Skip to content

[8.0] fix(Resources): AREX should renew the delegation before submitting a payload #9655

[8.0] fix(Resources): AREX should renew the delegation before submitting a payload

[8.0] fix(Resources): AREX should renew the delegation before submitting a payload #9655

Workflow file for this run

name: Deployment
on:
push:
pull_request:
workflow_dispatch:
inputs:
check-ci:
description: "Require the CI to have passed for this commit"
required: true
default: "yes"
version:
description: "Override the release version number (e.g. 8.0.0a5)"
jobs:
deploy-pypi:
name: PyPI deployment
runs-on: "ubuntu-latest"
if: github.event_name != 'push' || github.repository == 'DIRACGrid/DIRAC'
permissions:
id-token: write
attestations: write
contents: write
defaults:
run:
shell: bash -l {0}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.PAT || github.token }}
- run: |
git fetch --prune --unshallow
git config --global user.email "[email protected]"
git config --global user.name "DIRACGrid CI"
- uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Installing dependencies
run: |
python -m pip install \
build \
python-dateutil \
pytz \
readme_renderer \
requests \
setuptools_scm
- name: Validate README for PyPI
run: |
python -m readme_renderer README.rst -o /tmp/README.html
- name: Prepare release notes
run: |
set -xeuo pipefail
IFS=$'\n\t'
PREV_VERSION=$(git describe --tags --abbrev=0 --match '*[0-9].[0-9]*' --exclude 'v[0-9]r*' --exclude 'v[0-9][0-9]r*')
REFERENCE_BRANCH=${GITHUB_REF#refs/heads/}
echo "Making release notes for ${REFERENCE_BRANCH} since ${PREV_VERSION}"
./docs/diracdoctools/scripts/dirac-docs-get-release-notes.py \
--token "${{ secrets.GITHUB_TOKEN }}" \
--sinceTag "${PREV_VERSION}" \
--branches "${REFERENCE_BRANCH}" \
--repo "${{ github.repository }}" \
> release.notes.new
cat release.notes.new
- name: Create tag if required
id: check-tag
run: |
set -xeuo pipefail
IFS=$'\n\t'
# Only do a real release for workflow_dispatch events from DIRACGrid/DIRAC for integration for Python 3 compatible branches
if [[ "${{ github.repository }}" == "DIRACGrid/DIRAC" ]]; then
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
if [[ "${{ github.event.ref }}" =~ ^refs/heads/(integration|rel-v([8-9]|[1-9][0-9]+)r[0-9]+)$ ]]; then
echo "Will create a real release"
export NEW_VERSION="v${{ github.event.inputs.version }}"
if [[ "${NEW_VERSION}" == "v" ]]; then
# If version wasn't given as an input to the workflow, use setuptools_scm to guess while removing "dev" portion of the version number
NEW_VERSION=v$(python -m setuptools_scm | sed 's@Guessed Version @@g' | sed -E 's@(\.dev|\+g).+@@g')
export NEW_VERSION
fi
echo "Release will be named $NEW_VERSION"
# Validate the version
# Ensure the version doesn't look like a PEP-440 "dev release" (which might happen if the automatic version bump has issues)
python -c $'from packaging.version import Version; v = Version('"'$NEW_VERSION'"$')\nif v.is_devrelease:\n raise ValueError(v)'
if [[ "${{ github.event.ref }}" =~ ^refs/heads/integration$ ]]; then
# If we're releasing from integration it must be a pre-release
python -c $'from packaging.version import Version; v = Version('"'$NEW_VERSION'"$')\nif not v.is_prerelease:\n raise ValueError("integration should only be used for pre-releases")'
elif [[ "${{ github.event.ref }}" != "$(python -c $'from packaging.version import Version; v = Version('"'$NEW_VERSION'"$')\nprint(f"refs/heads/rel-v{v.major}r{v.minor}")')" ]]; then
# If we're not releasing from integration the version should match the rel-vXrY branch name
echo "$NEW_VERSION is an invalid version for ${{ github.event.ref }}"
exit 2
fi
# Commit the release notes
mv release.notes release.notes.old
{
echo -e "[${NEW_VERSION}]" && \
tail -n +2 release.notes.new | perl -0777pe 's/\n+$/\n\n/' && \
cat release.notes.old;
} > release.notes
git add release.notes
git commit -m "docs: Add release notes for $NEW_VERSION"
git show
# Create the tag
git tag "$NEW_VERSION"
echo "create-release=true" >> $GITHUB_OUTPUT
echo "new-version=$NEW_VERSION" >> $GITHUB_OUTPUT
fi
fi
fi
- name: Build distributions
run: |
python -m build
- name: Make release on GitHub
if: steps.check-tag.outputs.create-release == 'true'
run: |
set -e
export NEW_VERSION=${{ steps.check-tag.outputs.new-version }}
echo "Pushing tagged release notes to ${GITHUB_REF#refs/heads/}"
git push "origin" "${GITHUB_REF#refs/heads/}"
echo "Making GitHub release for ${NEW_VERSION}"
.github/workflows/make_release.py \
--repo="${{ github.repository }}" \
--token="${{ secrets.GITHUB_TOKEN }}" \
--version="${NEW_VERSION}" \
--rev="$(git rev-parse HEAD)" \
--release-notes-fn="release.notes.new"
- name: Publish package on PyPI
if: steps.check-tag.outputs.create-release == 'true'
uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
password: ${{ secrets.PYPI_API_TOKEN }}
deploy_CVMFS:
runs-on: "ubuntu-latest"
if: github.event_name == 'workflow_dispatch'
needs: deploy-pypi
steps:
- uses: conda-incubator/setup-miniconda@v3
with:
channels: conda-forge,defaults
channel-priority: true
- name: Deploy on CVMFS
env:
CVMFS_PROXY_BASE64: ${{ secrets.CVMFS_PROXY_BASE64 }}
run: |
source /usr/share/miniconda3/etc/profile.d/conda.sh
conda create -n CVMFS_deploy ca-policy-lcg openssl=3.0.0 gct
conda activate CVMFS_deploy
echo "$CVMFS_PROXY_BASE64" | base64 --decode > cvmfs.proxy
chmod 600 cvmfs.proxy
export X509_USER_PROXY=cvmfs.proxy
export PATH=/usr/share/miniconda3/bin:/opt/conda/bin/:/opt/conda/condabin:$PATH
mkdir -p ~/.ssh/ && touch ~/.ssh/known_hosts
ssh-keyscan cvmfs-upload01.gridpp.rl.ac.uk >> ~/.ssh/known_hosts
gsissh -p 1975 -t cvmfs-upload01.gridpp.rl.ac.uk /home/diracsgm/admin/sync_packages.sh