Merge pull request #477 from powerapi-ng/ci/release-slsa-permissions #20
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| permissions: | |
| contents: read | |
| jobs: | |
| pre-checks: | |
| name: Release Pre-Checks | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Check if package version corresponds to git tag | |
| shell: python | |
| env: | |
| PYTHONPATH: ${{ github.workspace }}/src | |
| run: | | |
| import os | |
| import sys | |
| from powerapi import __version__ | |
| git_tag = os.environ['GITHUB_REF_NAME'].removeprefix('v') | |
| pkg_version = __version__ | |
| if git_tag != pkg_version: | |
| title = 'Invalid version' | |
| file = 'src/powerapi/__init__.py' | |
| msg = f'Version mismatch between python package ({pkg_version}) and git tag ({git_tag})' | |
| print(f'::error title={title},file={file}::{msg}') | |
| sys.exit(1) | |
| build-python-package: | |
| name: Build Python Package | |
| runs-on: ubuntu-latest | |
| needs: [pre-checks] | |
| outputs: | |
| dist-hashes: ${{ steps.dist-hashes.outputs.hash }} | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Python | |
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | |
| with: | |
| python-version: "3.x" | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@d8db0a86d3d88f3017a4e6b8a1e2b234e7a0a1b5 # v4.0.0 | |
| - name: Build sdist and wheel | |
| run: | | |
| uv build --sdist --wheel --out-dir dist/ | |
| - name: Compute SHA256 hashes of build artifacts | |
| id: dist-hashes | |
| shell: bash | |
| run: | | |
| cd ./dist && echo "hash=$(sha256sum -- * | base64 -w0)" >> $GITHUB_OUTPUT | |
| - name: Upload build artifacts | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: "python-build-dist" | |
| path: ./dist | |
| if-no-files-found: error | |
| slsa-provenance: | |
| name: Generate artifacts provenance attestation | |
| needs: [build-python-package] | |
| permissions: | |
| actions: read | |
| contents: write | |
| id-token: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| base64-subjects: "${{ needs.build-python-package.outputs.dist-hashes }}" | |
| upload-assets: false | |
| publish-python-package: | |
| name: Publish Pypi Package | |
| runs-on: ubuntu-latest | |
| needs: [build-python-package, slsa-provenance] | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: "python-build-dist" | |
| - name: Publish package | |
| uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2 | |
| with: | |
| print-hash: true | |
| attestations: true | |
| docker-image: | |
| name: Publish Docker image | |
| runs-on: ubuntu-latest | |
| needs: [pre-checks] | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
| - name: Setup Docker buildx | |
| uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| username: ${{ vars.DOCKER_HUB_USERNAME }} | |
| password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 | |
| with: | |
| images: | | |
| docker.io/powerapi/powerapi | |
| ghcr.io/powerapi-ng/powerapi | |
| tags: | | |
| type=pep440,pattern={{version}} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 | |
| id: build-and-push | |
| with: | |
| push: true | |
| provenance: false | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| github-release: | |
| name: Publish GitHub release | |
| runs-on: ubuntu-latest | |
| needs: [publish-python-package, docker-image] | |
| permissions: | |
| contents: write | |
| env: | |
| CHGLOG_VERSION: "0.15.4" | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Generate version changelog | |
| run: | | |
| set -euo pipefail | |
| export BASE_URL="https://github.com/git-chglog/git-chglog/releases/download" | |
| export FILENAME="git-chglog_${CHGLOG_VERSION}_linux_amd64.tar.gz" | |
| curl -fsSL "${BASE_URL}/v${CHGLOG_VERSION}/${FILENAME}" |sudo tar xz --no-same-owner -C /usr/local/bin git-chglog | |
| git-chglog --config .github/chglog/config.yml --output CHANGELOG.md "${GITHUB_REF_NAME}" | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| - name: Create GitHub release | |
| uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 | |
| with: | |
| body_path: CHANGELOG.md | |
| files: | | |
| dist/powerapi-*.whl | |
| dist/powerapi-*.tar.gz | |
| *.intoto.jsonl |