]
 runs-on: ${{ vars.DEFAULT_RUNNER }}
 environment:
 name: ${{ inputs.deploy-to }}
@@ -90,17 +90,6 @@ jobs:
 with:
 repository-url: ${{ vars.PYPI_REPOSITORY_URL }}
 packages-dir: ./${{ needs.package.outputs.directory }}dist/
-
- verify:
- runs-on: ${{ vars.DEFAULT_RUNNER }}
- needs: [package, publish]
- # check the correct index
- environment:
- name: ${{ inputs.deploy-to }}
- steps:
- - uses: actions/checkout@v4
- with:
- ref: ${{ inputs.branch }}
 - id: version
 run: echo "version=$(hatch version)" >> $GITHUB_OUTPUT
 working-directory: ./${{ needs.package.outputs.directory }}
From 3fc76a5ed5ffe435d52520beb02699260037488b Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 11:46:47 -0800
Subject: [PATCH 8/9] Update publish.yml
---
 .github/workflows/publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7e3b8f9e..15944402 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -64,7 +64,8 @@ jobs:
 with:
 package: ${{ inputs.package }}
- publish:
+ publish-pypi:
+ if: ${{ inputs.pypi-public == true }}
 needs: [package, generate-changelog]
 runs-on: ${{ vars.DEFAULT_RUNNER }}
 environment:
From cb20674f22b8b4080b7c2e6c387bf025b54405db Mon Sep 17 00:00:00 2001
From: Colin Rogers <111200756+colin-rogers-dbt@users.noreply.github.com>
Date: Wed, 18 Dec 2024 11:49:20 -0800
Subject: [PATCH 9/9] Update publish.yml
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 15944402..421a66ad 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
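Review bot: With the `verify` job deleted, the surviving `- id: version` step and the retry-wget after it now run inside the same job that performed the upload (the `publish` job begins above this hunk), so a failure of the index poll — a slow CDN, all 15 attempts exhausted — fails a job whose upload already succeeded. Re-running that job re-executes `pypa/gh-action-pypi-publish`, and PyPI rejects a second upload of an already-published filename unless the step opts in with `skip-existing: true` under the publish step's `with:`; add that so a re-run after a verification-only failure is idempotent. Keeping the poll in a separate job, as the deleted `verify` did, also kept the third-party retry action out of the job that holds `id-token: write`; if the single-job layout stays, that trade-off deserves a one-line comment above the retry step.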
@@ -78,7 +78,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
- ref: ${{ inputs.branch }}
+ ref: ${{ needs.generate-changelog.outputs.branch-name }}
 - uses: actions/setup-python@v5
 with:
 python-version: ${{ vars.DEFAULT_PYTHON_VERSION }}
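Review bot: `ref: ${{ needs.generate-changelog.outputs.branch-name }}` checks out a branch name, and a branch is a moving ref: whatever is pushed to it between `generate-changelog` finishing and this checkout is what gets built and published, and the run leaves no record of which commit that was. Have `generate-changelog` export the commit it produced as a second output alongside `branch-name` and use it here, e.g. `ref: ${{ needs.generate-changelog.outputs.commit-sha }}`, so the published artifact is tied to an immutable revision that can be cited in provenance. Whether `inputs.branch` has any remaining reader after this change cannot be seen from the hunk; if not, the input should be removed from `on:` so callers do not pass a value that is silently ignored. The `publish-pypi` job this step belongs to starts above the hunk.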