chore(ci): update conformance certificate and report #4
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Publish to PyPI when you push a release tag that matches [project].version in pyproject.toml. | |
| # | |
| # 1. Bump [project].version in pyproject.toml and merge to main. | |
| # 2. Create an annotated tag whose name is v plus that exact version (e.g. 0.2.0 -> v0.2.0). | |
| # 3. git push origin vX.Y.Z — this workflow verifies the tag matches pyproject.toml, then uploads. | |
| # | |
| # Configure PyPI “Trusted Publisher” for this workflow (OIDC; no PyPI token in GitHub secrets): | |
| # https://docs.pypi.org/trusted-publishers/ | |
| # Optional: set `environment: pypi` on the job and use the same name in PyPI for release approvals. | |
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| permissions: | |
| contents: read | |
| checks: read | |
| jobs: | |
| preflight: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Verify required CI checks passed on release SHA | |
| uses: actions/github-script@v8 | |
| with: | |
| script: | | |
| const requiredExact = ["no-handwritten-model-types", "hardening", "intentproof-spec", "spec-golden-parity"]; | |
| const requiredPrefixes = ["tox (static", "tox (cov"]; | |
| const { owner, repo } = context.repo; | |
| const ref = context.sha; | |
| const runs = await github.paginate(github.rest.checks.listForRef, { | |
| owner, | |
| repo, | |
| ref, | |
| per_page: 100, | |
| }); | |
| const names = runs.map((r) => `${r.name}:${r.conclusion ?? r.status}`); | |
| core.info(`check-runs on ${ref}: ${names.join(", ")}`); | |
| for (const name of requiredExact) { | |
| const matches = runs.filter((r) => r.name === name); | |
| if (matches.length === 0) { | |
| core.setFailed(`Missing required check-run: ${name}`); | |
| continue; | |
| } | |
| const ok = matches.some((r) => r.conclusion === "success"); | |
| if (!ok) { | |
| core.setFailed(`Required check-run not successful: ${name}`); | |
| } | |
| } | |
| for (const prefix of requiredPrefixes) { | |
| const matches = runs.filter((r) => r.name.startsWith(prefix)); | |
| if (matches.length === 0) { | |
| core.setFailed(`Missing required check-run prefix: ${prefix}`); | |
| continue; | |
| } | |
| const ok = matches.some((r) => r.conclusion === "success"); | |
| if (!ok) { | |
| core.setFailed(`Required check-run prefix not successful: ${prefix}`); | |
| } | |
| } | |
| publish: | |
| needs: preflight | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Resolve pinned intentproof-spec revision | |
| id: spec_pin | |
| run: | | |
| set -euo pipefail | |
| python3 - <<'PY' | |
| import os | |
| import tomllib | |
| from pathlib import Path | |
| c = tomllib.loads(Path("pyproject.toml").read_text(encoding="utf-8"))["tool"]["intentproof"]["spec-commit"] | |
| with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as f: | |
| f.write(f"sha={c}\n") | |
| PY | |
| - uses: actions/checkout@v6 | |
| with: | |
| repository: IntentProof/intentproof-spec | |
| ref: ${{ steps.spec_pin.outputs.sha }} | |
| fetch-depth: 0 | |
| path: intentproof-spec | |
| - uses: ./.github/actions/setup-python-pip | |
| with: | |
| python-version: "3.x" | |
| check-latest: true | |
| - name: No handwritten model/types outside generated schema package | |
| env: | |
| INTENTPROOF_SPEC_ROOT: ${{ github.workspace }}/intentproof-spec | |
| run: bash scripts/check-no-handwritten-model-types.sh | |
| - name: Verify tag matches pyproject.toml version | |
| env: | |
| TAG_NAME: ${{ github.ref_name }} | |
| run: | | |
| python << 'PY' | |
| import os | |
| import tomllib | |
| tag = os.environ["TAG_NAME"] | |
| if not tag.startswith("v"): | |
| raise SystemExit(f"Tag must start with v, got {tag!r}") | |
| with open("pyproject.toml", "rb") as f: | |
| project = tomllib.load(f)["project"] | |
| version = str(project["version"]) | |
| if tag.removeprefix("v") != version: | |
| raise SystemExit( | |
| f"Tag {tag!r} must match [project].version {version!r} in pyproject.toml" | |
| ) | |
| PY | |
| - name: Install build | |
| run: pip install "build>=1.2" | |
| - name: Build sdist and wheel | |
| run: python -m build | |
| - name: Publish to PyPI | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| packages-dir: dist/ |