publish.yaml.jinja
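{% raw %}name: Publish to Production Package Registry

# Manually triggered release workflow: lint -> test -> build and publish.
# NOTE(review): workflow_dispatch can be started from any branch by anyone with
# write access to the repository. Confirm that the trust policy of the publishing
# role, or a protected GitHub environment on the build job, limits which ref may
# publish to the production registry.
on:
  workflow_dispatch:

env:
  PYTHONUNBUFFERED: True
  PRE_COMMIT_HOME: ${{ github.workspace }}/.precommit_cache

# Workflow-wide default scope for GITHUB_TOKEN. A job that declares its own
# permissions block (lint) replaces this default entirely.
# NOTE(review): the local install_deps_uv action is not visible here; if it pushes
# to the repository, the job using it must also request contents: write.
permissions:
  id-token: write # OIDC token requested by the "OIDC Auth" steps below
  contents: read # enough for actions/checkout; write is granted to lint only

jobs:
  lint:
    name: Pre-commit
    runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}
    # Job-level permissions override the workflow default, so both scopes are listed.
    permissions:
      id-token: write
      contents: write # needed for mutex
    steps:
      - name: Checkout code
        uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}

      # python-version is quoted so a value such as 3.10 is not parsed as the float 3.1.
      - name: Install latest versions of python packages
        uses: ./.github/actions/install_deps_uv
        with:
          python-version: {% endraw %}"{{ python_version }}"{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}
          code-artifact-auth-role-name: CoreInfraBaseAccess
          code-artifact-auth-role-account-id: {% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}
          code-artifact-auth-region: {% endraw %}{{ aws_org_home_region }}{% endif %}{% raw %}

      # NOTE(review): third-party action that runs with contents: write. Confirm the
      # gha_mutex template value is a full commit SHA rather than a movable tag.
      - name: Set up mutex # Github concurrency management is horrible, things get arbitrarily cancelled if queued up. So using mutex until github fixes itself. When multiple jobs are modifying cache at once, weird things can happen. possible issue is https://github.com/actions/toolkit/issues/658
        if: ${{ runner.os != 'Windows' }} # we're just gonna have to YOLO on Windows, because this action doesn't support it yet https://github.com/ben-z/gh-action-mutex/issues/14
        uses: ben-z/gh-action-mutex@{% endraw %}{{ gha_mutex }}{% raw %}
        with:
          branch: mutex-venv-{% endraw %}{{ gha_linux_runner }}{% raw %}-py{% endraw %}{{ python_version }}{% raw %}
        timeout-minutes: 30 # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it

      # The cache key includes the hash of .pre-commit-config.yaml, so a change to
      # the hook configuration produces a new cache entry.
      - name: Cache Pre-commit hooks
        uses: actions/cache@{% endraw %}{{ gha_cache }}{% raw %}
        env:
          cache-name: cache-pre-commit-hooks
        with:
          path: ${{ env.PRE_COMMIT_HOME }}
          key: {% endraw %}{{ gha_linux_runner }}{% raw %}-py{% endraw %}{{ python_version }}{% raw %}-build-${{ env.cache-name }}-${{ hashFiles('.pre-commit-config.yaml') }}
          restore-keys: |
            {% endraw %}{{ gha_linux_runner }}{% raw %}-py{% endraw %}{{ python_version }}{% raw %}-build-${{ env.cache-name }}-

      - name: Run pre-commit
        run: pre-commit run -a

  # Runs the unit tests on every OS / Python combination before anything is built.
  test:
    needs: [ lint ]
    strategy:
      matrix:
        # Runner labels and versions are quoted so that they stay strings; an
        # unquoted 3.10 would be parsed as the float 3.1, and the include entry
        # below already uses quoted values.
        os:
          - "{% endraw %}{{ gha_linux_runner }}{% raw %}"
{% endraw %}{% if use_windows_in_ci %}          - "{{ gha_windows_runner }}"{% endif %}{% raw %}
        python-version:
{% endraw %}{% for item in python_ci_versions %}
          - "{{ item }}"
{% endfor %}{% raw %}
        # Adds JOB_MATCHING_DEV_ENV to the Linux / first-listed-version combination.
        include:
          - os: "{% endraw %}{{ gha_linux_runner }}{% raw %}"
            python-version: "{% endraw %}{{ python_ci_versions[0] }}{% raw %}"
            JOB_MATCHING_DEV_ENV: true
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
        uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}

      - name: Install python tooling
        uses: ./.github/actions/install_deps_uv
        with:
          python-version: ${{ matrix.python-version }}{% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}
          code-artifact-auth-role-name: CoreInfraBaseAccess
          code-artifact-auth-role-account-id: {% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}
          code-artifact-auth-region: {% endraw %}{{ aws_org_home_region }}{% endif %}{% raw %}

      - name: Unit test
        run: uv run pytest --durations=5

  # Builds the distribution and publishes it. In the CodeArtifact variant the job
  # first assumes CoreInfraBaseAccess for the build, then switches to the
  # repository-specific GHA-CA-Primary role just before publishing.
  build:
    needs: [ test ]
    runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}
    steps:
      - name: Checkout code
        uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}

      - name: Install python tooling
        uses: ./.github/actions/install_deps_uv
        with:
          python-version: {% endraw %}"{{ python_version }}"{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}
          code-artifact-auth-role-name: CoreInfraBaseAccess
          code-artifact-auth-role-account-id: {% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}
          code-artifact-auth-region: {% endraw %}{{ aws_org_home_region }}{% endif %}{% raw %}

{% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}
      - name: OIDC Auth for Installing any dependencies that uv may need for build (sometimes it likes to install setuptools...even if it's already in the package dependencies)
        uses: aws-actions/configure-aws-credentials@{% endraw %}{{ gha_configure_aws_credentials }}{% raw %}
        with:
          role-to-assume: arn:aws:iam::{% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}:role/CoreInfraBaseAccess
          aws-region: {% endraw %}{{ aws_org_home_region }}{% raw %}
{% endraw %}{% endif %}{% raw %}

      - name: Build package
        run: |
{% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}          . .devcontainer/code-artifact-auth.sh{% endraw %}{% endif %}{% raw %}
          uv build --no-sources

{% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}
      - name: OIDC Auth for Publishing to CodeArtifact
        uses: aws-actions/configure-aws-credentials@{% endraw %}{{ gha_configure_aws_credentials }}{% raw %}
        with:
          role-to-assume: arn:aws:iam::{% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}:role/GHA-CA-Primary-{% endraw %}{{ repo_name }}{% raw %}
          aws-region: {% endraw %}{{ aws_org_home_region }}{% raw %}
{% endraw %}{% endif %}{% raw %}

      # NOTE(review): in the CodeArtifact variant the registry token is passed as a
      # command-line argument. uv also reads UV_PUBLISH_PASSWORD from the
      # environment, which keeps the token out of the process argument list.
      # TWINE_PASSWORD is presumably set by the sourced code-artifact-auth.sh
      # (not visible here) - confirm.
      - name: Publish package
        run: |
{% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}          . .devcontainer/code-artifact-auth.sh{% endraw %}{% endif %}{% raw %}
          uv publish --verbose --index {% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}code-artifact-primary --username aws --password "$TWINE_PASSWORD"{% else %}pypi{% endif %}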