ci: Update action versions for node deprecation

The changes to checkout and setup-python shouldn't have been major version bumps. upload-artifact and download-artifact should have had updated node versions on v3 so we don't have to adapt to incompatible changes here. But anyway, here we are. build.yml has updates from https://github.com/pypa/cibuildwheel/blob/main/examples/github-deploy.yml This commit also moves the pypi upload step to use OIDC instead of a static token.
2024-06-03 21:05:22 -04:00 · 2024-06-03 21:05:22 -04:00 · b2431b273b
parent b109915b4e
commit b2431b273b
2 changed files with 32 additions and 27 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -25,8 +25,8 @@ jobs:
    name: Build sdist
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
        name: Install Python
        with:
          python-version: ${{ env.python-version }}
@ -36,8 +36,9 @@ jobs:
      - name: Build sdist
        run: "python setup.py sdist && ls -l dist"

-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
        with:
+          name: artifacts-sdist
          path: ./dist/tornado-*.tar.gz

  build_wheels:
@ -49,22 +50,23 @@ jobs:
        os: [ubuntu-22.04, windows-2022, macos-12]

    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
        name: Install Python
        with:
          python-version: ${{ env.python-version }}
      - name: Set up QEMU
        if: runner.os == 'Linux'
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
        with:
          platforms: all

      - name: Build wheels
-        uses: pypa/cibuildwheel@v2.12.1
+        uses: pypa/cibuildwheel@v2.18

-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
        with:
+          name: artifacts-${{ matrix.os }}
          path: ./wheelhouse/*.whl

  upload_pypi_test:
@ -72,31 +74,34 @@ jobs:
    needs: [build_wheels, build_sdist]
    runs-on: ubuntu-22.04
    if: github.repository == 'tornadoweb/tornado' && github.event_name == 'workflow_dispatch'
+    permissions:
+      # This permission is required for pypi's "trusted publisher" feature
+      id-token: write
    steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
        with:
-          name: artifact
+          pattern: artifacts-*
          path: dist
+          merge-multiple: true

-      - uses: pypa/gh-action-pypi-publish@v1.5.0
+      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          repository_url: https://test.pypi.org/legacy/
-          skip_existing: true
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true

  upload_pypi:
    name: Upload to PyPI (prod)
    needs: [build_wheels, build_sdist]
    runs-on: ubuntu-22.04
    if: github.repository == 'tornadoweb/tornado' && github.event_name == 'push' && github.ref_type == 'tag' && startsWith(github.ref_name, 'v')
+    permissions:
+      # This permission is required for pypi's "trusted publisher" feature
+      id-token: write
    steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
        with:
-          name: artifact
+          pattern: artifacts-*
          path: dist
+          merge-multiple: true

-      - uses: pypa/gh-action-pypi-publish@v1.5.0
-        with:
-          user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
+      - uses: pypa/gh-action-pypi-publish@release/v1
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -17,8 +17,8 @@ jobs:
    name: Run quick tests
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
        name: Install Python
        with:
          # Lint python version must be synced with tox.ini
@ -62,8 +62,8 @@ jobs:
            tox_env: docs

    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
        name: Install Python
        with:
          python-version: ${{ matrix.python}}
@ -85,8 +85,8 @@ jobs:
    needs: test_quick
    runs-on: windows-2022
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
        name: Install Python
        with:
          python-version: '3.11'