ci: harden tag/version check in TestPyPI and PyPI workflows #5
| name: Release (PyPI) | ||
| on: | ||
| # Manual run for publishing to PyPI | ||
| workflow_dispatch: | ||
| # Optional: publish on tag push (vX.Y.Z) | ||
| push: | ||
| tags: ["v*"] | ||
| jobs: | ||
| publish: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write # Required for OIDC Trusted Publishing | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.11" | ||
| - uses: astral-sh/setup-uv@v3 | ||
| - name: Install deps | ||
| run: uv sync --all-extras --dev | ||
| - name: Build dists | ||
| run: uv run python -m build | ||
| - name: Verify tag matches version (only on tag) | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| shell: bash | ||
| run: | | ||
| TAG="${GITHUB_REF_NAME#v}" | ||
| PY_VER=$(python - <<'PY' | ||
| import tomllib | ||
| print(tomllib.load(open('pyproject.toml','rb'))['project']['version']) | ||
| PY | ||
| ) | ||
| if [ -z "$TAG" ]; then | ||
| echo "No tag found in GITHUB_REF_NAME"; exit 1; | ||
| fi | ||
| [ "$PY_VER" = "$TAG" ] || { echo "Version $PY_VER != tag $TAG"; exit 1; } | ||
| - name: Publish distribution 📦 to PyPI (OIDC) | ||
| uses: pypa/gh-action-pypi-publish@release/v1 | ||
| with: | ||
| verbose: true | ||
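Review bot: The tag/version guard in "Verify tag matches version" only runs when `github.ref` is a tag, so a `workflow_dispatch` run reaches the publish step with no check at all between the `pyproject.toml` version and what is uploaded; if manual publishing is meant to stay possible, the comparison against the built artefacts should run unconditionally, e.g. `ls dist/*"$PY_VER"* >/dev/null || { echo "dist/ does not contain version $PY_VER"; exit 1; }`, with only the tag comparison kept behind the `startsWith` condition. The step also runs after "Build dists", so a mismatched tag still pays for a full build before failing; moving the verify step ahead of the build fails fast with no other effect. Inside the script, the `-z "$TAG"` test comes after the Python heredoc that reads `pyproject.toml`, so the empty-tag error is never the first failure seen; placing it first keeps the error message accurate. These assumptions about intended manual-publish behaviour are inferred from the `workflow_dispatch` trigger at the top of the file and should be confirmed with the workflow owner.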