Safety check tag match version #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deployment | |
| on: | |
| push: | |
| branches: ["main"] | |
| tags: | |
| - "*" | |
| pull_request: | |
| branches: ["main"] | |
| jobs: | |
| test: | |
| name: Run tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@v26 | |
| with: | |
| nix_path: nixpkgs=channel:nixpkgs-23.11-darwin | |
| - name: Extract nixpkgs hash | |
| run: | | |
| nixpkgs_hash=$(grep -o -P '(?<=archive/)[0-9a-f]{40}(?=\.tar\.gz)' shell.nix) | |
| echo "NIXPKGS_HASH=$nixpkgs_hash" >> $GITHUB_ENV | |
| - name: Cache Nix store | |
| uses: actions/cache@v4 | |
| id: nix-cache | |
| with: | |
| key: nix-${{ runner.os }}-${{ env.NIXPKGS_HASH }} | |
| path: /tmp/nix-cache | |
| - name: Import Nix store cache | |
| if: steps.nix-cache.outputs.cache-hit == 'true' | |
| run: | | |
| nix-store --import < /tmp/nix-cache | |
| - name: Cache Python packages | |
| uses: actions/cache@v4 | |
| with: | |
| key: python-${{ runner.os }}-${{ hashFiles('poetry.lock') }} | |
| path: .venv | |
| - name: Install dependencies | |
| run: | | |
| nix-shell --pure --run true | |
| - name: Export Nix store cache | |
| if: steps.nix-cache.outputs.cache-hit != 'true' | |
| run: | | |
| nix-store --export $(find /nix/store -maxdepth 1 -name '*-*') > /tmp/nix-cache | |
| - name: Assert tag name matches version | |
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| version="$(poetry version --short)" | |
| tag_name="${{ github.ref_name }}" | |
| if [ "$version" != "$tag_name" ]; then | |
| echo "Tag name mismatch: $version != $tag_name" | |
| exit 1 | |
| fi | |
| - name: Run tests | |
| run: | | |
| nix-shell --pure --run run-tests | |
| - name: Build distribution | |
| run: | | |
| nix-shell --pure --run "poetry build" | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist | |
| path: dist/ | |
| publish-pypi: | |
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') | |
| name: Publish to PyPI | |
| needs: test | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: pypi | |
| url: https://pypi.org/p/starlette-compress | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist | |
| path: dist/ | |
| - name: Publish to PyPI | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| publish-gh: | |
| name: Publish to GitHub Release | |
| needs: publish-pypi | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist | |
| path: dist/ | |
| - name: Sign with Sigstore | |
| uses: sigstore/[email protected] | |
| with: | |
| inputs: >- | |
| ./dist/*.tar.gz | |
| ./dist/*.whl | |
| - name: Create GitHub Release | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| run: >- | |
| gh release create | |
| '${{ github.ref_name }}' | |
| --repo '${{ github.repository }}' | |
| --notes "" | |
| - name: Upload signed artifacts | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| run: >- | |
| gh release upload | |
| '${{ github.ref_name }}' dist/** | |
| --repo '${{ github.repository }}' |