From 3266d2f7efb9df2c39be66ea992217154c890af6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Borgna?= <121866228+aborgna-q@users.noreply.github.com> Date: Fri, 2 Aug 2024 11:16:58 +0100 Subject: [PATCH] ci: Avoid building wheels on unrelated releases, split pypi tokens (#523) - Stops the wheel building jobs from running on releases of other packages. Adding a release for `tket2-eccs` caused `tket2` wheels to be built. Since that's an expensive workflow, this filters it out. We continue to build for all platforms on each commit to `main`. We may want to skip some platforms in the future. - Splits the pypi token used for publishing `tket2-py` and `tket2-eccs`. Scoped tokens only give permissions to a single project. Splitting the tokens here will let us replace the currently unrestricted token. --- .github/workflows/python-pure-wheels.yml | 34 +++++++++++++++++------- .github/workflows/python-wheels.yml | 31 ++++++++++++++++++--- 2 files changed, 52 insertions(+), 13 deletions(-) diff --git a/.github/workflows/python-pure-wheels.yml b/.github/workflows/python-pure-wheels.yml index e012cf6d..e4c1df81 100644 --- a/.github/workflows/python-pure-wheels.yml +++ b/.github/workflows/python-pure-wheels.yml @@ -1,4 +1,4 @@ -name: Build and publish pure python wheels +name: Pure Python wheels 🐍 # Builds and publishes the pure wheels on pypi. # # This does not include the main `tket2-py` package, which is built using maturin. @@ -20,41 +20,55 @@ on: jobs: build-publish: - name: Build and publish wheels + name: Package and publish wheels runs-on: ubuntu-latest strategy: matrix: - package: - - 'tket2-eccs' - + target: + - { name: tket2-eccs, key_secret: PYPI_PUBLISH_TKET2_ECCS } steps: + # Check the release tag against the package name + # + # Skip the workflow when triggered by a release event for any other package. + - name: Check tag + run: | + echo "run=$SHOULD_RUN" >> $GITHUB_OUTPUT + env: + SHOULD_RUN: ${{ github.event_name != 'release' || ( github.ref_type == 'tag' && startsWith(github.ref, format('refs/tags/{0}-v', matrix.target.name)) ) }} + - uses: actions/checkout@v4 + if: ${{ github.job.steps.check-tag.outputs.run == 'true' }} - name: Run sccache-cache + if: ${{ github.job.steps.check-tag.outputs.run == 'true' }} uses: mozilla-actions/sccache-action@v0.0.5 - name: Install poetry + if: ${{ github.job.steps.check-tag.outputs.run == 'true' }} run: pipx install poetry - name: Set up Python '3.10' + if: ${{ github.job.steps.check-tag.outputs.run == 'true' }} uses: actions/setup-python@v5 with: python-version: '3.10' cache: "poetry" - name: Build sdist and wheels + if: ${{ github.job.steps.check-tag.outputs.run == 'true' }} run: | - cd ${{ matrix.package }} + cd ${{ matrix.target.name }} poetry build -o ../dist - name: Upload the built packages as artifacts + if: ${{ github.job.steps.check-tag.outputs.run == 'true' }} uses: actions/upload-artifact@v4 with: - name: build-${{ matrix.package }}-sdist + name: build-${{ matrix.target.name }}-sdist path: | dist/*.tar.gz dist/*.whl - name: Publish to PyPI - if: ${{ (github.event_name == 'release' && github.ref_type == 'tag' && startsWith(github.ref, format('refs/tags/{0}-v', matrix.package)) ) || (github.event_name == 'workflow_dispatch' && github.ref_type == 'tag' && startsWith(github.ref, format('refs/tags/{0}-v', matrix.package)) ) }} + if: ${{ (github.event_name == 'release' && github.ref_type == 'tag' && startsWith(github.ref, format('refs/tags/{0}-v', matrix.target.name)) ) || (github.event_name == 'workflow_dispatch' && github.ref_type == 'tag' && startsWith(github.ref, format('refs/tags/{0}-v', matrix.target.name)) ) }} run: | - cd ${{ matrix.package }} - poetry config pypi-token.pypi ${{ secrets.PYPI_PUBLISH }} + cd ${{ matrix.target.name }} + poetry config pypi-token.pypi ${{ secrets[matrix.target.key_secret] }} poetry publish --dist-dir ../dist --skip-existing diff --git a/.github/workflows/python-wheels.yml b/.github/workflows/python-wheels.yml index 4b31fe5d..11fd5339 100644 --- a/.github/workflows/python-wheels.yml +++ b/.github/workflows/python-wheels.yml @@ -5,7 +5,7 @@ # # maturin generate-ci github > .github/workflows/python-wheels.yml # -# And edit the `on:` action triggers and the filters in `jobs.release.if`. +# And merge the changes into this file. name: Python wheels 🐍 on: @@ -21,7 +21,24 @@ permissions: contents: read jobs: + # Check if the tag matches the package name, + # or if the workflow is running on a non-release event. + check-tag: + name: Check tag + runs-on: ubuntu-latest + outputs: + run: ${{ steps.check-tag.outputs.run }} + steps: + - name: Check tag + id: check-tag + run: | + echo "run=$SHOULD_RUN" >> $GITHUB_OUTPUT + env: + SHOULD_RUN: ${{ github.event_name != 'release' || ( github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/tket2-py-v') ) }} + linux: + needs: check-tag + if: ${{ needs.check-tag.outputs.run == 'true' }} runs-on: ${{ matrix.platform.runner }} strategy: matrix: @@ -57,6 +74,8 @@ jobs: path: dist musllinux: + needs: check-tag + if: ${{ needs.check-tag.outputs.run == 'true' }} runs-on: ${{ matrix.platform.runner }} strategy: matrix: @@ -88,6 +107,8 @@ jobs: path: dist windows: + needs: check-tag + if: ${{ needs.check-tag.outputs.run == 'true' }} runs-on: ${{ matrix.platform.runner }} strategy: matrix: @@ -115,6 +136,8 @@ jobs: path: dist macos: + needs: check-tag + if: ${{ needs.check-tag.outputs.run == 'true' }} runs-on: ${{ matrix.platform.runner }} strategy: matrix: @@ -141,6 +164,8 @@ jobs: path: dist sdist: + needs: check-tag + if: ${{ needs.check-tag.outputs.run == 'true' }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -158,14 +183,14 @@ jobs: release: name: Release runs-on: ubuntu-latest - if: ${{ (github.event_name == 'release' && github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/tket2-py-v') ) || (github.event_name == 'workflow_dispatch' && github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/tket2-py-v') ) }} needs: [linux, musllinux, windows, macos, sdist] + if: ${{ (github.event_name == 'release' && github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/tket2-py-v') ) || (github.event_name == 'workflow_dispatch' && github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/tket2-py-v') ) }} steps: - uses: actions/download-artifact@v4 - name: Publish to PyPI uses: PyO3/maturin-action@v1 env: - MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_PUBLISH }} + MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_PUBLISH_TKET2 }} with: command: upload args: --non-interactive --skip-existing wheels-*/*