ci: attestation of build provenance #41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Run this workflow to test Python code changes. | |
| name: 🎨 poetry (push) | |
| on: | |
| push: | |
| branches: [main] | |
| tags: [v*] | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/poetry | |
| with: | |
| command: lint | |
| groups: main,build,test,lint | |
| test: | |
| strategy: | |
| matrix: | |
| py: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/cargo | |
| with: | |
| command: install dicom-storescp | |
| - uses: ./.github/actions/poetry | |
| with: | |
| command: test --error-for-skips | |
| groups: main,build,test | |
| python-version: ${{ matrix.py }} | |
| - if: always() | |
| name: Upload coverage reports to codecov.io | |
| uses: codecov/codecov-action@v4 | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| check: | |
| outputs: | |
| release: ${{ steps.check.outputs.release }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/poetry | |
| with: | |
| artifacts: "" | |
| command: check-for-prerelease | |
| - id: check | |
| run: printf 'release=%s\n' "$(cat check-for-prerelease.out)" | |
| release: | |
| if: needs.check.outputs.release == 'true' | |
| needs: | |
| - lint | |
| - test | |
| - check | |
| outputs: | |
| new: ${{ steps.semantic-release.outputs.released }} | |
| version: ${{ steps.semantic-release.outputs.version }} | |
| permissions: | |
| id-token: write | |
| contents: write | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| fetch-tags: true | |
| - id: semantic-release | |
| uses: python-semantic-release/[email protected] | |
| with: | |
| commit: false | |
| github_token: ${{ github.token }} | |
| prerelease: true | |
| root_options: --strict -vv | |
| docs: | |
| if: needs.check.outputs.release != 'true' | |
| needs: | |
| - lint | |
| - test | |
| - check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| fetch-tags: true | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: lint-docs-py3.12 | |
| path: docs | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: test-docs-py3.12 | |
| path: docs | |
| - uses: ./.github/actions/poetry | |
| with: { artifacts: "", command: setup-versioning } | |
| - uses: ./.github/actions/poetry | |
| with: { artifacts: "", command: dynamic-versioning } | |
| - uses: ./.github/actions/poetry | |
| with: | |
| artifacts: "" | |
| command: docs | |
| - name: Fix permissions | |
| run: | | |
| chmod -c -R +rX "docs/" | while read -r line; do | |
| echo "::warning title=Invalid file permissions automatically fixed::$line" | |
| done | |
| - name: Upload Pages artifact | |
| uses: actions/upload-pages-artifact@v3 | |
| with: | |
| name: github-pages | |
| path: docs | |
| deploy: | |
| if: needs.check.outputs.release != 'true' | |
| environment: | |
| name: GitHub Pages | |
| url: ${{ steps.deploy.outputs.page_url }} | |
| needs: | |
| - check | |
| - docs | |
| permissions: | |
| pages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - id: deploy | |
| uses: actions/deploy-pages@v4 | |
| with: | |
| artifact_name: github-pages | |
| build: | |
| # ref: https://github.com/pydantic/pydantic-core/blob/ba8eab4acba8ad04c45f27a58a5d001c8f212361/.github/workflows/ci.yml#L395-L499 | |
| env: | |
| INTERPRETER: ${{ matrix.interpreter || '3.8 3.9 3.10 3.11 3.12 3.13 pypy3.9 pypy3.10' }} | |
| MANY_LINUX: ${{ contains('linux', matrix.os) && ( matrix.manylinux || 'auto' ) || null }} | |
| OS: ${{ matrix.os || 'linux' }} | |
| name: build ${{ matrix.os }} ${{ matrix.manylinux }} ${{ matrix.target }} | |
| runs-on: ${{ contains('linux', matrix.os) && 'ubuntu' || matrix.os }}-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [macos, linux] # default: linux | |
| manylinux: [auto, musllinux_1_1, musllinux_1_2] # default: 'auto' if linux, or 'null' otherwise | |
| python-architecture: [x64] # default: 'x64' | |
| target: [x86_64, aarch64] | |
| # prettier-ignore | |
| exclude: | |
| - { os: macos, manylinux: musllinux_1_1 } | |
| - { os: macos, manylinux: musllinux_1_2 } | |
| - { os: windows, target: aarch64 } | |
| # prettier-ignore | |
| include: | |
| # manylinux for various platforms | |
| - { os: linux, target: i686 } | |
| - { os: linux, target: armv7, interpreter: 3.8 3.9 3.10 3.11 3.12 3.13 pypy3.9 pypy3.10 } | |
| - { os: linux, target: ppc64le, interpreter: 3.8 3.9 3.10 3.11 3.12 3.13 pypy3.9 pypy3.10 } | |
| - { os: linux, target: s390x, interpreter: 3.8 3.9 3.10 3.11 3.12 3.13 pypy3.9 pypy3.10 } | |
| # windows | |
| # TODO: build py3.13 | |
| - { os: windows, target: i686, interpreter: 3.8 3.9 3.10 3.11 3.12, python-architecture: x86 } | |
| - { os: windows, target: x86, interpreter: 3.8 3.9 3.10 3.11 3.12, python-architecture: x86 } | |
| - { os: windows, target: x86_64, interpreter: 3.8 3.9 3.10 3.11 3.12 } | |
| - { os: windows, target: x64, interpreter: 3.8 3.9 3.10 3.11 3.12 } | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| fetch-tags: true | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.x | |
| - uses: ./.github/actions/poetry | |
| with: { artifacts: "", command: setup-versioning, groups: build } | |
| - uses: ./.github/actions/poetry | |
| with: { artifacts: "", command: dynamic-versioning, groups: build } | |
| - uses: PyO3/maturin-action@v1 | |
| with: | |
| args: --release --out dist --interpreter ${{ env.INTERPRETER }} | |
| manylinux: ${{ env.MANY_LINUX }} | |
| rust-toolchain: stable | |
| sccache: "true" | |
| target: ${{ matrix.target }} | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-${{ env.OS }}-${{ env.MANY_LINUX }}-${{ matrix.target }} | |
| path: dist | |
| sdist: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| fetch-tags: true | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.x | |
| - uses: ./.github/actions/poetry | |
| with: { artifacts: "", command: setup-versioning, groups: build } | |
| - uses: ./.github/actions/poetry | |
| with: { artifacts: "", command: dynamic-versioning, groups: build } | |
| - uses: PyO3/maturin-action@v1 | |
| with: | |
| command: sdist | |
| args: --out dist | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-sdist | |
| path: dist | |
| upload-assets: | |
| if: github.ref_type == 'tag' | |
| needs: [build, docs, sdist] | |
| permissions: | |
| attestations: write | |
| contents: write | |
| id-token: write | |
| packages: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: dist | |
| pattern: build-* | |
| merge-multiple: true | |
| - id: attestation | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: dist/* | |
| - env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: gh release upload ${{ github.ref_name }} dist/* ${{ steps.attestation.outputs.bundle-path }} | |
| test-pypi: | |
| environment: | |
| name: test.pypi.org | |
| url: https://test.pypi.org/p/dicom-echo | |
| if: github.ref_type == 'tag' | |
| needs: | |
| - check | |
| - lint | |
| - test | |
| - build | |
| - sdist | |
| permissions: | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: dist | |
| pattern: build-* | |
| merge-multiple: true | |
| - uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| repository-url: https://test.pypi.org/legacy/ | |
| pypi: | |
| environment: | |
| name: pypi.org | |
| url: https://pypi.org/p/dicom-echo | |
| if: github.ref_type == 'tag' | |
| needs: | |
| - test-pypi | |
| permissions: | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: dist | |
| pattern: build-* | |
| merge-multiple: true | |
| - uses: pypa/gh-action-pypi-publish@release/v1 |