datamasque-python/.github/workflows/release-testpypi.yml at main · datamasque/datamasque-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: Release (TestPyPI)

on:
  workflow_dispatch:
    inputs:
      ref:
        description: 'Branch, tag, or commit SHA to build from'
        required: true
        default: 'main'
      dev_version:
        description: >-
          Optional PEP 440 pre/dev version override (e.g. 1.1.0.dev1, 1.1.0a2, 1.1.0rc1).
          Leave blank to use the version in pyproject.toml as-is.
        required: false
        default: ''

jobs:
  build:
    name: Build sdist and wheel
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}

      - name: Set up uv
        uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install 3.12

      - name: Apply dev_version override
        if: inputs.dev_version != ''
        # Pass the input through the environment, never interpolated into the script body:
        # `${{ }}` is expanded into the script text before the shell runs, so splicing it inline
        # would let a crafted dev_version inject shell commands before the validation below could reject it.
        env:
          DEV_VERSION: ${{ inputs.dev_version }}
        run: |
          # Reject anything that isn't a pre-release / dev version — final releases must go through release.yml.
          if ! printf '%s' "${DEV_VERSION}" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(a|b|rc|\.dev)[0-9]+$'; then
            echo "::error::dev_version '${DEV_VERSION}' is not a PEP 440 pre/dev version (must end in aN, bN, rcN, or .devN)"
            exit 1
          fi
          uv run python -c "
          import os, re, pathlib
          version = os.environ['DEV_VERSION']
          path = pathlib.Path('pyproject.toml')
          text = path.read_text()
          new = re.sub(r'^version\s*=\s*\".*\"', f'version = \"{version}\"', text, count=1, flags=re.M)
          if new == text:
              raise SystemExit('Failed to locate version line in pyproject.toml')
          path.write_text(new)
          "

      - name: Show package version
        env:
          REF: ${{ inputs.ref }}
        run: |
          VERSION="$(uv run python -c 'import tomllib; print(tomllib.loads(open("pyproject.toml","rb").read().decode())["project"]["version"])')"
          echo "Publishing version: ${VERSION} (from ref ${REF})"
          echo "::notice title=TestPyPI version::${VERSION} from ${REF}"

      - name: Build
        run: uv build

      - name: Validate distributions
        run: uvx twine check dist/*

      - name: Upload distributions
        uses: actions/upload-artifact@v4
        with:
          name: dist-testpypi
          path: dist/
          retention-days: 7

  publish:
    name: Publish to TestPyPI
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: testpypi
      url: https://test.pypi.org/p/datamasque-python
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Download distributions
        uses: actions/download-artifact@v4
        with:
          name: dist-testpypi
          path: dist/

      - name: Publish to TestPyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/