diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7aac1a8..fd5c569 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -66,7 +66,7 @@ jobs: uploads.github.com:443 - name: Checkout repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 91213b6..14becc5 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -22,7 +22,7 @@ jobs: matrix: version: ["3.9", "3.10", "3.11", "3.12"] os: [windows-latest, macOS-13, macOS-latest, ubuntu-latest] - uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@951ebbd277e18b0a5b88a4e67535e262bc59f979 + uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@7952e59342a8c8d1c8ad833121049bac58277167 with: version: ${{ matrix.version }} os: ${{ matrix.os }} diff --git a/.github/workflows/continuous-release.yml b/.github/workflows/continuous-release.yml index a1f1771..98453dc 100644 --- a/.github/workflows/continuous-release.yml +++ b/.github/workflows/continuous-release.yml @@ -3,7 +3,7 @@ name: Check release on: - pull_request: + pull_request_target: permissions: contents: read @@ -14,8 +14,8 @@ jobs: concurrency: release permissions: - id-token: write pull-requests: write + id-token: write steps: - name: Setup | Harden Runner @@ -24,7 +24,7 @@ jobs: egress-policy: audit - name: Setup | Checkout Repository at workflow sha - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 ref: ${{ github.sha }} 
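Review bot: The switch from `pull_request` to `pull_request_target` in continuous-release.yml makes this job run in the base repository's context, so pull requests from forks now get the job's `pull-requests: write` and `id-token: write` permissions and access to secrets. The checkout in this file uses `ref: ${{ github.sha }}`, which for this trigger is the base-branch commit, so no PR code is checked out; that property is what keeps the job safe and it should be stated next to the trigger, for example `# pull_request_target: runs with a write-scoped token; never check out or execute the PR head in this workflow`. It also likely means the version check analyses the base branch rather than the PR's commits, which is worth confirming. If nothing in the job uses OIDC, dropping `id-token: write` would narrow what the token can do.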
@@ -36,7 +36,7 @@ jobs: - name: Action | Semantic Version id: check # Adjust tag with desired version if applicable. - uses: python-semantic-release/python-semantic-release@657118d28ae4a74d8a387bedf5db2bb7bac0cb33 # v9.11.1 + uses: python-semantic-release/python-semantic-release@c1bcfdbb994243ac7cf419365d5894d6bfb2950e # v9.12.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} build: false @@ -46,12 +46,16 @@ jobs: tag: false vcs_release: false - - name: Action | Comment on PR with new version - run: | + - run: | echo "## The results of python-semantic-release are below." | tee -a "$GITHUB_STEP_SUMMARY" echo "* released: ${{ steps.check.outputs.released }}" | tee -a "$GITHUB_STEP_SUMMARY" echo "* is_prerelease: ${{ steps.check.outputs.is_prerelease }}" | tee -a "$GITHUB_STEP_SUMMARY" echo "* version: ${{ steps.check.outputs.version }}" | tee -a "$GITHUB_STEP_SUMMARY" echo "* tag: ${{ steps.check.outputs.tag }}" | tee -a "$GITHUB_STEP_SUMMARY" - # echo "The release number should be ${{ steps.check.outputs.version }}" >> release.md - gh pr comment ${{ github.event.pull_request.number }} --body "This PR should include a release: ${{ steps.check.outputs.released }}\n" + + - name: Action | Comment on PR with new version + if: ${{ steps.check.outputs.released == 'true' }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh pr comment ${{ github.event.pull_request.number }} --body "This PR will induce a release as v${{ steps.check.outputs.version }}\n" diff --git a/.github/workflows/continuous-testing.yml b/.github/workflows/continuous-testing.yml index 64ed108..9da3c5e 100644 --- a/.github/workflows/continuous-testing.yml +++ b/.github/workflows/continuous-testing.yml @@ -14,7 +14,7 @@ permissions: jobs: quick-test: - uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@951ebbd277e18b0a5b88a4e67535e262bc59f979 + uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@7952e59342a8c8d1c8ad833121049bac58277167 with: version: "3.12" os: ubuntu-latest 
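Review bot: The new "Comment on PR" step in the `@@ -46,12 +46,16 @@` hunk expands `${{ steps.check.outputs.version }}` and `${{ github.event.pull_request.number }}` directly into the shell script, and this workflow now runs under `pull_request_target` with `pull-requests: write`. Expressions are substituted before the shell parses the line, so passing them through `env:` keeps the values as data: add `PR_NUMBER: ${{ github.event.pull_request.number }}` and `VERSION: ${{ steps.check.outputs.version }}` under `env:` and call `gh pr comment "$PR_NUMBER" --body "This PR will induce a release as v$VERSION"`. The same applies to the `echo` lines in the preceding step, which also lost its `name:`. The trailing `\n` inside the double-quoted body is not a newline in bash and would be posted as the two literal characters.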
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 0a1a8ef..955b3b3 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -22,6 +22,6 @@ jobs: egress-policy: audit - name: 'Checkout Repository' - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5 + uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0 diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index c8a94ca..e802405 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -36,7 +36,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 @@ -47,7 +47,7 @@ jobs: git branch git remote -v - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.12' diff --git a/.github/workflows/pytest-workflow.yml b/.github/workflows/pytest-workflow.yml index f01c82b..5086476 100644 --- a/.github/workflows/pytest-workflow.yml +++ b/.github/workflows/pytest-workflow.yml @@ -42,10 +42,10 @@ jobs: uploader.codecov.io:443 - name: Check out the commit - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ inputs.version }} 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4f1c084..a351f18 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,12 +27,12 @@ jobs: steps: - name: Setup | Install python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: '3.12' - name: Setup | Checkout Code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup | Install Dependencies run: | @@ -77,7 +77,7 @@ jobs: egress-policy: audit - name: Setup | Checkout Code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Action | Build Wheels uses: pypa/cibuildwheel@7940a4c0e76eb2030e473a5f864f291f63ee879b # v2.21.0 @@ -99,7 +99,7 @@ jobs: egress-policy: audit - name: Setup | Checkout Code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Optional, use if you use setuptools_scm submodules: true # Optional, use if you have submodules @@ -195,18 +195,10 @@ jobs: path: dist merge-multiple: true - - name: Setup | Download the standalone executable - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - pattern: sansmic-*-standalone-win_amd64 - path: dist - merge-multiple: true - - name: Action | Sign the dists with Sigstore uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 with: inputs: >- - ./dist/*.zip ./dist/*.tar.gz ./dist/*.whl 
@@ -230,3 +222,38 @@ jobs: gh release upload '${{ github.ref_name }}' dist/** --repo '${{ github.repository }}' + + release-standalone: + needs: + - github-release + - build_executable + name: >- + Sign the standalone with Sigstore and upload to GitHub Release + runs-on: ubuntu-latest + if: ${{ startsWith(github.ref, 'refs/tags/') && github.repository == 'sandialabs/sansmic' }} + steps: + - name: Setup | Download the standalone executable + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + pattern: sansmic-*-standalone-win_amd64 + path: dist/ + merge-multiple: false + + - name: Zip up dist directory + run: | + cd dist + zip ../sansmic-${{ env.sansmic_version }}-standalone-win_amd64.zip * + + - name: Action | Sign the dists with Sigstore + uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 + with: + inputs: >- + ./sansmic-${{ env.sansmic_version }}-standalone-win_amd64.zip + + - name: Action | Upload artifact signatures to GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + run: >- + gh release upload + '${{ github.ref_name }}' sansmic-${{ env.sansmic_version }}-standalone-win_amd64.zip + --repo '${{ github.repository }}' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index abf8fb7..55251ad 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -50,7 +50,7 @@ jobs: www.bestpractices.dev:443 - name: "Checkout code" - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml index ac882c6..53e3bbe 100644 --- a/.github/workflows/semantic-release.yml +++ b/.github/workflows/semantic-release.yml 
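Review bot: The last step of the new `release-standalone` job is named "Upload artifact signatures" but its `gh release upload` command lists only the zip, so, unless the signing action uploads it itself, the Sigstore bundle never reaches the release and users cannot verify the standalone download. Uploading `sansmic-${{ env.sansmic_version }}-standalone-win_amd64.zip*` would include whatever the action writes next to its input (the exact bundle suffix should be confirmed for the pinned v3.0.0). With `merge-multiple: false` the artifact is likely extracted into a subdirectory of `dist/`, and `zip` without `-r` stores only the directory entry, so the archive that gets signed may be empty; `zip -r ../sansmic-${{ env.sansmic_version }}-standalone-win_amd64.zip .` avoids that. The job also has no `permissions:` block, no harden-runner step and no visible definition of `sansmic_version`; unless the workflow sets these outside the hunk, signing needs `id-token: write` and the upload needs `contents: write`.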
@@ -26,7 +26,7 @@ jobs: egress-policy: audit - name: Setup | Checkout Repository at workflow sha - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 ref: ${{ github.sha }} diff --git a/.github/workflows/test-linux.yml b/.github/workflows/test-linux.yml index 2077ace..5190f1d 100644 --- a/.github/workflows/test-linux.yml +++ b/.github/workflows/test-linux.yml @@ -16,7 +16,7 @@ jobs: fail-fast: false matrix: version: ["3.9", "3.10", "3.11", "3.12"] - uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@951ebbd277e18b0a5b88a4e67535e262bc59f979 + uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@7952e59342a8c8d1c8ad833121049bac58277167 with: version: ${{ matrix.version }} os: ubuntu-latest diff --git a/.github/workflows/test-macOS_arm.yml b/.github/workflows/test-macOS_arm.yml index 93757f9..acd5f31 100644 --- a/.github/workflows/test-macOS_arm.yml +++ b/.github/workflows/test-macOS_arm.yml @@ -16,7 +16,7 @@ jobs: fail-fast: false matrix: version: ["3.9", "3.10", "3.11", "3.12"] - uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@951ebbd277e18b0a5b88a4e67535e262bc59f979 + uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@7952e59342a8c8d1c8ad833121049bac58277167 with: version: ${{ matrix.version }} os: macOS-latest diff --git a/.github/workflows/test-macOS_intel.yml b/.github/workflows/test-macOS_intel.yml index 18d987b..43a111a 100644 --- a/.github/workflows/test-macOS_intel.yml +++ b/.github/workflows/test-macOS_intel.yml @@ -16,7 +16,7 @@ jobs: fail-fast: false matrix: version: ["3.9", "3.10", "3.11", "3.12"] - uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@951ebbd277e18b0a5b88a4e67535e262bc59f979 + uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@7952e59342a8c8d1c8ad833121049bac58277167 with: version: ${{ matrix.version }} os: macOS-13 
diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml index b7a1843..3cba306 100644 --- a/.github/workflows/test-windows.yml +++ b/.github/workflows/test-windows.yml @@ -16,7 +16,7 @@ jobs: fail-fast: false matrix: version: ["3.9", "3.10", "3.11", "3.12"] - uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@951ebbd277e18b0a5b88a4e67535e262bc59f979 + uses: sandialabs/sansmic/.github/workflows/pytest-workflow.yml@7952e59342a8c8d1c8ad833121049bac58277167 with: version: ${{ matrix.version }} os: windows-latest diff --git a/pyproject.toml b/pyproject.toml index 8f321f5..a1293d8 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -98,10 +98,15 @@ match = "(main|master|staging)" prerelease_token = "rc" prerelease = false +[tool.semantic_release.branches.merge] +match = "[0-9]+/merge" +prerelease_token = "rc" +prerelease = false + [tool.semantic_release.changelog] template_dir = "templates" changelog_file = "CHANGELOG.md" -exclude_commit_patterns = ["build", "ci", "chore", "^Bump", "release"] +exclude_commit_patterns = ["build", "ci", "chore", "^Bump", "release", "^Merge branch"] [tool.semantic_release.changelog.environment] block_start_string = "{%"
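Review bot: The new `[tool.semantic_release.branches.merge]` group in pyproject.toml has no comment saying which refs `match = "[0-9]+/merge"` is meant for. The pattern looks like the ref name GitHub gives `pull_request` runs (`<number>/merge`), but this same commit moves continuous-release.yml to `pull_request_target`, where the ref is the base branch, so the group may no longer be reached; this is inferred, since how the release check resolves its branch is outside the hunk. I would add `# Matches GitHub's pull-request merge refs (e.g. "12/merge") so the release check can evaluate PR builds` above the table, or remove the group if it is unused.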