Skip to content

Commit

Permalink
feat: add release automation (oscal-compass#28)
Browse files Browse the repository at this point in the history
Signed-off-by: Takumi Yanagawa <[email protected]>
  • Loading branch information
yana1205 committed Aug 28, 2024
1 parent b8fc4d9 commit 952b139
Show file tree
Hide file tree
Showing 5 changed files with 274 additions and 35 deletions.
38 changes: 38 additions & 0 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.

name: publish

on:
workflow_dispatch:
inputs:
release-tag:
type: string
required: true
description: Git tag of the istribution to be published
jobs:
publish-to-pypi:
name: Publish to PyPI
runs-on: ubuntu-latest

environment:
name: pypi
url: https://pypi.org/p/compliance-to-policy

permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing

steps:
- name: Download the distributions from release
run: gh release download ${{ github.event.inputs.release-tag }} -D dist -p '*.tar.gz' -p '*.whl'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.REPOSITORY }}
- name: Publish distribution 📦 to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
143 changes: 143 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.

name: release

on:
workflow_dispatch:

jobs:
build:
name: Build with semantic versioning
runs-on: ubuntu-latest
outputs:
release-tag: ${{ steps.release.outputs.tag }}
release-version: ${{ steps.release.outputs.version }}
permissions:
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Python Semantic Release
id: release
uses: python-semantic-release/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Check release
if: steps.release.outputs.released == 'false'
run: |
echo 'No release will be made since there are no release commits. See also Commit Parsers configuration.'
exit 1
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install build tools
run: |
make install-dev
- name: Build
run: |
make build
- name: Store the distribution packages
uses: actions/upload-artifact@v3
with:
name: python-package-distributions
path: dist/

publish-to-github:
name: Publish to GitHub
needs:
- build
runs-on: ubuntu-latest

permissions:
contents: write
packages: write
id-token: write # IMPORTANT: mandatory for trusted publishing

steps:
- name: Download all the dists
uses: actions/download-artifact@v3
with:
name: python-package-distributions
path: dist/
- name: Sign the dists with Sigstore
uses: sigstore/[email protected]
with:
inputs: |
./dist/*.tar.gz
./dist/*.whl
- name: Upload package distributions to GitHub Releases
run: gh release upload ${{needs.build.outputs.release-tag}} ./dist/*
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.REPOSITORY }}

publish-to-testpypi:
name: Publish to TestPyPI
needs:
- build
- publish-to-github
runs-on: ubuntu-latest

environment:
name: testpypi
url: https://pypi.org/p/compliance-to-policy

permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing

steps:
- name: Download the distributions from release
run: gh release download ${{needs.build.outputs.release-tag}} -D dist -p '*.tar.gz' -p '*.whl'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.REPOSITORY }}
- name: Publish distribution 📦 to TestPyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/

test:
name: Integration Test
needs:
- build
- publish-to-testpypi
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{needs.build.outputs.release-tag}}
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install
run: |
version=${{needs.build.outputs.release-version}}
version=${version/-rc./rc}
count=0
while :; do
count=$(($count+1))
echo "Check if ${version} is available or not ...$count"
if pip index versions -i https://test.pypi.org/simple/ compliance-to-policy | grep ${version};then
break
fi
[[ "$count" -gt 5 ]] && echo "Not found ${version}" && exit 1
sleep 5
done
pip index versions -i https://test.pypi.org/simple/ compliance-to-policy | grep ${version}
pip install -i https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple compliance-to-policy==${version}
pip install pytest
- name: Run test
run: make it
44 changes: 44 additions & 0 deletions .github/workflows/validate.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.

name: validate

on:
pull_request_target:
types:
- opened
- edited
- synchronize
branches:
- 'main'

jobs:
validate:
name: Validate
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install for develompemnt
run: |
make install-dev
- name: Unit Test
run: |
make test
- name: Build
run: |
make build
- name: Integration Test
run: |
pip install ./dist/*.tar.gz
make it
74 changes: 39 additions & 35 deletions Makefile
Original file line number Diff line number Diff line change
@@ -1,57 +1,61 @@
PYTHON := $(shell pwd)/.venv/bin/python
.PHONY: build
build:
python -m build

.venv:
@echo Please create venv firstly
.PHONY: install
install:
python -m pip install .

build: .venv
@$(PYTHON) -m build
.PHONY: install-dev
install-dev:
python -m pip install ".[dev]"

install: .venv
@$(PYTHON) -m pip install .
.PHONY: uninstall
uninstall:
python -m pip uninstall compliance-to-policy

install-dev: .venv
@$(PYTHON) -m pip install ".[dev]"
.PHONY: format
format:
python -m isort .
python -m black .

uninstall: .venv
@$(PYTHON) -m pip uninstall compliance-to-policy


format: .venv
@$(PYTHON) -m isort .
@$(PYTHON) -m black .

lint: .venv
@$(PYTHON) -m pylint ./c2p ./tests
.PHONY: lint
lint:
python -m pylint ./c2p ./tests

.PHONY: docs
docs: .venv
@$(PYTHON) -m mkdocs build
docs:
python -m mkdocs build

.PHONY: gh-pages
gh-pages: .venv
@$(PYTHON) -m mkdocs gh-deploy
gh-pages:
python -m mkdocs gh-deploy

# make test ARGS="-n 2 --dist loadscope --log-cli-level DEBUG" TARGET="tests/c2p/test_cli.py"
# TODO: -n 2 (pytest-xdist plugin) results in no logs displayed.
.PHONY: test
test: ARGS ?=
test: TARGET ?= tests/
test: .venv test-plugin
test: test-plugin
@OUTPUT_PATH=/dev/null $(PYTHON) -m pytest $(ARGS) $(TARGET)

.PHONY: test-plugin
test-plugin: ARGS ?=
test-plugin: TARGET ?= plugins_public/tests/
test-plugin: .venv
test-plugin:
@OUTPUT_PATH=/dev/null $(PYTHON) -m pytest $(ARGS) $(TARGET)

# After published, the branch must be merged first-forwardly. TODO: Integrate with CI
publish: GIT_TAG ?=
publish:
@toml set --toml-path pyproject.toml project.version $(GIT_TAG)
@git add pyproject.toml
@git commit -S -s -m "update version to $(GIT_TAG)"
@git tag $(GIT_TAG)

clean: .venv
.PHONY: it
it:
python samples_public/kyverno/compliance_to_policy.py
python samples_public/kyverno/result_to_compliance.py
python samples_public/ocm/compliance_to_policy.py
python samples_public/ocm/result_to_compliance.py
python samples_public/auditree/compliance_to_policy.py
python samples_public/auditree/result_to_compliance.py

.PHONY: clean
clean:
@rm -rf build *.egg-info dist
@find ./plugins -type d \( -name '*.egg-info' -o -name 'dist' \) | while read x; do echo $$x; rm -r $$x ; done
@$(PYTHON) -m pyclean -v .
python -m pyclean -v .
10 changes: 10 additions & 0 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -88,3 +88,13 @@ disable = ["W1203", "W1201"]

[tool.pylint.format]
max-line-length = 120

[tool.semantic_release]
version_toml = ["pyproject.toml:project.version"]
commit_message = "{version}\n\nAutomatically generated by python-semantic-release"

[tool.semantic_release.remote.token]
env = "GITHUB_TOKEN"

[tool.semantic_release.publish]
upload_to_vcs_release = false

0 comments on commit 952b139

Please sign in to comment.