ci: add bump file

.github/workflows/bump.yml

@@ -0,0 +1,101 @@
+name: Bump
+
+on:
+  workflow_dispatch:
+    inputs:
+      bump_type:
+        description: 'Type of bump to perform'
+        required: true
+        default: 'beta'
+        type: choice
+        options:
+          - beta
+          - stable
+
+jobs:
+  check-and-bump:
+    environment: production
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check current commit
+        run: |
+          COMMIT_MSG=$(git log --format=%B -n 1)
+          echo "Checking commit message: $COMMIT_MSG"
+          if [[ $COMMIT_MSG == bump:* ]]; then
+            echo "Current commit is a bump, skipping"
+            exit 0
+          fi
+
+      - name: Determine bump type
+        id: bump-type
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "type=${{ inputs.bump_type }}" >> $GITHUB_OUTPUT
+          else
+            echo "type=beta" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install hatch
+        run: pip install hatch
+
+      - name: Configure Git
+        run: |
+          git config --global user.name 'safety-bot'
+          git config --global user.email '[email protected]'
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.SAFETY_BOT_GPG_KEY }}
+          passphrase: ${{ secrets.SAFETY_BOT_GPG_PASSPHRASE }}
+          git_config_global: true
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          git_tag_gpgsign: true
+
+      - name: Get current version
+        id: current-version
+        run: |
+          CURRENT_VERSION=$(hatch version)
+          echo "version -> $CURRENT_VERSION"
+          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          
+          if [[ $CURRENT_VERSION =~ .*b[0-9]+$ ]]; then
+            echo "is_beta=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_beta=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Perform version bump
+        id: version-bump
+        run: |
+          if [ "${{ steps.bump-type.outputs.type }}" = "stable" ]; then
+            COMMAND="hatch run bump"
+          else
+            # For beta, only proceed if current version is not beta
+            if [ "${{ steps.current-version.outputs.is_beta }}" = "true" ]; then
+              echo "Current version is already beta, skipping bump"
+              echo "bumped=false" >> $GITHUB_OUTPUT
+              exit 0
+            fi
+            COMMAND="hatch run beta-bump"
+          fi
+
+          # Execute the command
+          if $COMMAND; then
+            echo "bumped=true" >> $GITHUB_OUTPUT
+          else
+            echo "bumped=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Push changes
+        if: steps.version-bump.outputs.bumped == 'true'
+        run: |
+          git push --follow-tags

.github/workflows/cd.yml

@@ -0,0 +1,101 @@
+on:
+  schedule:
+    # Monday at 9 AM UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch:  # Manual trigger for emergency releases
+
+jobs:
+  ci:
+    uses: ./.github/workflows/ci.yml
+  release:
+    needs: ci
+
+
+
+
+    # Release steps
+
+    build-binaries:
+      needs: test
+      runs-on: ${{ matrix.os }}
+
+      strategy:
+        matrix:
+          os: [ 'windows-latest', 'ubuntu-20.04', 'macos-latest' ]
+      env:
+        BINARY_OS: '${{ matrix.os }}'
+      steps:
+        - uses: actions/checkout@v4
+        - name: Set up Python
+          uses: actions/setup-python@v5
+          with:
+            python-version: '3.13'
+        - name: Install Dependencies
+          run: python binaries.py install
+        - name: Test Safety
+          run: python binaries.py test
+        - name: Producing Binaries
+          run: python binaries.py dist
+        - uses: actions/upload-artifact@v4
+          if: ${{ matrix.os == 'windows-latest' }}
+          with:
+            name: safety-win-i686.exe
+            path: dist/safety-win-i686.exe
+            if-no-files-found: error
+        - uses: actions/upload-artifact@v4
+          if: ${{ matrix.os == 'windows-latest' }}
+          with:
+            name: safety-win-x86_64.exe
+            path: dist/safety-win-x86_64.exe
+            if-no-files-found: error
+        - uses: actions/upload-artifact@v4
+          if: ${{ matrix.os == 'ubuntu-20.04' }}
+          with:
+            name: safety-linux-x86_64
+            path: dist/safety-linux-x86_64
+            if-no-files-found: error
+        - uses: actions/upload-artifact@v4
+          if: ${{ matrix.os == 'macos-latest' }}
+          with:
+            name: safety-macos-x86_64
+            path: dist/safety-macos-x86_64
+            if-no-files-found: error
+
+
+    deploy-pypi:
+      if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+      needs: build-binaries
+      name: Upload release to PyPI
+      runs-on: ubuntu-latest
+      environment:
+        name: pypi
+        url: https://pypi.org/p/safety
+      permissions:
+        id-token: write  # Required for trusted publishing
+      steps:
+        - uses: actions/checkout@v4
+        - name: Set up Python
+          uses: actions/setup-python@v4
+          with:
+            python-version: '3.10'
+        - name: Install dependencies
+          run: |
+            python -m pip install --upgrade pip
+            pip install build
+        - name: Build package
+          run: python -m build
+        - name: Publish package distributions to PyPI
+          uses: pypa/gh-action-pypi-publish@release/v1
+
+    create-gh-release:
+      needs: deploy-pypi
+      runs-on: ubuntu-20.04
+      if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+      permissions:
+        contents: write
+      steps:
+        - uses: actions/checkout@v2
+        - uses: ncipollo/release-action@v1
+          with:
+            artifacts: "dist/*"
+            draft: True    

.github/workflows/release.yml

@@ -0,0 +1,47 @@
+# .github/workflows/release.yml
+name: Release
+
+on:
+  schedule:
+    - cron: "0 0 * * 0"  # Weekly on Sunday
+  workflow_dispatch:
+
+jobs:
+  check-and-bump:
+    runs-on: ubuntu-latest
+    outputs:
+      bumped: ${{ steps.bump.outputs.bumped }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+
+      - name: Install hatch
+        run: pip install hatch
+
+      - name: Version bump
+        id: bump
+        run: |
+          if hatch bump; then
+            echo "bumped=true" >> $GITHUB_OUTPUT
+          else
+            echo "bumped=false" >> $GITHUB_OUTPUT
+          fi
+          
+      - name: Push changes
+        if: steps.bump.outputs.bumped == 'true'
+        run: |
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+          git push
+
+  release:
+    needs: check-and-bump
+    if: needs.check-and-bump.outputs.bumped == 'true'
+    uses: ./.github/workflows/reusable-release.yml
+    secrets: inherit

.github/workflows/reusable-release.yml

@@ -0,0 +1,62 @@
+# .github/workflows/reusable-release.yml
+name: Release Package
+
+on:
+  workflow_call:
+    secrets:
+      PYPI_TOKEN:
+        required: true
+      SLACK_WEBHOOK:
+        required: true
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build
+        uses: ./.github/workflows/reusable-build.yml
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: dist
+          path: dist/
+
+      - name: Check version type
+        id: version-check
+        run: |
+          VERSION=$(hatch version)
+          if [[ $VERSION =~ .*[ab][0-9]+$ ]]; then
+            echo "is_prerelease=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_prerelease=false" >> $GITHUB_OUTPUT
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: dist/*
+          tag_name: v${{ steps.version-check.outputs.version }}
+          prerelease: ${{ steps.version-check.outputs.is_prerelease }}
+          generate_release_notes: true
+
+      - name: Publish to PyPI
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+        run: |
+          pip install twine
+          twine upload dist/*
+          
+      - name: Notify Slack
+        uses: slackapi/[email protected]
+        with:
+          payload: |
+            {
+              "text": "🚀 New release: ${{ steps.version-check.outputs.version }}\nType: ${{ steps.version-check.outputs.is_prerelease == 'true' && 'Beta' || 'Stable' }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

pyproject.toml

@@ -124,8 +124,8 @@ dependencies = [
 
 # Common scripts used across environments
 [tool.hatch.envs.default.scripts]
-bump = "cz bump --check-consistency --yes && cz changelog --merge-prerelease"
-beta-bump = "cz bump -pr beta --check-consistency --yes && cz changelog --merge-prerelease"
+bump = "cz bump --check-consistency --yes --changelog --gpg-sign --annotated-tag --annotated-tag-message 'Version $(hatch version)'"
+beta-bump = "cz bump -pr beta --check-consistency --yes --changelog --gpg-sign --annotated-tag --annotated-tag-message 'Version $(hatch version)'"
 local-bump = "cz bump {args} --files-only --yes"
 binary-dist = "python --version && python -m PyInstaller safety.spec {args}"