11name : wipac ci/cd
22
3- on : [ push ]
3+ on :
4+ push :
5+ # only on branch pushes
6+ branches : [ '**' ]
7+ tags-ignore : [ '**' ]
48
59concurrency :
610 group : ${{ github.workflow }}-${{ github.ref }}
711 # don't cancel on main/master/default
812 cancel-in-progress : ${{ format('refs/heads/{0}', github.event.repository.default_branch) != github.ref }}
913
10- env :
11- BOT_NAME : wipacdevbot # needed to "Allow specified actors to bypass required pull requests" (pushing to main)
12- 13-
1414jobs :
1515
1616 py-versions :
1717 runs-on : ubuntu-latest
1818 outputs :
1919 matrix : ${{ steps.versions.outputs.matrix }}
2020 steps :
21- - uses : actions/checkout@v4
21+ - uses : actions/checkout@v5
22+ with :
23+ ref : ${{ github.sha }} # lock to triggered commit (github.ref is dynamic)
2224 - id : versions
23- uses : WIPACrepo/wipac-dev-py-versions-action@v2.5
25+ uses : WIPACrepo/wipac-dev-py-versions-action@v2.7
2426
2527
2628 # ############################################################################
@@ -29,14 +31,23 @@ jobs:
2931
3032
3133 flake8 :
34+ needs : [ py-versions ]
3235 runs-on : ubuntu-latest
36+ strategy :
37+ fail-fast : false
38+ matrix :
39+ py3 : ${{ fromJSON(needs.py-versions.outputs.matrix) }}
3340 steps :
34- - uses : actions/checkout@v4
41+ - uses : actions/checkout@v5
42+ with :
43+ ref : ${{ github.sha }} # lock to triggered commit (github.ref is dynamic)
3544 - uses : actions/setup-python@v5
36- -
uses :
WIPACrepo/[email protected] 45+ with :
46+ python-version : ${{ matrix.py3 }}
47+ -
uses :
WIPACrepo/[email protected] 3748 with :
3849 max-function-length : 400
39- max-complexity : 25
50+ max-complexity : 25 # ideal is ~10-15
4051
4152 mypy :
4253 needs : [ py-versions ]
@@ -46,78 +57,49 @@ jobs:
4657 matrix :
4758 py3 : ${{ fromJSON(needs.py-versions.outputs.matrix) }}
4859 steps :
49- - uses : actions/checkout@v4
60+ - uses : actions/checkout@v5
61+ with :
62+ ref : ${{ github.sha }} # lock to triggered commit (github.ref is dynamic)
5063 - uses : actions/setup-python@v5
5164 with :
5265 python-version : ${{ matrix.py3 }}
5366 -
uses :
WIPACrepo/[email protected] 5467
68+
5569 # ############################################################################
5670 # PACKAGING
5771 # ############################################################################
5872
59-
60- writable-branch-detect :
61- runs-on : ubuntu-latest
62- outputs :
63- OKAY : ${{ steps.detect.outputs.OKAY }}
64- steps :
65- - name : is this a bot-writable branch?
66- id : detect
67- # dependabot can't access normal secrets
68- # & don't run non-branch triggers (like tags)
69- # & we don't want to trigger an update on PR's merge to main/master/default (which is a branch)
70- run : |
71- set -euo pipefail
72- if [[ \
73- ${{github.actor}} != 'dependabot[bot]' && \
74- ${{github.ref_type}} == 'branch' && \
75- ${{format('refs/heads/{0}', github.event.repository.default_branch)}} != ${{github.ref}} \
76- ]]; then
77- echo "OKAY=true" >> "$GITHUB_OUTPUT"
78- echo "yes, this branch is compatible"
79- else
80- echo "OKAY=false" >> "$GITHUB_OUTPUT"
81- echo "no, this branch is incompatible"
82- fi
83-
8473 py-setup :
85- needs : [ writable-branch-detect ]
8674 runs-on : ubuntu-latest
8775 steps :
88- - if : needs.writable-branch-detect.outputs.OKAY == 'true'
89- uses : actions/checkout@v4
76+ - uses : actions/checkout@v5
9077 with :
9178 token : ${{ secrets.PERSONAL_ACCESS_TOKEN }}
92- - if : needs.writable-branch-detect.outputs.OKAY == 'true'
93- uses : WIPACrepo/wipac-dev-py-setup-action@v4.1
79+ ref : ${{ github.ref }} # dont lock to sha (action needs to push)
80+ - uses : WIPACrepo/wipac-dev-py-setup-action@v5.2
9481 with :
82+ mode : PACKAGING_AND_PYPI
9583 python_min : 3.9
9684 python_max : 3.13
9785 pypi_name : icecube-skyreader
9886 author : WIPAC Developers
9987100- keywords : IceCube "skymap scanner" skymap HEALPix neutrino reconstruction
101- git_committer_name : ${{ env.BOT_NAME }} # b/c 'main' push-protections
102- git_committer_email : ${{ env.BOT_EMAIL }} # b/c 'main' push-protections
88+ keywords_comma : " IceCube, skymap scanner, skymap, HEALPix, neutrino, reconstruction"
10389
10490 py-dependencies :
105- needs : [ writable-branch-detect ]
10691 runs-on : ubuntu-latest
10792 steps :
108- - if : needs.writable-branch-detect.outputs.OKAY == 'true'
109- uses : actions/checkout@v4
93+ - uses : actions/checkout@v5
11094 with :
111- token : ${{ secrets.PERSONAL_ACCESS_TOKEN }}
112- - if : needs.writable-branch-detect.outputs.OKAY == 'true'
113- 95+ ref : ${{ github.sha }} # lock to triggered commit (github.ref is dynamic)
96+ -
uses :
WIPACrepo/[email protected] 11497
11598
11699 # ############################################################################
117100 # TESTS
118101 # ############################################################################
119102
120-
121103 unit-tests :
122104 needs : [ py-versions ]
123105 runs-on : ubuntu-latest
@@ -127,52 +109,51 @@ jobs:
127109 py3 : ${{ fromJSON(needs.py-versions.outputs.matrix) }}
128110 steps :
129111 - uses : actions/checkout@v3
112+ with :
113+ ref : ${{ github.sha }} # lock to triggered commit (github.ref is dynamic)
130114 - uses : actions/setup-python@v3
131115 with :
132116 python-version : ${{ matrix.py3 }}
133117
134118 - name : pip install
135119 run : |
136- set -euo pipefail
120+ set -euo pipefail; echo "now: $(date -u +"%Y-%m-%dT%H:%M:%S.%3N")"
137121 pip install --upgrade pip wheel setuptools
138122 pip install .[tests]
139123
140124 - name : test
141125 run : |
142- set -euo pipefail
126+ set -euo pipefail; echo "now: $(date -u +"%Y-%m-%dT%H:%M:%S.%3N")"
143127 pytest -vvv tests/unit
144128
145129 - name : dump comparison json files
146130 if : always()
147131 run : |
148- set -euo pipefail
132+ set -euo pipefail; echo "now: $(date -u +"%Y-%m-%dT%H:%M:%S.%3N")"
149133 more *.json | cat
150134
151- release :
152- # only run on main/master/default
135+ # ###########################################################################
136+ # TAG + RELEASE
137+ # ############################################################################
138+
139+ tag-and-release :
140+ # only run on main/default
153141 if : format('refs/heads/{0}', github.event.repository.default_branch) == github.ref
154- needs : [ flake8, mypy, py-setup, py-dependencies, unit-tests ]
155- runs-on : ubuntu-latest
156- concurrency : release # prevent any possible race conditions
157- permissions :
158- id-token : write
159- contents : write # to allow pushing to the repo
160- steps :
161- - uses : actions/checkout@v4
162- with :
163- fetch-depth : 0
164- # Python-Package Version Bump
165- -
uses :
python-semantic-release/[email protected] 166- id : psr-psr
167- with :
168- github_token : ${{ secrets.GITHUB_TOKEN }}
169- # PyPI Release
170- 171- if : steps.psr-psr.outputs.released == 'true'
172- with :
173- password : ${{ secrets.WIPAC_PYPI_TOKEN }}
174- # GitHub Release
175- -
uses :
python-semantic-release/[email protected] 176- if : steps.psr-psr.outputs.released == 'true'
177- with :
178- github_token : ${{ secrets.GITHUB_TOKEN }}
142+ needs : [
143+ py-versions,
144+ mypy,
145+ py-setup,
146+ py-dependencies,
147+ unit-tests
148+ ]
149+ uses :
WIPACrepo/wipac-dev-workflows/.github/workflows/[email protected] 150+ permissions : # for GITHUB_TOKEN
151+ contents : write
152+ with :
153+ project-type : python
154+ python-version : " ${{ fromJSON(needs.py-versions.outputs.matrix)[0] }}"
155+ release-artifacts : |
156+ py-dependencies-logs
157+ publish-to-pypi : true
158+ secrets :
159+ PYPI_TOKEN : ${{ secrets.PYPI_TOKEN }}
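Review bot: In `py-setup`, dropping the `writable-branch-detect` gate means the checkout with `token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}` and the pushing action now run on every branch push. That includes pushes to the default branch and pushes by Dependabot, for which the removed comment notes that normal secrets are unavailable, so the checkout would likely receive an empty token there. Unless `wipac-dev-py-setup-action@v5.2` handles those cases itself (not visible on this page), I would keep a job-level guard such as `if: github.actor != 'dependabot[bot]'`. The same job hands a write-capable PAT to an action referenced by the mutable tag `@v5.2`; pinning it to a full commit SHA, `uses: WIPACrepo/wipac-dev-py-setup-action@<full-commit-sha>  # v5.2`, keeps a moved tag from running different code with that token. The same pinning applies to the tag-referenced reusable workflow in `tag-and-release`, which receives `PYPI_TOKEN` and `contents: write`.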