Merge aabe83c06d into 15c56dba36

requirements: bump pypi-attestations to 0.0.15

.github/workflows/publish-major-minor.yml

@@ -0,0 +1,62 @@
+name: "Publish Major-Minor-Tags"
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  push-tags:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.8
+      - name: Install packaging
+        run: python -m pip install -U packaging --user
+      - name: Get versions
+        id: get_versions
+        shell: python
+        run: |
+          from packaging.version import parse
+
+          tag_ref = "${{ github.ref }}"
+          tag_name = tag_ref.split("/")[-1]
+          version = parse(tag_name)
+          print(f"tag_name: {tag_name}")
+          print(f"version: {version}")
+          if version.is_prerelease:
+              print("No tags created (dev or pre version)!")
+              exit(0)
+
+          print("Creating new major and minor tags!")
+          print(f"::set-output name=original_tag_name::{tag_name}")
+          print(f"::set-output name=major_version::v{version.major}")
+          print(f"::set-output name=minor_version::v{version.major}.{version.minor}")      
+      - name: Setup git user as [bot]
+        run: |
+          git config user.email 'github-actions[bot]@users.noreply.github.com'
+          git config user.name 'github-actions[bot]'
+      - name: Create major + minor tags
+        if: steps.get_versions.outputs.original_tag_name != ''
+        env:
+          original_tag_name: ${{ steps.get_versions.outputs.original_tag_name }}
+          major_version: ${{ steps.get_versions.outputs.major_version }}
+          minor_version: ${{ steps.get_versions.outputs.minor_version }}
+        run: |
+          git tag --annotate '${{ env.major_version }}' \
+            --message='Major version tag of: ${{ env.original_tag_name }}' \
+            --message="Original tag SHA1: $(git rev-parse ${{ env.original_tag_name }})"
+          git tag --annotate '${{ env.minor_version }}' \
+            --message='Minor version tag of: ${{ env.original_tag_name }}' \
+            --message="Original tag SHA1: $(git rev-parse ${{ env.original_tag_name }})"
+      - name: Push major + minor tags
+        if: steps.get_versions.outputs.original_tag_name != ''
+        env:
+          major_version: ${{ steps.get_versions.outputs.major_version }}
+          minor_version: ${{ steps.get_versions.outputs.minor_version }}
+        run: |
+          git push --force --atomic origin \
+            '${{ env.major_version }}' \
+            '${{ env.minor_version }}'

action.yml

@@ -130,24 +130,44 @@ runs:
       PR_REF: ${{ github.event.pull_request.head.ref }}
       PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
       PR_REPO_ID: ${{ github.event.pull_request.base.repo.id }}
-  - name: Check out action repo
+  - name: Discover pre-installed Python
-    uses: actions/checkout@v4
+    id: pre-installed-python
+    run: |
+      # 🔎 Discover pre-installed Python
+      echo "python-path=$(command -v python3 || :)" | tee -a "${GITHUB_OUTPUT}"
+    shell: bash
+  - name: Install Python 3
+    if: steps.pre-installed-python.outputs.python-path == ''
+    id: new-python
+    uses: actions/setup-python@v5
     with:
-      path: action-repo
+      python-version: 3.x
-      ref: ${{ steps.set-repo-and-ref.outputs.ref }}
-      repository: ${{ steps.set-repo-and-ref.outputs.repo }}
   - name: Create Docker container action
     run: |
       # Create Docker container action
-      python create-docker-action.py
+      ${{
+        steps.pre-installed-python.outputs.python-path == ''
+        && steps.new-python.outputs.python-path
+        || steps.pre-installed-python.outputs.python-path
+      }} '${{ github.action_path }}/create-docker-action.py'
     env:
       REF: ${{ steps.set-repo-and-ref.outputs.ref }}
       REPO: ${{ steps.set-repo-and-ref.outputs.repo }}
       REPO_ID: ${{ steps.set-repo-and-ref.outputs.repo-id }}
     shell: bash
-    working-directory: action-repo
   - name: Run Docker container
-    uses: ./action-repo/.github/actions/run-docker-container
+    # The generated trampoline action must exist in the allowlisted
+    # runner-defined working directory so it can be referenced by the
+    # relative path starting with `./`.
+    #
+    # This mutates the end-user's workspace slightly but uses a path
+    # that is unlikely to clash with somebody else's use.
+    #
+    # We cannot use randomized paths because the composite action
+    # syntax does not allow accessing variables in `uses:`. This
+    # means that we end up having to hardcode this path both here and
+    # in `create-docker-action.py`.
+    uses: ./.github/.tmp/.generated-actions/run-pypi-publish-in-docker-container
     with:
       user: ${{ inputs.user }}
       password: ${{ inputs.password }}

attestations.py

@@ -54,6 +54,7 @@ def debug(msg: str):
 def collect_dists(packages_dir: Path) -> list[Path]:
     # Collect all sdists and wheels.
     dist_paths = [sdist.resolve() for sdist in packages_dir.glob('*.tar.gz')]
+    dist_paths.extend(sdist.resolve() for sdist in packages_dir.glob('*.zip'))
     dist_paths.extend(whl.resolve() for whl in packages_dir.glob('*.whl'))
 
     # Make sure everything that looks like a dist actually is one.

create-docker-action.py

@@ -10,10 +10,12 @@ REPO = os.environ['REPO']
 REPO_ID = os.environ['REPO_ID']
 REPO_ID_GH_ACTION = '178055147'
 
+ACTION_SHELL_CHECKOUT_PATH = pathlib.Path(__file__).parent.resolve()
+
 
 def set_image(ref: str, repo: str, repo_id: str) -> str:
     if repo_id == REPO_ID_GH_ACTION:
-        return '../../../Dockerfile'
+        return str(ACTION_SHELL_CHECKOUT_PATH / 'Dockerfile')
     docker_ref = ref.replace('/', '-')
     return f'docker://ghcr.io/{repo}:{docker_ref}'
 
@@ -70,6 +72,20 @@ action = {
     },
 }
 
-action_path = pathlib.Path('.github/actions/run-docker-container/action.yml')
+# The generated trampoline action must exist in the allowlisted
+# runner-defined working directory so it can be referenced by the
+# relative path starting with `./`.
+#
+# This mutates the end-user's workspace slightly but uses a path
+# that is unlikely to clash with somebody else's use.
+#
+# We cannot use randomized paths because the composite action
+# syntax does not allow accessing variables in `uses:`. This
+# means that we end up having to hardcode this path both here and
+# in `action.yml`.
+action_path = pathlib.Path(
+    '.github/.tmp/.generated-actions/'
+    'run-pypi-publish-in-docker-container/action.yml',
+)
 action_path.parent.mkdir(parents=True, exist_ok=True)
 action_path.write_text(json.dumps(action, ensure_ascii=False), encoding='utf-8')

requirements/runtime.in

@@ -10,7 +10,7 @@ id ~= 1.0
 requests
 
 # NOTE: Used to generate attestations.
-pypi-attestations ~= 0.0.13
+pypi-attestations ~= 0.0.15
 sigstore ~= 3.5.1
 
 # NOTE: Used to detect the PyPI package name from the distribution files

requirements/runtime.txt

@@ -93,7 +93,7 @@ pyjwt==2.8.0
     # via sigstore
 pyopenssl==24.1.0
     # via sigstore
-pypi-attestations==0.0.13
+pypi-attestations==0.0.15
     # via -r runtime.in
 python-dateutil==2.9.0.post0
     # via betterproto