Skip to content

feat: lock file while read, write and refresh token #1529

feat: lock file while read, write and refresh token

feat: lock file while read, write and refresh token #1529

Workflow file for this run

name: Deployment
on:
push:
pull_request:
schedule:
- cron: '0 10 * * *'
workflow_dispatch:
inputs:
check-ci:
description: "Require the CI to have passed for this commit"
required: true
default: "yes"
version:
description: "Override the release version number (e.g. 8.0.0a5)"
jobs:
deploy-pypi:
name: PyPI deployment
runs-on: "ubuntu-latest"
if: github.event_name != 'push' || github.repository == 'DIRACGrid/diracx'
outputs:
new-version: ${{ steps.check-tag.outputs.new-version }}
create-release: ${{ steps.check-tag.outputs.create-release }}
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing on pypi
actions: write
checks: write
contents: write
deployments: write
discussions: write
issues: write
packages: write
pages: write
pull-requests: write
repository-projects: write
security-events: write
statuses: write
defaults:
run:
# We need extglob for REFERENCE_BRANCH substitution
shell: bash -l -O extglob {0}
steps:
- uses: actions/checkout@v4
with:
token: ${{ github.token }}
- run: |
git fetch --prune --unshallow
git config --global user.email "[email protected]"
git config --global user.name "DIRACGrid CI"
- uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Installing dependencies
run: |
python -m pip install \
build \
python-dateutil \
pytz \
readme_renderer[md] \
requests \
setuptools_scm
- name: Validate README for PyPI
run: |
python -m readme_renderer README.md -o /tmp/README.html
- name: Prepare release notes
run: |
set -xeuo pipefail
IFS=$'\n\t'
# Needed for the advanced patter matching used in REFERENCE_BRANCH
PREV_VERSION=$(git describe --tags --abbrev=0)
# In case of manual trigger,
# GITHUB_REF is of the form refs/heads/main -> we want main
# In case of PR it is of the form refs/pull/59/merge -> we want pull/59/merge
REFERENCE_BRANCH=${GITHUB_REF##refs*(/heads)/}
echo "Making release notes for ${REFERENCE_BRANCH} since ${PREV_VERSION}"
(git log ${PREV_VERSION}...${REFERENCE_BRANCH} --oneline --no-merges --) > release.notes.new
cat release.notes.new
- name: Create tag if required
id: check-tag
run: |
set -xeuo pipefail
IFS=$'\n\t'
# Only do a real release for workflow_dispatch events
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
echo "Will create a real release"
export NEW_VERSION="v${{ github.event.inputs.version }}"
if [[ "${NEW_VERSION}" == "v" ]]; then
# If version wasn't given as an input to the workflow, use setuptools_scm to guess while removing "dev" portion of the version number
NEW_VERSION=v$(python -m setuptools_scm | sed 's@Guessed Version @@g' | sed -E 's@(\.dev|\+g).+@@g')
export NEW_VERSION
fi
echo "Release will be named $NEW_VERSION"
# Validate the version
# Ensure the version doesn't look like a PEP-440 "dev release" (which might happen if the automatic version bump has issues)
python -c $'from packaging.version import Version; v = Version('"'$NEW_VERSION'"$')\nif v.is_devrelease:\n raise ValueError(v)'
# Make sure we always only create pre-releases
python -c $'from packaging.version import Version; v = Version('"'$NEW_VERSION'"$')\nif not v.is_prerelease:\n raise ValueError("integration should only be used for pre-releases")'
# Commit the release notes
mv release.notes release.notes.old
cat release.notes.old
(echo -e "[${NEW_VERSION}]" && cat release.notes.new release.notes.old) > release.notes
###################3
# TODO: we should add the release notes somewhere at some point
# now we just don't do it because main branch is protected
# and we can't push directly from the CI
#git add release.notes
#git commit -m "docs: Add release notes for $NEW_VERSION"
# Stash is mandatory not to leave the repo dirty
git stash
########################
git show
# Create the tag
git tag "$NEW_VERSION"
echo "create-release=true" >> $GITHUB_OUTPUT
echo "new-version=$NEW_VERSION" >> $GITHUB_OUTPUT
fi
- name: Build distributions
run: |
for pkg_dir in $PWD/diracx-*; do
echo "Building $pkg_dir"
python -m build --outdir $PWD/dist $pkg_dir
done
# Also build the diracx metapackage
python -m build --outdir $PWD/dist .
- name: 'Upload Artifact'
uses: actions/upload-artifact@v4
with:
name: diracx-whl
path: dist/diracx*.whl
retention-days: 5
- name: Make release on GitHub
if: steps.check-tag.outputs.create-release == 'true'
run: |
set -e
export NEW_VERSION=${{ steps.check-tag.outputs.new-version }}
REFERENCE_BRANCH=${GITHUB_REF##refs*(/heads)/}
echo "Pushing tagged release notes to ${REFERENCE_BRANCH}"
git push "origin" "${REFERENCE_BRANCH}"
echo "Making GitHub release for ${NEW_VERSION}"
.github/workflows/make_release.py \
--repo="${{ github.repository }}" \
--token="${{ secrets.GITHUB_TOKEN }}" \
--version="${NEW_VERSION}" \
--rev="$(git rev-parse HEAD)" \
--release-notes-fn="release.notes.new"
# Use trusted publisher for pypi
# https://docs.pypi.org/trusted-publishers/
- name: Publish package on PyPI
if: steps.check-tag.outputs.create-release == 'true'
uses: pypa/gh-action-pypi-publish@release/v1
docker:
needs: deploy-pypi
timeout-minutes: 30
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Download diracx wheels
uses: actions/download-artifact@v4
with:
name: diracx-whl
- name: "Find wheels"
id: find_wheel
run: |
# We need to copy them there to be able to access them in the RUN --mount
cp diracx*.whl containers/client/
cp diracx*.whl containers/services/
for wheel_fn in *.whl; do
pkg_name=$(basename "${wheel_fn}" | cut -d '-' -f 1)
echo "${pkg_name}-wheel-name=$(ls "${pkg_name}"-*.whl)" >> $GITHUB_OUTPUT
done
- name: Build and push client (release)
uses: docker/build-push-action@v6
if: ${{ needs.deploy-pypi.outputs.create-release == 'true' }}
with:
context: containers/client/
push: ${{ needs.deploy-pypi.outputs.create-release == 'true' }}
tags: "ghcr.io/diracgrid/diracx/client:${{ needs.deploy-pypi.outputs.new-version }}"
platforms: linux/amd64,linux/arm64
build-args: EXTRA_PACKAGES_TO_INSTALL=DIRAC~=9.0.0a1
- name: Build and push services (release)
uses: docker/build-push-action@v6
if: ${{ needs.deploy-pypi.outputs.create-release == 'true' }}
with:
context: containers/services/
push: ${{ needs.deploy-pypi.outputs.create-release == 'true' }}
tags: "ghcr.io/diracgrid/diracx/services:${{ needs.deploy-pypi.outputs.new-version }}"
platforms: linux/amd64,linux/arm64
build-args: EXTRA_PACKAGES_TO_INSTALL=DIRAC~=9.0.0a1
- name: Build and push client (dev)
uses: docker/build-push-action@v6
with:
context: containers/client/
push: ${{ github.event_name != 'pull_request' && github.repository == 'DIRACGrid/diracx' && github.ref_name == 'main' }}
tags: ghcr.io/diracgrid/diracx/client:dev
platforms: linux/amd64,linux/arm64
build-args: |
EXTRA_PACKAGES_TO_INSTALL=git+https://github.com/DIRACGrid/DIRAC.git@integration
- name: Build and push services (dev)
uses: docker/build-push-action@v6
with:
context: containers/services/
push: ${{ github.event_name != 'pull_request' && github.repository == 'DIRACGrid/diracx' && github.ref_name == 'main' }}
tags: ghcr.io/diracgrid/diracx/services:dev
platforms: linux/amd64,linux/arm64
build-args: |
EXTRA_PACKAGES_TO_INSTALL=git+https://github.com/DIRACGrid/DIRAC.git@integration