Automate PyPI releases (#1071)

* Automate PyPI releases * Update .github/workflows/pypi-package.yml Co-authored-by: Sviatoslav Sydorenko <wk@sydorenko.org.ua> * Update .github/workflows/pypi-package.yml Co-authored-by: Sviatoslav Sydorenko <wk@sydorenko.org.ua> * Split uploads for more granular control * Add fix for coverage 7 * Use environments Co-authored-by: Sviatoslav Sydorenko <wk@sydorenko.org.ua>
2022-12-19 14:55:18 +01:00 · 2022-12-19 14:55:18 +01:00 · a74bb8e1bd
parent 37e46c0761
commit a74bb8e1bd
1 changed files with 77 additions and 0 deletions
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@ -0,0 +1,77 @@
+---
+name: Build & push package to (Test-) PyPI
+
+on:
+  push:
+    branches: [main]
+    tags: ["*"]
+  pull_request:
+    branches: [main]
+  release:
+    types:
+      - published
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release-test-pypi:
+    environment: release-test-pypi
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && github.repository_owner == 'python-attrs'
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            test.pypi.org:443
+
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: hynek/build-and-inspect-python-package@v1
+        id: baipp
+
+      # Upload to Test PyPI on every pushed tag.
+      - name: Publish package to TestPyPI
+
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
+          repository_url: https://test.pypi.org/legacy/
+          packages_dir: ${{ steps.baipp.outputs.dist }}
+
+  release-pypi:
+    environment: release-pypi
+    runs-on: ubuntu-latest
+    if: github.event.action == 'published' && github.repository_owner == 'python-attrs'
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: hynek/build-and-inspect-python-package@v1
+        id: baipp
+
+      # Upload to real PyPI on GitHub Releases.
+      - name: Publish package to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.PYPI_API_TOKEN }}
+          packages_dir: ${{ steps.baipp.outputs.dist }}