Skip to content

chore(ci): update conformance certificate and report #4

chore(ci): update conformance certificate and report

chore(ci): update conformance certificate and report #4

Workflow file for this run

# Publish to PyPI when you push a release tag that matches [project].version in pyproject.toml.
#
# 1. Bump [project].version in pyproject.toml and merge to main.
# 2. Create an annotated tag whose name is v plus that exact version (e.g. 0.2.0 -> v0.2.0).
# 3. git push origin vX.Y.Z — this workflow verifies the tag matches pyproject.toml, then uploads.
#
# Configure PyPI “Trusted Publisher” for this workflow (OIDC; no PyPI token in GitHub secrets):
# https://docs.pypi.org/trusted-publishers/
# Optional: set `environment: pypi` on the job and use the same name in PyPI for release approvals.
name: Release
on:
push:
tags:
- "v*"
permissions:
contents: read
checks: read
jobs:
preflight:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Verify required CI checks passed on release SHA
uses: actions/github-script@v8
with:
script: |
const requiredExact = ["no-handwritten-model-types", "hardening", "intentproof-spec", "spec-golden-parity"];
const requiredPrefixes = ["tox (static", "tox (cov"];
const { owner, repo } = context.repo;
const ref = context.sha;
const runs = await github.paginate(github.rest.checks.listForRef, {
owner,
repo,
ref,
per_page: 100,
});
const names = runs.map((r) => `${r.name}:${r.conclusion ?? r.status}`);
core.info(`check-runs on ${ref}: ${names.join(", ")}`);
for (const name of requiredExact) {
const matches = runs.filter((r) => r.name === name);
if (matches.length === 0) {
core.setFailed(`Missing required check-run: ${name}`);
continue;
}
const ok = matches.some((r) => r.conclusion === "success");
if (!ok) {
core.setFailed(`Required check-run not successful: ${name}`);
}
}
for (const prefix of requiredPrefixes) {
const matches = runs.filter((r) => r.name.startsWith(prefix));
if (matches.length === 0) {
core.setFailed(`Missing required check-run prefix: ${prefix}`);
continue;
}
const ok = matches.some((r) => r.conclusion === "success");
if (!ok) {
core.setFailed(`Required check-run prefix not successful: ${prefix}`);
}
}
publish:
needs: preflight
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v6
- name: Resolve pinned intentproof-spec revision
id: spec_pin
run: |
set -euo pipefail
python3 - <<'PY'
import os
import tomllib
from pathlib import Path
c = tomllib.loads(Path("pyproject.toml").read_text(encoding="utf-8"))["tool"]["intentproof"]["spec-commit"]
with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as f:
f.write(f"sha={c}\n")
PY
- uses: actions/checkout@v6
with:
repository: IntentProof/intentproof-spec
ref: ${{ steps.spec_pin.outputs.sha }}
fetch-depth: 0
path: intentproof-spec
- uses: ./.github/actions/setup-python-pip
with:
python-version: "3.x"
check-latest: true
- name: No handwritten model/types outside generated schema package
env:
INTENTPROOF_SPEC_ROOT: ${{ github.workspace }}/intentproof-spec
run: bash scripts/check-no-handwritten-model-types.sh
- name: Verify tag matches pyproject.toml version
env:
TAG_NAME: ${{ github.ref_name }}
run: |
python << 'PY'
import os
import tomllib
tag = os.environ["TAG_NAME"]
if not tag.startswith("v"):
raise SystemExit(f"Tag must start with v, got {tag!r}")
with open("pyproject.toml", "rb") as f:
project = tomllib.load(f)["project"]
version = str(project["version"])
if tag.removeprefix("v") != version:
raise SystemExit(
f"Tag {tag!r} must match [project].version {version!r} in pyproject.toml"
)
PY
- name: Install build
run: pip install "build>=1.2"
- name: Build sdist and wheel
run: python -m build
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: dist/