From e8be01f1040f77ba64277bb89d53f8f4dfe52ad9 Mon Sep 17 00:00:00 2001 From: mshafer-NI <23644905+mshafer-NI@users.noreply.github.com> Date: Fri, 20 Jun 2025 13:15:08 -0500 Subject: [PATCH 1/4] update publishing flow to use ni/python-actions --- .github/workflows/Publish-Package.yml | 59 ++++++++++++++------------- 1 file changed, 31 insertions(+), 28 deletions(-) diff --git a/.github/workflows/Publish-Package.yml b/.github/workflows/Publish-Package.yml index 5fe1f6ed..6973aa85 100644 --- a/.github/workflows/Publish-Package.yml +++ b/.github/workflows/Publish-Package.yml @@ -20,12 +20,20 @@ jobs: persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token fetch-depth: 0 # otherwise, you will failed to push refs to dest repo - - uses: actions/setup-python@v2 + - name: Set up Python + uses: ni/python-actions/setup-python@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 + - name: Set up Poetry + uses: ni/python-actions/setup-poetry@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 + - name: Check project version + if: github.event_name == 'release' + uses: ni/python-actions/check-project-version@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 + - name: Build distribution packages + run: poetry build + - name: Upload build artifacts + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: - python-version: ${{ env.PYTHON_VERSION }} - - uses: Gr1N/setup-poetry@v8 - with: - poetry-version: ${{ env.POETRY_VERSION }} + name: ${{ env.dist-artifact-name }} + path: dist/* # @TODO: This is a workaround for there not being a way to check the lock file # See: https://github.com/python-poetry/poetry/issues/453 - name: Check for lock changes 
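Review bot: The new `Build distribution packages` and `Upload build artifacts` steps run before `Check for lock changes`, the lint step and the tests that follow later in `publish_package`, so a run keeps a downloadable artifact even when those checks fail. I'd move the two steps below the test step so the only artifact attached to a run is one built from code that passed the checks; the later commits in this series move the build into its own job, which makes the ordering explicit. `publish_package` continues outside this hunk.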
@@ -45,30 +53,25 @@ jobs: # If the version is 0.1.0-alpha.0, this will set the version to 0.1.0 - name: Promote package version to release + uses: ni/python-actions/update-project-version@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 + with: + create-pull-request: false + commit-message: "Bump package version to minor release version" + version-rule: "minor" + - name: Build Python package + if: ${{ github.event.release.target_commitish == 'main' || startsWith(github.event.release.target_commitish, 'releases/')}} run: | - poetry version patch - - - name: Build Python package and publish to PyPI - if: ${{ github.event.release.target_commitish == 'main' }} - run: | - poetry publish --build --username __token__ --password ${{ secrets.PYPI_TOKEN}} + poetry build + - name: Upload Python package + if: ${{ github.event.release.target_commitish == 'main' || startsWith(github.event.release.target_commitish, 'releases/')}} + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 + with: + packages-dir: dist/ + - name: Bump poetry version to next alpha version - run: | - poetry version prepatch - - - name: Commit files - if: ${{ github.event.release.target_commitish == 'main' }} - run: | - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" - git pull --tags -f - git commit -m "Bump package version" -a - - - name: Push changes - if: ${{ github.event.release.target_commitish == 'main' }} - uses: CasperWA/push-protected@v2 + uses: ni/python-actions/update-project-version@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 with: - token: ${{ secrets.ADMIN_PAT }} - branch: ${{ github.event.release.target_commitish }} - unprotect_reviews: true + create-pull-request: true + commit-message: "Bump package version" + version-rule: "prepatch" From bab594cda95639469c67786297e74f4e6f698288 Mon Sep 17 00:00:00 2001 
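Review bot: The new `Upload Python package` step removes the `--password ${{ secrets.PYPI_TOKEN }}` authentication but gives pypa/gh-action-pypi-publish no replacement: trusted publishing needs `permissions: id-token: write` on the job (plus a trusted publisher configured on PyPI), and this commit adds neither, so the upload step has no credential to use. Separately, the second `poetry build` in `Build Python package` writes into the same `dist/` that `Build distribution packages` earlier in the job already filled with the pre-promotion alpha version, and as far as I know `poetry build` does not clear that directory, so `packages-dir: dist/` would push both the alpha and the promoted release. The later commits in this series restructure the build into one job and add `id-token: write`; if this commit is meant to stand on its own, add `permissions:` / `  id-token: write` to `publish_package` and clear `dist/` before the second build. `publish_package` begins outside this hunk.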
From: Brad Keryan Date: Wed, 9 Jul 2025 11:48:46 -0400 Subject: [PATCH 2/4] github: Split Publish-Package.yml jobs according to security best practices --- .github/workflows/PR.yml | 2 + .github/workflows/Publish-Package.yml | 130 +++++++++++++++----------- 2 files changed, 77 insertions(+), 55 deletions(-) diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml index 88f57fd8..f666c462 100644 --- a/.github/workflows/PR.yml +++ b/.github/workflows/PR.yml @@ -10,6 +10,8 @@ on: - pyproject.toml - docs/Coding-Conventions.md - .github/workflows/PR.yml + workflow_call: + workflow_dispatch: env: POETRY_VERSION: 1.8.1 diff --git a/.github/workflows/Publish-Package.yml b/.github/workflows/Publish-Package.yml index 6973aa85..208e9181 100644 --- a/.github/workflows/Publish-Package.yml +++ b/.github/workflows/Publish-Package.yml 
@@ -2,31 +2,52 @@ name: Publish Package on: release: - types: [released] + types: [published] + workflow_dispatch: + inputs: + environment: + description: The environment to publish to. + default: 'none' + required: true + type: choice + options: + - none + - pypi + - testpypi env: - # Versions are also listed in PR.yml - POETRY_VERSION: 1.8.1 - PYTHON_VERSION: 3.11 # Use latest + dist-artifact-name: package-distribution-packages + environment: ${{ github.event_name == 'release' && 'pypi' || inputs.environment }} + environment-info: | + { + "pypi": { + "base-url": "https://pypi.org", + "upload-url": "https://upload.pypi.org/legacy/" + }, + "testpypi": { + "base-url": "https://test.pypi.org", + "upload-url": "https://test.pypi.org/legacy/" + } + } jobs: - publish_package: - name: Publish Package + check_package: + name: Check package + uses: ./.github/workflows/PR.yml + build_package: + name: Build package runs-on: ubuntu-latest + needs: [check_package] steps: - - uses: actions/checkout@v2 - with: - ref: ${{ github.event.release.target_commitish }} # This is the branch the release was created from. 
Normally main, but can be a dev branch - persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token - fetch-depth: 0 # otherwise, you will failed to push refs to dest repo - + - name: Check out repo + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Python - uses: ni/python-actions/setup-python@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 + uses: ni/python-actions/setup-python@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 - name: Set up Poetry - uses: ni/python-actions/setup-poetry@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 + uses: ni/python-actions/setup-poetry@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 - name: Check project version if: github.event_name == 'release' - uses: ni/python-actions/check-project-version@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 + uses: ni/python-actions/check-project-version@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 - name: Build distribution packages run: poetry build - name: Upload build artifacts 
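Review bot: Neither the workflow nor the new `build_package` job (nor the reusable `check_package` call) declares `permissions:`, so those jobs run with the repository's default GITHUB_TOKEN permissions, which on older repositories is write-all, while the later `publish_to_pypi` and `update_version` jobs declare their own. Add a top-level `permissions:` / `  contents: read` block after `on:` so the build and check jobs get a read-only token and only the two publishing jobs elevate. Note also that `types: [published]` fires for GitHub pre-releases as well, which `released` did not; if pre-releases are not meant to reach PyPI, gate the publish job with `if: (github.event_name == 'release' && !github.event.release.prerelease) || inputs.environment != 'none'`. The `actions/checkout` step in `build_package` also keeps the default `persist-credentials: true`, which a build-only job does not need. `build_package` continues outside this hunk.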
@@ -34,44 +55,43 @@ jobs: with: name: ${{ env.dist-artifact-name }} path: dist/* - # @TODO: This is a workaround for there not being a way to check the lock file - # See: https://github.com/python-poetry/poetry/issues/453 - - name: Check for lock changes - run: | - poetry lock --check - - uses: actions/cache@v4 - with: - path: ~/.cache/pypoetry/virtualenvs - key: ${{ runner.os }}-poetry-${{ hashFiles('poetry.lock') }} - - name: Install the Package - run: poetry install - - name: Lint the Code - run: poetry run ni-python-styleguide lint - - - name: Run tests - run: poetry run pytest -v - - # If the version is 0.1.0-alpha.0, this will set the version to 0.1.0 - - name: Promote package version to release - uses: ni/python-actions/update-project-version@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 - with: - create-pull-request: false - commit-message: "Bump package version to minor release version" - version-rule: "minor" - - name: Build Python package - if: ${{ github.event.release.target_commitish == 'main' || startsWith(github.event.release.target_commitish, 'releases/')}} - run: | - poetry build - - - name: Upload Python package - if: ${{ github.event.release.target_commitish == 'main' || startsWith(github.event.release.target_commitish, 'releases/')}} - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 - with: - packages-dir: dist/ - - - name: Bump poetry version to next alpha version - uses: ni/python-actions/update-project-version@97860b52be87c788fb6df812bd8d1ca68c7aa885 # v0.3.0 + publish_to_pypi: + name: Publish package to PyPI + if: github.event_name == 'release' || inputs.environment != 'none' + runs-on: ubuntu-latest + needs: [build_package] + environment: + # This logic is duplicated because `name` doesn't support the `env` context. 
+ name: ${{ github.event_name == 'release' && 'pypi' || inputs.environment }} + url: ${{ fromJson(env.environment-info)[env.environment].base-url }}/p/ni-python-styleguide + permissions: + id-token: write + steps: + - name: Download build artifacts + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: ${{ env.dist-artifact-name }} + path: dist/ + - run: ls -lR + - name: Upload to ${{ env.environment }} + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 + with: + repository-url: ${{ fromJson(env.environment-info)[env.environment].upload-url }} + update_version: + name: Update package version + runs-on: ubuntu-latest + needs: [build_package] + permissions: + contents: write + pull-requests: write + steps: + - name: Check out repo + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Set up Python + uses: ni/python-actions/setup-python@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 + - name: Set up Poetry + uses: ni/python-actions/setup-poetry@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 + - name: Update project version + uses: ni/python-actions/update-project-version@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 with: - create-pull-request: true - commit-message: "Bump package version" - version-rule: "prepatch" + token: ${{ secrets.ADMIN_PAT }} From 2b5ec89d49449be1fb75700e3448192881947b21 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Wed, 9 Jul 2025 13:38:15 -0400 Subject: [PATCH 3/4] github: Restore versioning policy --- .github/workflows/Publish-Package.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/Publish-Package.yml b/.github/workflows/Publish-Package.yml index 208e9181..5aa59071 100644 --- a/.github/workflows/Publish-Package.yml +++ b/.github/workflows/Publish-Package.yml 
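Review bot: `update_version` is reachable from every `workflow_dispatch` run (`needs: [build_package]` and no `if:`), so choosing `environment: none` or `testpypi` still opens a version-bump PR, and a failed or skipped `publish_to_pypi` does not stop it either, since the two jobs are siblings rather than a chain. Unless bumping on test runs is intended, make the bump depend on the upload: `needs: [build_package, publish_to_pypi]` together with `if: github.event_name == 'release'`; the same `needs: [build_package]` line is still visible as context in the third commit's `@@ -78,7 +81,7 @@` hunk. Since the update step authenticates with `secrets.ADMIN_PAT`, the job's `contents: write` / `pull-requests: write` grants only apply to the GITHUB_TOKEN that `actions/checkout` persists, which deserves a comment next to the `permissions:` block. The unnamed `- run: ls -lR` step would read better as `- name: List build artifacts` / `run: ls -lR`. `build_package`'s step list begins outside this hunk.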
@@ -45,6 +45,9 @@ jobs: uses: ni/python-actions/setup-python@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 - name: Set up Poetry uses: ni/python-actions/setup-poetry@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 + # If the version is 0.1.0-alpha.0, this will set the version to 0.1.0 + - name: Promote package version to release + run: poetry version patch - name: Check project version if: github.event_name == 'release' uses: ni/python-actions/check-project-version@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 @@ -78,7 +81,7 @@ jobs: with: repository-url: ${{ fromJson(env.environment-info)[env.environment].upload-url }} update_version: - name: Update package version + name: Update package version to next alpha version runs-on: ubuntu-latest needs: [build_package] permissions: @@ -94,4 +97,7 @@ jobs: - name: Update project version uses: ni/python-actions/update-project-version@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 with: + # The default GITHUB_TOKEN cannot trigger PR workflows. token: ${{ secrets.ADMIN_PAT }} + version-rule: "prepatch" + use-dev-suffix: false From bb1de828b017505c01376a929c2f2f8de9a9f4d6 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Wed, 9 Jul 2025 13:55:57 -0400 Subject: [PATCH 4/4] github: Fix next version update --- .github/workflows/Publish-Package.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/Publish-Package.yml b/.github/workflows/Publish-Package.yml index 5aa59071..0e9e68fc 100644 --- a/.github/workflows/Publish-Package.yml +++ b/.github/workflows/Publish-Package.yml 
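Review bot: `token: ${{ secrets.ADMIN_PAT }}` in the third hunk (`@@ -94,4 +97,7 @@`) hands `update-project-version` a credential whose name suggests an admin-scoped PAT, while the job now only needs to commit to a branch and open a PR; the push-to-protected-branch path (`CasperWA/push-protected` with `unprotect_reviews`) that would have justified admin rights was removed in the first commit of this series. A fine-grained PAT or GitHub App installation token limited to this repository with `contents: write` and `pull-requests: write` still triggers PR workflows, which is the only reason the new comment gives for not using GITHUB_TOKEN. I'd extend that comment to record the requirement so the secret is not widened again: `# The default GITHUB_TOKEN cannot trigger PR workflows; use a token scoped to contents+pull-requests write on this repo.`. `update_version` begins outside this hunk.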
@@ -94,6 +94,9 @@ jobs: uses: ni/python-actions/setup-python@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 - name: Set up Poetry uses: ni/python-actions/setup-poetry@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 + # If the version is 0.1.0-alpha.0, this will set the version to 0.1.0 + - name: Promote package version to release + run: poetry version patch - name: Update project version uses: ni/python-actions/update-project-version@5286c12d65d90b2ea738bd57d452dc4366497581 # v0.4.1 with:
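Review bot: The `Promote package version to release` step added here is a verbatim copy of the one the previous commit inserted into `build_package`, and nothing ties the two together: `update_version` checks out its own tree, so the promotion must be repeated before the `prepatch` rule is applied, but a later edit to one copy (a different bump rule, say) would silently desynchronise the published version from the next-alpha bump. I'd say so in the comment rather than repeating only the example: `# Same promotion as in build_package: this job has its own checkout, so the release version must be recomputed here before the prepatch bump. Keep both steps in sync.`. `update_version` starts outside this hunk.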