1+ name : LBox Publish
2+
3+ on :
4+ workflow_dispatch :
5+ inputs :
6+ tag :
7+ description : ' Release Tag'
8+ required : true
9+
10+ concurrency :
11+ group : ${{ github.workflow }}-${{ github.ref }}
12+ cancel-in-progress : true
13+
14+ permissions :
15+ id-token : write
16+
17+ jobs :
18+ path-filter :
19+ runs-on : ubuntu-latest
20+ outputs :
21+ lbox : ${{ true }}
22+ test-matrix : ${{ steps.matrix.outputs.test-matrix }}
23+ package-matrix : ${{ steps.matrix.outputs.publish-matrix }}
24+ steps :
25+ - uses : actions/checkout@v4
26+ with :
27+ # ref: ${{ inputs.tag }}
28+ ref : ${{ inputs.tag }}
29+ - uses : dorny/paths-filter@v3
30+ id : filter
31+ with :
32+ ref : ${{ inputs.tag }}
33+ list-files : ' json'
34+ filters : |
35+ lbox:
36+ - 'libs/lbox*/**'
37+ id : matrix
38+ uses : ./.github/actions/lbox-matrix
39+ with :
40+ files-changed : ${{ steps.filter.outputs.lbox_files }}
41+ build :
42+ runs-on : ubuntu-latest
43+ needs : ['path-filter', 'test-build']
44+ outputs :
45+ hashes : ${{ steps.hash.outputs.hashes_lbox-clients }}
46+ strategy :
47+ fail-fast : false
48+ matrix :
49+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
50+ steps :
51+ - uses : actions/checkout@v4
52+ with :
53+ # ref: ${{ inputs.tag }}
54+ ref : ${{ inputs.tag }}
55+ - name : Install the latest version of rye
56+ uses : eifinger/setup-rye@v2
57+ with :
58+ version : ${{ vars.RYE_VERSION }}
59+ enable-cache : true
60+ - name : Rye Setup
61+ run : |
62+ rye config --set-bool behavior.use-uv=true
63+ name : Create build
64+ working-directory : libs/${{ matrix.package }}
65+ run : |
66+ rye sync
67+ rye build
68+ name : " Generate hashes"
69+ id : hash
70+ run : |
71+ cd dist && echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
72+ echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
73+ uses : actions/upload-artifact@v4
74+ with :
75+ name : build-${{ matrix.package }}
76+ path : ./dist
77+ provenance_python :
78+ needs : [build]
79+ permissions :
80+ actions : read
81+ contents : write
82+ id-token : write # Needed to access the workflow's OIDC identity.
83+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
84+ with :
85+ base64-subjects : " ${{ needs.build.outputs.hashes }}"
86+ upload-assets : true
87+ upload-tag-name : ${{ inputs.tag }} # Tag from the initiation of the workflow
88+ provenance-name : lbox-clients.intoto.jsonl
89+
90+ test-build :
91+ needs : ['path-filter']
92+ if : ${{ needs.path-filter.outputs.lbox == 'true' }}
93+ runs-on : ubuntu-latest
94+ strategy :
95+ fail-fast : false
96+ matrix :
97+ include : ${{ fromJSON(needs.path-filter.outputs.test-matrix) }}
98+ concurrency :
99+ group : lbox-staging-${{ matrix.python-version }}-${{ matrix.package }}
100+ cancel-in-progress : false
101+ steps :
102+ - uses : actions/checkout@v4
103+ with :
104+ token : ${{ secrets.ACTIONS_ACCESS_TOKEN }}
105+ # ref: ${{ inputs.tag }}
106+ ref : ${{ inputs.tag }}
107+ - uses : ./.github/actions/python-package-shared-setup
108+ with :
109+ rye-version : ${{ vars.RYE_VERSION }}
110+ python-version : ${{ matrix.python-version }}
111+ - name : Format
112+ run : rye format --check -v -p ${{ matrix.package }}
113+ - name : Linting
114+ run : rye lint -v -p ${{ matrix.package }}
115+ - name : Unit
116+ working-directory : libs/${{ matrix.package }}
117+ run : rye run unit
118+ - name : Integration
119+ working-directory : libs/${{ matrix.package }}
120+ env :
121+ LABELBOX_TEST_API_KEY : ${{ secrets[matrix.api-key] }}
122+ DA_GCP_LABELBOX_API_KEY : ${{ secrets[matrix.da-test-key] }}
123+ LABELBOX_TEST_ENVIRON : ' staging'
124+ run : rye run integration
125+ pypi-publish :
126+ runs-on : ubuntu-latest
127+ needs : ['build', 'test-build', 'path-filter']
128+ strategy :
129+ fail-fast : false
130+ matrix :
131+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
132+ environment :
133+ name : publish-${{ matrix.package }}
134+ url : ' https://pypi.org/project/${{ matrix.package }}'
135+ permissions :
136+ # IMPORTANT: this permission is mandatory for trusted publishing
137+ id-token : write
138+ steps :
139+ - uses : actions/download-artifact@v4
140+ with :
141+ name : build-${{ matrix.package }}
142+ path : ./artifact
143+ - name : Publish package distributions to PyPI
144+ uses : pypa/gh-action-pypi-publish@release/v1
145+ with :
146+ packages-dir : artifact/
147+ container-publish :
148+ runs-on : ubuntu-latest
149+ needs : ['build', 'path-filter']
150+ if : ${{ needs.path-filter.outputs.lbox == 'true' }}
151+ strategy :
152+ fail-fast : false
153+ matrix :
154+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
155+ permissions :
156+ # IMPORTANT: this permission is mandatory for trusted publishing
157+ packages : write
158+ steps :
159+ - uses : actions/checkout@v4
160+ with :
161+ # ref: ${{ inputs.tag }}
162+ ref : ${{ inputs.tag }}
163+ - name : Set up Docker Buildx
164+ uses : docker/setup-buildx-action@v3
165+ - name : Log in to the Container registry
166+ uses : docker/login-action@v3
167+ with :
168+ registry : ghcr.io
169+ username : ${{ github.actor }}
170+ password : ${{ secrets.GITHUB_TOKEN }}
171+ - name : Build and push
172+ uses : docker/build-push-action@v5
173+ id : build_container
174+ with :
175+ context : .
176+ file : ./libs/${{ matrix.package }}/Dockerfile
177+ github-token : ${{ secrets.GITHUB_TOKEN }}
178+ push : true
179+ platforms : |
180+ linux/amd64
181+ linux/arm64
182+ tags : |
183+ ghcr.io/labelbox/${{ matrix.package }}:latest
184+ ghcr.io/labelbox/${{ matrix.package }}:${{ inputs.tag }}
185+ name : Output image
186+ id : image
187+ run : |
188+ echo "ghcr.io/labelbox/${{ matrix.package }}:latest" >> "$GITHUB_STEP_SUMMARY"
189+ echo "ghcr.io/labelbox/${{ matrix.package }}:${{ inputs.tag }}" >> "$GITHUB_STEP_SUMMARY"
0 commit comments