fix: Pin pyparsing<3.2.0 for httplib2 compatibility #89
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # SPDX-License-Identifier: Apache-2.0 | |
| # SPDX-FileCopyrightText: 2025 The Linux Foundation | |
| # Runs on a new pull request, performs build and runs tests | |
| name: 'Python Build/Test/Release' | |
| # yamllint disable-line rule:truthy | |
| on: | |
| # Trigger on tag push events | |
| push: | |
| tags: | |
| - '**' | |
| permissions: {} | |
| jobs: | |
| tag-validate: | |
| name: 'Validate Tag Push' | |
| runs-on: 'ubuntu-latest' | |
| permissions: | |
| contents: read | |
| timeout-minutes: 1 | |
| outputs: | |
| tag: "${{ steps.tag-validate.outputs.tag }}" | |
| should_promote: "${{ steps.check-release.outputs.should_promote }}" | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: 'audit' | |
| - name: 'Verify Pushed Tag' | |
| id: 'tag-validate' | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/tag-push-verify-action@80e2bdbbb9ee7b67557a31705892b75e75d2859e # v0.1.1 | |
| with: | |
| versioning: 'semver' | |
| - name: 'Reject Development Tags' | |
| if: steps.tag-validate.outputs.dev_version == 'true' | |
| shell: bash | |
| run: | | |
| # Reject Development Tags | |
| echo "Development tag pushed; aborting release workflow 🛑" | |
| echo "Development tag pushed; aborting release workflow 🛑" \ | |
| >> "$GITHUB_STEP_SUMMARY" | |
| exit 1 | |
| - name: 'Check if release exists' | |
| id: 'check-release' | |
| shell: bash | |
| env: | |
| GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| run: | | |
| TAG="${{ steps.tag-validate.outputs.tag }}" | |
| # Check if release exists and get its draft status | |
| if RELEASE_INFO=$(gh release view "$TAG" --json isDraft \ | |
| 2>/dev/null); then | |
| IS_DRAFT=$(echo "$RELEASE_INFO" | jq -r '.isDraft') | |
| if [ "$IS_DRAFT" = "false" ]; then | |
| echo "should_promote=false" >> "$GITHUB_OUTPUT" | |
| echo "Published release already exists for tag $TAG, " \ | |
| "skipping promotion" | |
| else | |
| echo "should_promote=true" >> "$GITHUB_OUTPUT" | |
| echo "Draft release exists for tag $TAG, " \ | |
| "will proceed with promotion" | |
| fi | |
| else | |
| echo "should_promote=true" >> "$GITHUB_OUTPUT" | |
| echo "No release found for tag $TAG, will proceed with promotion" | |
| fi | |
| python-build: | |
| name: 'Python Build' | |
| needs: 'tag-validate' | |
| runs-on: 'ubuntu-latest' | |
| outputs: | |
| matrix_json: "${{ steps.python-build.outputs.matrix_json }}" | |
| artefact_name: "${{ steps.python-build.outputs.artefact_name }}" | |
| artefact_path: "${{ steps.python-build.outputs.artefact_path }}" | |
| permissions: | |
| contents: read | |
| id-token: write # Needed for attestations | |
| attestations: write # Needed for attestations | |
| timeout-minutes: 12 | |
| env: | |
| GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: 'audit' | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: 'Build Python project' | |
| id: 'python-build' | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/python-build-action@48381cece78a990a6ba93bd5924bcd40bf0d1a7d # v0.1.20 | |
| with: | |
| sigstore_sign: true | |
| attestations: true | |
| python-tests: | |
| name: 'Python Tests' | |
| runs-on: 'ubuntu-latest' | |
| needs: 'python-build' | |
| # Matrix job | |
| strategy: | |
| fail-fast: false | |
| matrix: "${{ fromJson(needs.python-build.outputs.matrix_json) }}" | |
| permissions: | |
| contents: read | |
| timeout-minutes: 12 | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: 'audit' | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: 'Test Python project [PYTEST]' | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/python-test-action@bdde9e4e6221e858359f9036bd4f41ab3b1af90e # v0.1.11 | |
| with: | |
| python_version: "${{ matrix.python-version }}" | |
| python-audit: | |
| name: 'Python Audit' | |
| runs-on: 'ubuntu-latest' | |
| needs: 'python-build' | |
| # Matrix job | |
| strategy: | |
| fail-fast: false | |
| matrix: "${{ fromJson(needs.python-build.outputs.matrix_json) }}" | |
| permissions: | |
| contents: read | |
| timeout-minutes: 10 | |
| continue-on-error: true | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: 'audit' | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: 'Audit Python project' | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/python-audit-action@bab5316468c108870eb759ef0de622bae9239aad # v0.2.2 | |
| with: | |
| python_version: "${{ matrix.python-version }}" | |
| test-pypi: | |
| name: 'Test PyPI Publishing' | |
| runs-on: 'ubuntu-latest' | |
| needs: | |
| - 'tag-validate' | |
| - 'python-tests' | |
| - 'python-audit' | |
| environment: | |
| name: 'development' | |
| permissions: | |
| contents: read | |
| id-token: write # IMPORTANT: mandatory for trusted publishing | |
| timeout-minutes: 5 | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: 'audit' | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: 'Test PyPI publishing' | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/pypi-publish-action@81a056957ed050f8305760055b1fd8103a916989 # v0.1.1 | |
| with: | |
| environment: 'development' | |
| tag: "${{ needs.tag-validate.outputs.tag }}" | |
| pypi_credential: "${{ secrets.TEST_PYPI_CREDENTIAL }}" | |
| pypi: | |
| name: 'Release PyPI Package' | |
| runs-on: 'ubuntu-latest' | |
| needs: | |
| - 'tag-validate' | |
| - 'test-pypi' | |
| environment: | |
| name: 'production' | |
| permissions: | |
| contents: read | |
| id-token: write # IMPORTANT: mandatory for trusted publishing | |
| timeout-minutes: 5 | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: 'audit' | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: 'PyPI release' | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/pypi-publish-action@81a056957ed050f8305760055b1fd8103a916989 # v0.1.1 | |
| with: | |
| environment: 'production' | |
| attestations: true | |
| tag: "${{ needs.tag-validate.outputs.tag }}" | |
| pypi_credential: "${{ secrets.PYPI_CREDENTIAL }}" | |
| promote-release: | |
| name: 'Promote Draft Release' | |
| # yamllint disable-line rule:line-length | |
| if: needs.tag-validate.outputs.should_promote == 'true' | |
| needs: | |
| - 'tag-validate' | |
| - 'pypi' | |
| runs-on: 'ubuntu-latest' | |
| permissions: | |
| contents: write # IMPORTANT: needed to edit a draft release and promote it | |
| timeout-minutes: 2 | |
| outputs: | |
| release_url: "${{ steps.promote-release.outputs.release_url }}" | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: 'audit' | |
| # yamllint disable-line rule:line-length | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: 'Check if release is already promoted' | |
| id: 'check-promoted' | |
| shell: bash | |
| env: | |
| GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| run: | | |
| TAG="${{ needs.tag-validate.outputs.tag }}" | |
| if gh release view "$TAG" --json isDraft --jq '.isDraft' \ | |
| 2>/dev/null | grep -q "false"; then | |
| echo "Release $TAG is already promoted, skipping promotion" | |
| echo "already_promoted=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "Release $TAG is draft or doesn't exist, " \ | |
| "proceeding with promotion" | |
| echo "already_promoted=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: 'Promote draft release' | |
| id: 'promote-release' | |
| if: steps.check-promoted.outputs.already_promoted == 'false' | |
| # yamllint disable-line rule:line-length | |
| uses: lfreleng-actions/draft-release-promote-action@d7e7df12e32fa26b28dbc2f18a12766482785399 # v0.1.2 | |
| with: | |
| token: "${{ secrets.GITHUB_TOKEN }}" | |
| tag: "${{ needs.tag-validate.outputs.tag }}" | |
| latest: true | |
| - name: 'Set release URL for already promoted release' | |
| if: steps.check-promoted.outputs.already_promoted == 'true' | |
| shell: bash | |
| env: | |
| GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
| run: | | |
| TAG="${{ needs.tag-validate.outputs.tag }}" | |
| RELEASE_URL=$(gh release view "$TAG" --json url --jq '.url') | |
| echo "release_url=$RELEASE_URL" >> "$GITHUB_OUTPUT" | |
| # Need to attach build artefacts to the release | |
| # This step could potentially be moved | |
| # (May be better to when/where the release is still in draft state) | |
| attach-artefacts: | |
| name: 'Attach Artefacts to Release' | |
| runs-on: 'ubuntu-latest' | |
| needs: | |
| - 'tag-validate' | |
| - 'python-build' | |
| - 'promote-release' | |
| # yamllint disable-line rule:line-length | |
| if: always() && (needs.promote-release.result == 'success' || needs.promote-release.result == 'skipped') | |
| permissions: | |
| contents: write # IMPORTANT: needed to edit release, attach artefacts | |
| timeout-minutes: 5 | |
| steps: | |
| # Harden the runner used by this workflow | |
| # yamllint disable-line rule:line-length | |
| - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: 'audit' | |
| # Note: no need for a checkout step in this job | |
| - name: '⬇ Download build artefacts' | |
| # yamllint disable-line rule:line-length | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 | |
| with: | |
| name: "${{ needs.python-build.outputs.artefact_name }}" | |
| path: "${{ needs.python-build.outputs.artefact_path }}" | |
| - name: 'Attach build artefacts to release' | |
| # yamllint disable-line rule:line-length | |
| uses: alexellis/upload-assets@13926a61cdb2cb35f5fdef1c06b8b591523236d3 # 0.4.1 | |
| env: | |
| GITHUB_TOKEN: "${{ github.token }}" | |
| with: | |
| asset_paths: '["${{ needs.python-build.outputs.artefact_path }}/**"]' |