Skip to content

Add upstream contribution policy #374

Add upstream contribution policy

Add upstream contribution policy #374

Workflow file for this run

name: "Build and maybe upload PyPI package"
on:
release:
types: [published]
push:
branches: [main]
tags: ["*"]
pull_request:
branches:
- main
workflow_dispatch:
env:
FORCE_COLOR: "1" # Make tools pretty.
permissions:
contents: read # This is required for actions/checkout
jobs:
# Always build & verify package.
build-package:
name: Build & verify package
runs-on: ubuntu-latest
strategy:
matrix:
directory:
- "conda-store"
- "conda-store-server"
defaults:
run:
working-directory: ${{ matrix.directory }}
steps:
- name: "Checkout Repository 🛎"
uses: actions/checkout@v4
with:
fetch-depth: 0
- run: echo "Running on ${{ matrix.directory }}"
- name: "Check package build - ${{ matrix.directory }} 📦"
uses: hynek/build-and-inspect-python-package@v1
with:
path: ${{ matrix.directory }}
# Adding a separate upload for publishing
- name: "Upload build artefacts 📤"
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.directory }}-package
path: |
/tmp/baipp/dist/*.whl
/tmp/baipp/dist/*.tar.gz
# Upload to Test PyPI on every commit on main
release-test-pypi:
name: Publish in-dev to test.pypi.org
environment: release-test-pypi
if: github.repository_owner == 'conda-incubator' && github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs: build-package
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
strategy:
matrix:
directory:
- "conda-store"
- "conda-store-server"
steps:
- name: "Download build artefacts 📥"
uses: actions/download-artifact@v3
with:
name: ${{ matrix.directory }}-package
path: dist
- name: "Upload package to Test PyPI"
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
print-hash: true
verbose: true
release-pypi:
name: Publish released package to pypi.org
environment: release-pypi
if: github.repository_owner == 'conda-incubator' && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
needs: build-package
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
strategy:
matrix:
directory:
- "conda-store"
- "conda-store-server"
defaults:
run:
working-directory: ${{ matrix.directory }}
steps:
- name: "Download build artefacts 📥"
uses: actions/download-artifact@v3
with:
name: ${{ matrix.directory }}-package
path: dist
- name: "Upload to PyPI 🚀"
uses: pypa/gh-action-pypi-publish@release/v1
with:
print-hash: true
verbose: true
build_and_push_docker_image:
name: "Build Docker Images 🛠"
runs-on: ubuntu-latest
needs: release-pypi
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
strategy:
matrix:
docker-image:
- conda-store
- conda-store-server
steps:
- name: "Checkout Repository 🛎"
uses: actions/checkout@v4
- name: "Retrieve secret from Vault 🗝"
uses: hashicorp/vault-action@v2
with:
method: jwt
url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
namespace: "admin/quansight"
role: "repository-conda-incubator-conda-store-role"
secrets: |
kv/data/repository/conda-incubator/conda-store/shared_secrets DOCKER_QUANSIGHT_USERNAME | DOCKER_USERNAME;
kv/data/repository/conda-incubator/conda-store/shared_secrets DOCKER_QUANSIGHT_PASSWORD | DOCKER_PASSWORD;
kv/data/repository/conda-incubator/conda-store/shared_secrets QUAY_QUANSIGHT_USERNAME | QUAY_USERNAME;
kv/data/repository/conda-incubator/conda-store/shared_secrets QUAY_QUANSIGHT_PASSWORD | QUAY_PASSWORD;
- name: "Set up Docker Buildx 🏗"
uses: docker/setup-buildx-action@v3
- name: "Login to Docker Hub 🐳"
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_PASSWORD }}
- name: "Login to quay.io 🐳"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ env.QUAY_USERNAME }}
password: ${{ env.QUAY_PASSWORD }}
- name: "Add Docker metadata 📝"
id: meta
uses: docker/metadata-action@v5
with:
images: |
quansight/${{ matrix.docker-image }}
quay.io/quansight/${{ matrix.docker-image }}
tags: |
type=ref,event=tag
type=ref,event=branch
type=sha
- name: "Publish Docker image 🚀"
uses: docker/build-push-action@v5
with:
context: "${{ matrix.docker-image }}"
target: "prod"
file: "${{ matrix.docker-image }}/Dockerfile"
build-args: |
RELEASE_VERSION=${{github.ref_name}}
tags: |
${{ steps.meta.outputs.tags }}
push: true
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')