rotate secrets #82
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow will install Python dependencies, run tests and lint with a variety of Python versions | |
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions | |
# Based on ~/code/xcookie/xcookie/rc/tests.yml.in | |
# Now based on ~/code/xcookie/xcookie/builders/github_actions.py | |
# See: https://github.com/Erotemic/xcookie | |
name: BinPyCI | |
on: | |
push: | |
pull_request: | |
branches: [ main ] | |
jobs: | |
lint_job: | |
## | |
# Run quick linting and typing checks. | |
# To disable all linting add "linter=false" to the xcookie config. | |
# To disable type checks add "notypes" to the xcookie tags. | |
## | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout source | |
uses: actions/[email protected] | |
- name: Set up Python 3.12 for linting | |
uses: actions/[email protected] | |
with: | |
python-version: '3.12' | |
- name: Install dependencies | |
run: |- | |
python -m pip install --upgrade pip | |
python -m pip install flake8 | |
- name: Lint with flake8 | |
run: |- | |
# stop the build if there are Python syntax errors or undefined names | |
flake8 ./pyhesaff --count --select=E9,F63,F7,F82 --show-source --statistics | |
- name: Typecheck with mypy | |
run: |- | |
python -m pip install mypy | |
pip install -r requirements/runtime.txt | |
mypy --install-types --non-interactive ./pyhesaff | |
mypy ./pyhesaff | |
build_binpy_wheels: | |
## | |
# Build the binary wheels. Note: even though cibuildwheel will test | |
# them internally here, we will test them independently later in the | |
# test_binpy_wheels step. | |
## | |
name: ${{ matrix.os }}, arch=${{ matrix.arch }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
# Normally, xcookie generates explicit lists of platforms to build / test | |
# on, but in this case cibuildwheel does that for us, so we need to just | |
# set the environment variables for cibuildwheel. These are parsed out of | |
# the standard [tool.cibuildwheel] section in pyproject.toml and set | |
# explicitly here. | |
os: | |
- ubuntu-latest | |
cibw_skip: | |
- pp* cp27-* cp34-* cp35-* cp36-* *-musllinux_* | |
arch: | |
- auto | |
steps: | |
- name: Checkout source | |
uses: actions/[email protected] | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
if: runner.os == 'Linux' && matrix.arch != 'auto' | |
with: | |
platforms: all | |
- name: Build binary wheels | |
uses: pypa/[email protected] | |
with: | |
output-dir: wheelhouse | |
config-file: pyproject.toml | |
env: | |
CIBW_SKIP: ${{ matrix.cibw_skip }} | |
CIBW_ARCHS_LINUX: ${{ matrix.arch }} | |
- name: Show built files | |
shell: bash | |
run: ls -la wheelhouse | |
- name: Set up Python 3.12 to combine coverage | |
uses: actions/[email protected] | |
if: runner.os == 'Linux' | |
with: | |
python-version: '3.12' | |
- name: Combine coverage Linux | |
if: runner.os == 'Linux' | |
run: |- | |
echo '############ PWD' | |
pwd | |
cp .wheelhouse/.coverage* . || true | |
ls -al | |
python -m pip install coverage[toml] | |
echo '############ combine' | |
coverage combine . || true | |
echo '############ XML' | |
coverage xml -o ./coverage.xml || true | |
echo '### The cwd should now have a coverage.xml' | |
ls -altr | |
pwd | |
- uses: codecov/[email protected] | |
name: Codecov Upload | |
with: | |
file: ./coverage.xml | |
token: ${{ secrets.CODECOV_TOKEN }} | |
- uses: actions/[email protected] | |
name: Upload wheels artifact | |
with: | |
name: wheels | |
path: ./wheelhouse/pyhesaff*.whl | |
test_binpy_wheels: | |
## | |
# Download the previously build binary wheels from the | |
# build_binpy_wheels step, and test them in an independent | |
# environment. | |
## | |
name: ${{ matrix.python-version }} on ${{ matrix.os }}, arch=${{ matrix.arch }} with ${{ matrix.install-extras }} | |
if: "! startsWith(github.event.ref, 'refs/heads/release')" | |
runs-on: ${{ matrix.os }} | |
needs: | |
- build_binpy_wheels | |
strategy: | |
fail-fast: false | |
matrix: | |
# Xcookie generates an explicit list of environments that will be used | |
# for testing instead of using the more concise matrix notation. | |
include: | |
- python-version: '3.7' | |
install-extras: tests-strict,runtime-strict,headless-strict | |
os: ubuntu-latest | |
arch: auto | |
- python-version: '3.12' | |
install-extras: tests-strict,runtime-strict,optional-strict,headless-strict | |
os: ubuntu-latest | |
arch: auto | |
- python-version: '3.7' | |
install-extras: tests,optional,headless | |
os: ubuntu-latest | |
arch: auto | |
- python-version: '3.8' | |
install-extras: tests,optional,headless | |
os: ubuntu-latest | |
arch: auto | |
- python-version: '3.9' | |
install-extras: tests,optional,headless | |
os: ubuntu-latest | |
arch: auto | |
- python-version: '3.10' | |
install-extras: tests,optional,headless | |
os: ubuntu-latest | |
arch: auto | |
- python-version: '3.11' | |
install-extras: tests,optional,headless | |
os: ubuntu-latest | |
arch: auto | |
- python-version: '3.12' | |
install-extras: tests,optional,headless | |
os: ubuntu-latest | |
arch: auto | |
steps: | |
- name: Checkout source | |
uses: actions/[email protected] | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
if: runner.os == 'Linux' && matrix.arch != 'auto' | |
with: | |
platforms: all | |
- name: Setup Python | |
uses: actions/[email protected] | |
with: | |
python-version: ${{ matrix.python-version }} | |
- uses: actions/[email protected] | |
name: Download wheels | |
with: | |
name: wheels | |
path: wheelhouse | |
- name: Install wheel ${{ matrix.install-extras }} | |
shell: bash | |
env: | |
INSTALL_EXTRAS: ${{ matrix.install-extras }} | |
run: |- | |
echo "Finding the path to the wheel" | |
ls wheelhouse || echo "wheelhouse does not exist" | |
echo "Installing helpers" | |
pip install setuptools>=0.8 setuptools_scm wheel build -U | |
pip install tomli pkginfo | |
export WHEEL_FPATH=$(python -c "import pathlib; print(str(sorted(pathlib.Path('wheelhouse').glob('pyhesaff*.whl'))[-1]).replace(chr(92), chr(47)))") | |
export MOD_VERSION=$(python -c "from pkginfo import Wheel; print(Wheel('$WHEEL_FPATH').version)") | |
echo "$WHEEL_FPATH=WHEEL_FPATH" | |
echo "$INSTALL_EXTRAS=INSTALL_EXTRAS" | |
echo "$MOD_VERSION=MOD_VERSION" | |
pip install --prefer-binary "pyhesaff[$INSTALL_EXTRAS]==$MOD_VERSION" -f wheelhouse | |
echo "Install finished." | |
- name: Test wheel ${{ matrix.install-extras }} | |
shell: bash | |
env: | |
CI_PYTHON_VERSION: py${{ matrix.python-version }} | |
run: |- | |
echo "Creating test sandbox directory" | |
export WORKSPACE_DNAME="testdir_${CI_PYTHON_VERSION}_${GITHUB_RUN_ID}_${RUNNER_OS}" | |
echo "WORKSPACE_DNAME=$WORKSPACE_DNAME" | |
mkdir -p $WORKSPACE_DNAME | |
echo "cd-ing into the workspace" | |
cd $WORKSPACE_DNAME | |
pwd | |
ls -altr | |
# Get the path to the installed package and run the tests | |
export MOD_DPATH=$(python -c "import pyhesaff, os; print(os.path.dirname(pyhesaff.__file__))") | |
export MOD_NAME=pyhesaff | |
echo " | |
--- | |
MOD_DPATH = $MOD_DPATH | |
--- | |
running the pytest command inside the workspace | |
--- | |
" | |
python -m pytest --verbose -p pytester -p no:doctest --xdoctest --cov-config ../pyproject.toml --cov-report term --durations=100 --cov="$MOD_NAME" "$MOD_DPATH" ../tests | |
echo "pytest command finished, moving the coverage file to the repo root" | |
ls -al | |
# Move coverage file to a new name | |
mv .coverage "../.coverage.$WORKSPACE_DNAME" | |
echo "changing directory back to th repo root" | |
cd .. | |
ls -al | |
- name: Combine coverage Linux | |
if: runner.os == 'Linux' | |
run: |- | |
echo '############ PWD' | |
pwd | |
cp .wheelhouse/.coverage* . || true | |
ls -al | |
python -m pip install coverage[toml] | |
echo '############ combine' | |
coverage combine . || true | |
echo '############ XML' | |
coverage xml -o ./coverage.xml || true | |
echo '### The cwd should now have a coverage.xml' | |
ls -altr | |
pwd | |
- uses: codecov/[email protected] | |
name: Codecov Upload | |
with: | |
file: ./coverage.xml | |
token: ${{ secrets.CODECOV_TOKEN }} | |
test_deploy: | |
name: Uploading Test to PyPi | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && ! startsWith(github.event.ref, 'refs/tags') && ! startsWith(github.event.ref, 'refs/heads/release') | |
needs: | |
- build_binpy_wheels | |
steps: | |
- name: Checkout source | |
uses: actions/[email protected] | |
- uses: actions/[email protected] | |
name: Download wheels | |
with: | |
name: wheels | |
path: wheelhouse | |
- uses: actions/[email protected] | |
name: Download sdist | |
with: | |
name: sdist_wheels | |
path: wheelhouse | |
- name: Show files to upload | |
shell: bash | |
run: ls -la wheelhouse | |
- name: Sign and Publish | |
env: | |
TWINE_REPOSITORY_URL: https://test.pypi.org/legacy/ | |
TWINE_USERNAME: __token__ | |
TWINE_PASSWORD: ${{ secrets.TEST_TWINE_PASSWORD }} | |
CI_SECRET: ${{ secrets.CI_SECRET }} | |
run: |- | |
GPG_EXECUTABLE=gpg | |
$GPG_EXECUTABLE --version | |
openssl version | |
$GPG_EXECUTABLE --list-keys | |
echo "Decrypting Keys" | |
openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:CI_SECRET -d -a -in dev/ci_public_gpg_key.pgp.enc | $GPG_EXECUTABLE --import | |
openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:CI_SECRET -d -a -in dev/gpg_owner_trust.enc | $GPG_EXECUTABLE --import-ownertrust | |
openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:CI_SECRET -d -a -in dev/ci_secret_gpg_subkeys.pgp.enc | $GPG_EXECUTABLE --import | |
echo "Finish Decrypt Keys" | |
$GPG_EXECUTABLE --list-keys || true | |
$GPG_EXECUTABLE --list-keys || echo "first invocation of gpg creates directories and returns 1" | |
$GPG_EXECUTABLE --list-keys | |
VERSION=$(python -c "import setup; print(setup.VERSION)") | |
pip install twine | |
pip install urllib3 requests[security] twine | |
GPG_KEYID=$(cat dev/public_gpg_key) | |
echo "GPG_KEYID = '$GPG_KEYID'" | |
GPG_SIGN_CMD="$GPG_EXECUTABLE --batch --yes --detach-sign --armor --local-user $GPG_KEYID" | |
WHEEL_PATHS=(wheelhouse/*.whl wheelhouse/*.tar.gz) | |
WHEEL_PATHS_STR=$(printf '"%s" ' "${WHEEL_PATHS[@]}") | |
echo "$WHEEL_PATHS_STR" | |
for WHEEL_PATH in "${WHEEL_PATHS[@]}" | |
do | |
echo "------" | |
echo "WHEEL_PATH = $WHEEL_PATH" | |
$GPG_SIGN_CMD --output $WHEEL_PATH.asc $WHEEL_PATH | |
$GPG_EXECUTABLE --verify $WHEEL_PATH.asc $WHEEL_PATH || echo "hack, the first run of gpg very fails" | |
$GPG_EXECUTABLE --verify $WHEEL_PATH.asc $WHEEL_PATH | |
done | |
ls -la wheelhouse | |
pip install opentimestamps-client | |
ots stamp wheelhouse/*.whl wheelhouse/*.tar.gz wheelhouse/*.asc | |
ls -la wheelhouse | |
twine upload --username __token__ --password "$TWINE_PASSWORD" --repository-url "$TWINE_REPOSITORY_URL" wheelhouse/*.whl wheelhouse/*.tar.gz --skip-existing --verbose || { echo "failed to twine upload" ; exit 1; } | |
- uses: actions/[email protected] | |
name: Upload deploy artifacts | |
with: | |
name: deploy_artifacts | |
path: |- | |
wheelhouse/*.whl | |
wheelhouse/*.zip | |
wheelhouse/*.tar.gz | |
wheelhouse/*.asc | |
wheelhouse/*.ots | |
live_deploy: | |
name: Uploading Live to PyPi | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && (startsWith(github.event.ref, 'refs/tags') || startsWith(github.event.ref, 'refs/heads/release')) | |
needs: | |
- build_binpy_wheels | |
steps: | |
- name: Checkout source | |
uses: actions/[email protected] | |
- uses: actions/[email protected] | |
name: Download wheels | |
with: | |
name: wheels | |
path: wheelhouse | |
- uses: actions/[email protected] | |
name: Download sdist | |
with: | |
name: sdist_wheels | |
path: wheelhouse | |
- name: Show files to upload | |
shell: bash | |
run: ls -la wheelhouse | |
- name: Sign and Publish | |
env: | |
TWINE_REPOSITORY_URL: https://upload.pypi.org/legacy/ | |
TWINE_USERNAME: __token__ | |
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} | |
CI_SECRET: ${{ secrets.CI_SECRET }} | |
run: |- | |
GPG_EXECUTABLE=gpg | |
$GPG_EXECUTABLE --version | |
openssl version | |
$GPG_EXECUTABLE --list-keys | |
echo "Decrypting Keys" | |
openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:CI_SECRET -d -a -in dev/ci_public_gpg_key.pgp.enc | $GPG_EXECUTABLE --import | |
openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:CI_SECRET -d -a -in dev/gpg_owner_trust.enc | $GPG_EXECUTABLE --import-ownertrust | |
openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:CI_SECRET -d -a -in dev/ci_secret_gpg_subkeys.pgp.enc | $GPG_EXECUTABLE --import | |
echo "Finish Decrypt Keys" | |
$GPG_EXECUTABLE --list-keys || true | |
$GPG_EXECUTABLE --list-keys || echo "first invocation of gpg creates directories and returns 1" | |
$GPG_EXECUTABLE --list-keys | |
VERSION=$(python -c "import setup; print(setup.VERSION)") | |
pip install twine | |
pip install urllib3 requests[security] twine | |
GPG_KEYID=$(cat dev/public_gpg_key) | |
echo "GPG_KEYID = '$GPG_KEYID'" | |
GPG_SIGN_CMD="$GPG_EXECUTABLE --batch --yes --detach-sign --armor --local-user $GPG_KEYID" | |
WHEEL_PATHS=(wheelhouse/*.whl wheelhouse/*.tar.gz) | |
WHEEL_PATHS_STR=$(printf '"%s" ' "${WHEEL_PATHS[@]}") | |
echo "$WHEEL_PATHS_STR" | |
for WHEEL_PATH in "${WHEEL_PATHS[@]}" | |
do | |
echo "------" | |
echo "WHEEL_PATH = $WHEEL_PATH" | |
$GPG_SIGN_CMD --output $WHEEL_PATH.asc $WHEEL_PATH | |
$GPG_EXECUTABLE --verify $WHEEL_PATH.asc $WHEEL_PATH || echo "hack, the first run of gpg very fails" | |
$GPG_EXECUTABLE --verify $WHEEL_PATH.asc $WHEEL_PATH | |
done | |
ls -la wheelhouse | |
pip install opentimestamps-client | |
ots stamp wheelhouse/*.whl wheelhouse/*.tar.gz wheelhouse/*.asc | |
ls -la wheelhouse | |
twine upload --username __token__ --password "$TWINE_PASSWORD" --repository-url "$TWINE_REPOSITORY_URL" wheelhouse/*.whl wheelhouse/*.tar.gz --skip-existing --verbose || { echo "failed to twine upload" ; exit 1; } | |
- uses: actions/[email protected] | |
name: Upload deploy artifacts | |
with: | |
name: deploy_artifacts | |
path: |- | |
wheelhouse/*.whl | |
wheelhouse/*.zip | |
wheelhouse/*.tar.gz | |
wheelhouse/*.asc | |
wheelhouse/*.ots | |
release: | |
name: Create Github Release | |
if: github.event_name == 'push' && (startsWith(github.event.ref, 'refs/tags') || startsWith(github.event.ref, 'refs/heads/release')) | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
needs: | |
- live_deploy | |
steps: | |
- name: Checkout source | |
uses: actions/[email protected] | |
- uses: actions/[email protected] | |
name: Download artifacts | |
with: | |
name: deploy_artifacts | |
path: wheelhouse | |
- name: Show files to release | |
shell: bash | |
run: ls -la wheelhouse | |
- run: 'echo "Automatic Release Notes. TODO: improve" > ${{ github.workspace }}-CHANGELOG.txt' | |
- name: Tag Release Commit | |
if: (startsWith(github.event.ref, 'refs/heads/release')) | |
run: |- | |
export VERSION=$(python -c "import setup; print(setup.VERSION)") | |
git tag "v$VERSION" | |
git push origin "v$VERSION" | |
- uses: softprops/action-gh-release@v1 | |
name: Create Release | |
id: create_release | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
body_path: ${{ github.workspace }}-CHANGELOG.txt | |
tag_name: ${{ github.ref }} | |
name: Release ${{ github.ref }} | |
body: Automatic Release | |
generate_release_notes: true | |
draft: true | |
prerelease: false | |
files: |- | |
wheelhouse/*.whl | |
wheelhouse/*.asc | |
wheelhouse/*.ots | |
wheelhouse/*.zip | |
wheelhouse/*.tar.gz | |
### | |
# Unfortunately we cant (yet) use the yaml docstring trick here | |
# https://github.community/t/allow-unused-keys-in-workflow-yaml-files/172120 | |
#__doc__: | | |
# # How to run locally | |
# # https://packaging.python.org/guides/using-testpypi/ | |
# git clone https://github.com/nektos/act.git $HOME/code/act | |
# chmod +x $HOME/code/act/install.sh | |
# (cd $HOME/code/act && ./install.sh -b $HOME/.local/opt/act) | |
# | |
# load_secrets | |
# unset GITHUB_TOKEN | |
# $HOME/.local/opt/act/act \ | |
# --secret=EROTEMIC_TWINE_PASSWORD=$EROTEMIC_TWINE_PASSWORD \ | |
# --secret=EROTEMIC_TWINE_USERNAME=$EROTEMIC_TWINE_USERNAME \ | |
# --secret=EROTEMIC_CI_SECRET=$EROTEMIC_CI_SECRET \ | |
# --secret=EROTEMIC_TEST_TWINE_USERNAME=$EROTEMIC_TEST_TWINE_USERNAME \ | |
# --secret=EROTEMIC_TEST_TWINE_PASSWORD=$EROTEMIC_TEST_TWINE_PASSWORD |