CI: use PyPI's trusted publishing #220
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Continuous integration | |
| on: | |
| push: | |
| pull_request: | |
| jobs: | |
| build: | |
| # To prevent this job from running, have "[skip ci]" or "[ci skip]" in the commit message | |
| if: contains(toJson(github.event.commits), '[ci skip]') == false && contains(toJson(github.event.commits), '[skip ci]') == false | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| python-version: ["3.9", "3.10", "3.11", "3.12"] | |
| exclude: | |
| # pycifrw 4.4.4 is broken on Windows / python 3.10 | |
| - os: windows-latest | |
| python-version: "3.10" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python ${{ matrix.python-version }} on ${{ matrix.os }} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - uses: actions/cache@v4 | |
| if: startsWith(runner.os, 'Linux') | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('**/*requirements.txt') }} | |
| - uses: actions/cache@v4 | |
| if: startsWith(runner.os, 'macOS') | |
| with: | |
| path: ~/Library/Caches/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('**/*requirements.txt') }} | |
| - uses: actions/cache@v4 | |
| if: startsWith(runner.os, 'Windows') | |
| with: | |
| path: ~\AppData\Local\pip\Cache | |
| key: ${{ runner.os }}-py${{ matrix.python-version }}-pip-${{ hashFiles('**/*requirements.txt') }} | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install numpy wheel | |
| pip install -r requirements.txt | |
| pip install -r dev-requirements.txt | |
| # We run the tests on the installed package, with all optional dependencies | |
| # Note the use of the -Wa flag to show DeprecationWarnings | |
| - name: Unit tests | |
| run: | | |
| python -m pip install .[diffshow] | |
| cd ~ | |
| python -Wa -m pytest --pyargs skued --import-mode=importlib | |
| - name: Build documentation | |
| run: | | |
| python setup.py build_sphinx | |
| - name: Doctests | |
| run: | | |
| python -m sphinx -b doctest docs build | |
| release: | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| needs: [build] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.10" | |
| - name: Install dependencies | |
| run: | | |
| pip install -r requirements.txt | |
| pip install -r dev-requirements.txt | |
| - name: Create release description | |
| run: | | |
| python release-description.py CHANGELOG.rst > description.md | |
| cat description.md | |
| - name: Create source distribution | |
| run: | | |
| python setup.py sdist | |
| - name: Create release | |
| uses: softprops/action-gh-release@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| body_path: description.md | |
| files: | | |
| dist/* | |
| # Github Actions have been set as a trusted publisher on PyPI's npstreams project, | |
| # hence why no username, password, or token is required. | |
| - name: Upload to PyPI | |
| if: always() | |
| uses: pypa/gh-action-pypi-publish@release/v1 |