Use Trusted Publishing for uploads to PyPI #139
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build + Deploy | |
| on: | |
| push: | |
| branches: [main] | |
| tags: ["v*.*.*"] | |
| pull_request: | |
| branches: [main] | |
| env: | |
| # skip 3.8, 3.9 (EOL); skip free-threaded 3.14 (untested yet) | |
| CIBW_SKIP: cp38-* cp39-* cp314t-* | |
| # enable PyPy builds on all platforms | |
| CIBW_ENABLE: pypy | |
| CIBW_MANYLINUX_X86_64_IMAGE: manylinux2014 | |
| CIBW_MANYLINUX_I686_IMAGE: manylinux2014 | |
| CIBW_MANYLINUX_PYPY_X86_64_IMAGE: manylinux2014 | |
| CIBW_TEST_EXTRAS: testing | |
| CIBW_TEST_COMMAND: pytest {project}/tests | |
| BUILD_SKIA_FROM_SOURCE: 0 | |
| SKIA_LIBRARY_DIR: "build/download" | |
| CIBW_ENVIRONMENT: BUILD_SKIA_FROM_SOURCE=0 SKIA_LIBRARY_DIR=build/download | |
| jobs: | |
| build_wheels: | |
| runs-on: ${{ matrix.os }} | |
| env: | |
| CIBW_ARCHS: ${{ matrix.arch }} | |
| CIBW_BUILD: ${{ matrix.cibw_build_filter || '' }} | |
| defaults: | |
| run: | |
| shell: bash | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, windows-latest] | |
| arch: [auto64] | |
| include: | |
| # CPython universal2 wheels (x86_64 + arm64) for macOS | |
| - os: macos-latest | |
| arch: universal2 | |
| cibw_build_filter: "cp*" | |
| # PyPy x86_64 wheels for macOS (PyPy doesn't support universal2) | |
| - os: macos-15-intel | |
| arch: x86_64 | |
| cibw_build_filter: "pp*" | |
| # PyPy arm64 wheels for macOS (PyPy doesn't support universal2) | |
| - os: macos-latest | |
| arch: arm64 | |
| cibw_build_filter: "pp*" | |
| - os: windows-latest | |
| arch: x86 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Set up Python 3.x | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.x" | |
| - name: Download pre-compiled libskia | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | |
| run: | | |
| if [ "$BUILD_SKIA_FROM_SOURCE" == "0" ]; then | |
| pip install setuptools githubrelease | |
| if ! [[ $CIBW_ARCHS =~ ^auto ]]; then | |
| # translate cibuildwheel arch names to download_libskia.py names | |
| case "$CIBW_ARCHS" in | |
| x86_64) cpu_arch="--cpu-arch=x64" ;; | |
| *) cpu_arch="--cpu-arch=$CIBW_ARCHS" ;; | |
| esac | |
| fi | |
| python ci/download_libskia.py -d "${SKIA_LIBRARY_DIR}" $cpu_arch | |
| fi | |
| - name: Install dependencies | |
| run: pip install cibuildwheel | |
| - name: Build and Test Wheels | |
| run: python -m cibuildwheel --output-dir wheelhouse | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: skia_pathops-${{ matrix.os }}-${{ matrix.arch }} | |
| path: wheelhouse/*.whl | |
| build_aarch64_wheels: | |
| # native ARM64 runner, much faster than qemu | |
| runs-on: ubuntu-24.04-arm | |
| env: | |
| CIBW_ARCHS: aarch64 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Download pre-compiled libskia | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | |
| run: | | |
| if [ "$BUILD_SKIA_FROM_SOURCE" == "0" ]; then | |
| pip install setuptools githubrelease | |
| python ci/download_libskia.py -d "${SKIA_LIBRARY_DIR}" --cpu-arch "arm64" | |
| fi | |
| - name: Install dependencies | |
| run: pip install cibuildwheel | |
| - name: Build and Test Wheels | |
| run: python -m cibuildwheel --output-dir wheelhouse | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: skia_pathops-linux-aarch64 | |
| path: wheelhouse/*.whl | |
| deploy: | |
| # only run if the commit is tagged... | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| # ... and all build jobs completed successfully | |
| needs: [build_wheels, build_aarch64_wheels] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # Required for trusted publishing to PyPI | |
| id-token: write | |
| # Required for creating GitHub releases | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Download artifacts from build jobs | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: dist/ | |
| merge-multiple: true | |
| - name: Extract release notes from annotated tag message | |
| id: release_notes | |
| env: | |
| # e.g. v0.1.0a1, v1.2.0b2 or v2.3.0rc3, but not v1.0.0 | |
| PRERELEASE_TAG_PATTERN: "v[[:digit:]]+\\.[[:digit:]]+\\.[[:digit:]]+([ab]|rc)[[:digit:]]+" | |
| run: | | |
| # GH checkout action doesn't preserve tag annotations, we must fetch them | |
| # https://github.com/actions/checkout/issues/290 | |
| git fetch --tags --force | |
| # strip leading 'refs/tags/' to get the tag name | |
| TAG_NAME="${GITHUB_REF##*/}" | |
| # Dump tag message to temporary .md file (excluding the PGP signature at the bottom) | |
| TAG_MESSAGE=$(git tag -l --format='%(contents)' $TAG_NAME | sed -n '/-----BEGIN PGP SIGNATURE-----/q;p') | |
| echo "$TAG_MESSAGE" > "${{ runner.temp }}/release_notes.md" | |
| # if the tag has a pre-release suffix mark the Github Release accordingly | |
| if egrep -q "$PRERELEASE_TAG_PATTERN" <<< "$TAG_NAME"; then | |
| echo "Tag contains a pre-release suffix" | |
| echo "IS_PRERELEASE=true" >> "$GITHUB_ENV" | |
| else | |
| echo "Tag does not contain pre-release suffix" | |
| echo "IS_PRERELEASE=false" >> "$GITHUB_ENV" | |
| fi | |
| - name: Create GitHub release | |
| id: create_release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| body_path: "${{ runner.temp }}/release_notes.md" | |
| draft: false | |
| prerelease: ${{ env.IS_PRERELEASE }} | |
| - name: Build source distribution | |
| run: pipx run build --sdist | |
| - name: Publish to PyPI | |
| uses: pypa/gh-action-pypi-publish@release/v1 |