workflow

langchain-ai · Jan 29, 2024 · 4f9b90c · 4f9b90c
1 parent 9f56158
commit 4f9b90c
Showing 1 changed file with 34 additions and 23 deletions.
diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml
@@ -1,44 +1,43 @@
-name: release
-run-name: Release langchain-weaviate by @${{ github.actor }}
+name: release-please
 on:
-  workflow_call:
-  workflow_dispatch:
+  push:
+    branches:
+      - main
+permissions:
+  contents: write
+  pull-requests: write
 
 env:
   PYTHON_VERSION: "3.10"
   POETRY_VERSION: "1.7.1"
 
 jobs:
-  build:
-    if: github.ref == 'refs/heads/main'
+  release-please:
     runs-on: ubuntu-latest
-
     outputs:
-      pkg-name: ${{ steps.check-version.outputs.pkg-name }}
-      version: ${{ steps.check-version.outputs.version }}
-
+      releases_created: ${{ steps.release.outputs.release_created }}
+      paths_released: ${{ steps.release.outputs.paths_released }}
+      prs_created: ${{ steps.release.outputs.prs_created }}
+      prs: ${{ steps.release.outputs.prs }}
+    steps:
+      - uses: google-github-actions/release-please-action@v4
+        id: release
+        with:
+          manifest-file: ".release-please-manifest.json"
+          config-file: "release-please-config.json"
+  build:
+    needs: release-please
+    if: ${{ needs.release-please.outputs.releases_created }}
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-
       - name: Set up Python + Poetry ${{ env.POETRY_VERSION }}
         uses: "./.github/actions/poetry_setup"
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           poetry-version: ${{ env.POETRY_VERSION }}
           working-directory: .
           cache-key: release
-
-      # We want to keep this build stage *separate* from the release stage,
-      # so that there's no sharing of permissions between them.
-      # The release stage has trusted publishing and GitHub repo contents write access,
-      # and we want to keep the scope of that access limited just to the release job.
-      # Otherwise, a malicious `build` step (e.g. via a compromised dependency)
-      # could get access to our GitHub or PyPI credentials.
-      #
-      # Per the trusted publishing GitHub Action:
-      # > It is strongly advised to separate jobs for building [...]
-      # > from the publish job.
-      # https://github.com/pypa/gh-action-pypi-publish#non-goals
       - name: Build project for distribution
         run: poetry build
         working-directory: .
@@ -57,6 +56,18 @@ jobs:
           echo pkg-name="$(poetry version | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
           echo version="$(poetry version --short)" >> $GITHUB_OUTPUT
 
+      # We want to keep this build stage *separate* from the release stage,
+      # so that there's no sharing of permissions between them.
+      # The release stage has trusted publishing and GitHub repo contents write access,
+      # and we want to keep the scope of that access limited just to the release job.
+      # Otherwise, a malicious `build` step (e.g. via a compromised dependency)
+      # could get access to our GitHub or PyPI credentials.
+      #
+      # Per the trusted publishing GitHub Action:
+      # > It is strongly advised to separate jobs for building [...]
+      # > from the publish job.
+      # https://github.com/pypa/gh-action-pypi-publish#non-goals
+
   test-pypi-publish:
     needs:
       - build