release.yaml
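---
# Release workflow: on a published GitHub release, build the package, publish
# it to PyPI, sign the built artifacts with Sigstore and attach the signature
# bundles to the release.
#
# NOTE(review): every `uses:` below references a mutable tag. This job holds
# `id-token: write` and `contents: write`, so pinning each action to a full
# commit SHA (`owner/action@<full-commit-sha>  # vX.Y.Z`) keeps a retagged
# action release from changing what runs here.
name: Release

# yamllint disable-line rule:truthy
on:
  release:
    types:
      - published

env:
  DEFAULT_PYTHON: "3.13"

jobs:
  release:
    name: Releasing to PyPi
    runs-on: ubuntu-latest
    environment:
      name: release
      url: https://pypi.org/p/python-bsblan
    permissions:
      # Needed by `gh release upload` to attach assets to the release.
      contents: write
      # Needed to request an OIDC token: Sigstore signing uses it, and the
      # publish step passes no API token (presumably PyPI trusted publishing).
      id-token: write
    steps:
      - name: ⤵️ Check out code from GitHub
        uses: actions/checkout@v6.0.2
        with:
          # No later step pushes with git, so keep the job token out of
          # .git/config while dependency install and build code run.
          persist-credentials: false
      - name: 🏗 Set up uv
        uses: astral-sh/setup-uv@v7
        with:
          # NOTE(review): a restored cache is an input to the release build;
          # consider disabling caching in this publishing job.
          enable-cache: true
      - name: 🏗 Set up Python ${{ env.DEFAULT_PYTHON }}
        id: python
        uses: actions/setup-python@v6.2.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON }}
      - name: 🏗 Install dependencies
        run: uv sync
      - name: 🏗 Set package version
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the tag name is never parsed as shell code.
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          # Lower-case the tag and drop a leading "v" to get the version.
          version="${RELEASE_TAG,,}"
          version="${version#v}"
          # The value is spliced into a sed replacement below; accept only
          # characters that are inert there (enough for PEP 440 versions).
          allowed='^[0-9a-z.!+_-]+$'
          if [[ ! "$version" =~ $allowed ]]; then
            echo "Error: tag '${RELEASE_TAG}' does not yield a usable version." >&2
            exit 1
          fi
          # Rewrite only the first `version = "..."` line in pyproject.toml.
          sed -i '0,/version = ".*"/{s/version = ".*"/version = "'"${version}"'"/}' pyproject.toml
      - name: 🏗 Build package
        run: uv build
      - name: 🚀 Publish to PyPi
        uses: pypa/gh-action-pypi-publish@v1.14.0
        with:
          verbose: true
          print-hash: true
      - name: ✍️ Sign published artifacts
        uses: sigstore/gh-action-sigstore-python@v3.3.0
        with:
          inputs: ./dist/*.tar.gz ./dist/*.whl
          release-signing-artifacts: false
      # Presence and readability check only: this step does not
      # cryptographically verify the Sigstore bundles.
      - name: 🔍 Verify signature files
        run: |
          # Retry mechanism for file system sync
          max_retries=5
          retry_delay=2
          retries=0
          while [ "$retries" -lt "$max_retries" ]; do
            echo "Checking for signature files (attempt $((retries + 1))/$max_retries)..."
            # find exits 0 even when nothing matches, so test its output
            # rather than its status; a find error counts as "not ready".
            found=$(find ./dist -name "*.sigstore.json" -type f) || found=""
            if [ -n "$found" ]; then
              find ./dist -name "*.sigstore.json" -type f -exec echo "Found: {}" \; -exec ls -la {} \;
              echo "Signature files found and listed."
              break
            fi
            echo "Files not ready, retrying in $retry_delay seconds..."
            sleep "$retry_delay"
            retries=$((retries + 1))
          done
          if [ "$retries" -eq "$max_retries" ]; then
            echo "Error: Signature files not found after $max_retries attempts."
            exit 1
          fi
          # Ensure files are not locked or being written to
          for file in ./dist/*.sigstore.json; do
            if [ -f "$file" ]; then
              echo "Checking file: $file"
              # Test file readability (informational; enforced by the poll below)
              cat "$file" > /dev/null && echo "✓ File is readable" || echo "✗ File read error"
              # Flush pending writes to disk
              sync
            fi
          done
          # Poll for file system operations to complete
          max_wait_time=30
          wait_interval=2
          waited_time=0
          while [ "$waited_time" -lt "$max_wait_time" ]; do
            all_files_ready=true
            for file in ./dist/*.sigstore.json; do
              if [ -f "$file" ]; then
                # Test file readability
                if ! cat "$file" > /dev/null; then
                  echo "File $file is not readable yet."
                  all_files_ready=false
                  break
                fi
              else
                echo "File $file does not exist yet."
                all_files_ready=false
                break
              fi
            done
            if [ "$all_files_ready" = true ]; then
              echo "All files are ready."
              break
            fi
            echo "Waiting for files to be ready..."
            sleep "$wait_interval"
            waited_time=$((waited_time + wait_interval))
          done
          if [ "$waited_time" -ge "$max_wait_time" ]; then
            echo "Error: Files not ready after $max_wait_time seconds."
            exit 1
          fi
      - name: 📋 List signature files explicitly
        id: list-files
        run: |
          # Multi-line output: the file list must itself be written to
          # $GITHUB_OUTPUT between the delimiter lines, otherwise
          # `signature_files` is empty.
          {
            echo "signature_files<<EOF"
            find ./dist -name "*.sigstore.json" -type f
            echo "EOF"
          } >> "$GITHUB_OUTPUT"
          # Also create a space-separated list for the upload action
          FILES=$(find ./dist -name "*.sigstore.json" -type f | tr '\n' ' ')
          echo "files_list=$FILES" >> "$GITHUB_OUTPUT"
          echo "Found files: $FILES"
      - name: 📤 Upload signature files to release
        if: github.event_name == 'release' && github.event.action == 'published'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Read from the environment and quoted below, so the tag name is
          # treated as one argument and never as shell syntax.
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          # Upload files individually to avoid Node.js file handle issues
          for file in ./dist/*.sigstore.json; do
            if [ -f "$file" ]; then
              echo "Uploading $file..."
              # Use GitHub CLI for more reliable uploads; test the command
              # directly so the failure message is printed before exiting.
              if ! gh release upload "$RELEASE_TAG" "$file" --clobber; then
                echo "✗ Failed to upload $file" >&2
                exit 1
              fi
              echo "✓ Uploaded $file"
              sleep 1  # Small delay between uploads
            fi
          done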