Add optional pypi release job inside the reusable tox workflow

ansible · Nov 11, 2024 · fd8e955 · fd8e955
1 parent 24da778
commit fd8e955
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 42 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
@@ -54,18 +54,23 @@ on:
         description: Command to run after test commands.
         required: false
         type: string
+      publish_pypi:
+        default: false
+        description: Whether to publish to PyPI
+        required: false
+        type: boolean
 # keep permissions at top level because this is a composite workflow
 permissions:
   checks: read
   contents: read
-  id-token: write
+  id-token: write # release
   packages: write # some tox environments might produce containers
   pull-requests: write # allow codenotify to comment on pull-request
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # might be needed by tox commands
   FORCE_COLOR: 1 # tox, pytest, ansible-lint
   PY_COLORS: 1
-
+  TOX_PARALLEL_NO_SPINNER: 1
 jobs:
   prepare:
     name: prepare
@@ -247,3 +252,44 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         # https://github.com/sourcegraph/codenotify/issues/19
         continue-on-error: true
+
+  pypi:
+    name: release ${{ github.event.ref }}
+    # if: github.ref_type == 'tag' || inputs.publish_pypi == 'true'
+    needs: check
+    environment: release # keep it here to allow users to prompt for release
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Switch to using Python 3.12 by default
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install tox
+        run: python3 -m pip install --user "tox>=4.0.0"
+
+      - name: Check out src from Git
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # needed by setuptools-scm
+
+      - name: Build dists
+        run: python3 -m tox -e pkg
+
+      - name: Fail if secrets are not available
+        env:
+          PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+        run: |
+          if [ -z "${PYPI_API_TOKEN}" ]; then
+            echo "PYPI_API_TOKEN is not set, please add it to your repository environment named 'release'."
+            exit 1
+          fi
+
+      - name: Publish to pypi.org
+        uses: pypa/gh-action-pypi-publish@release/v1
+        if: inputs.publish_pypi
+        with:
+          # trusted publishing is not possible with shared workflows due to
+          # https://github.com/pypi/warehouse/issues/11096 so we need to use
+          # secrets instead.
+          password: ${{ secrets.PYPI_API_TOKEN }}