tauri-plugin-python/.github/workflows/release.yml at main · marcomq/tauri-plugin-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: Release

on:
  push:
    tags:
      - 'v*'
  # Manual "Run workflow" button to (re)publish the current version
  # without pushing a new tag or bumping the version.
  workflow_dispatch:

env:
  CARGO_TERM_COLOR: always

jobs:
  release:
    name: Release
    runs-on: ubuntu-22.04
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4

      - uses: dtolnay/rust-toolchain@stable

      - uses: Swatinem/rust-cache@v2

      - name: install dependencies (ubuntu)
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf

      # PyO3 (default backend) embeds CPython, so a Python interpreter must be
      # available to build & run the verification build / tests.
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      - name: build release
        run: cargo build --release --all-targets

      - name: test
        run: cargo test --release

      # Only create a GitHub Release for real tag pushes, not manual re-runs.
      - name: Create GitHub Release
        if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  publish-crates-io:
    name: Publish to crates.io
    runs-on: ubuntu-22.04
    needs: release
    environment: release
    permissions:
      # Required for crates.io Trusted Publishing (OIDC).
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: dtolnay/rust-toolchain@stable

      - uses: Swatinem/rust-cache@v2

      - name: install dependencies (ubuntu)
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf

      # cargo publish runs a verification build; PyO3 needs a Python interpreter.
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      # Exchange the GitHub OIDC token for a short-lived crates.io token.
      # Sets CARGO_REGISTRY_TOKEN in the environment for subsequent steps.
      - name: Authenticate to crates.io (Trusted Publishing)
        uses: rust-lang/crates-io-auth-action@v1
        id: auth

      # Skip if this version is already on crates.io so re-running the
      # workflow (or moving the tag) doesn't fail on a duplicate publish.
      - name: Publish to crates.io
        run: |
          NAME=$(cargo metadata --no-deps --format-version=1 | python3 -c "import json,sys; print(json.load(sys.stdin)['packages'][0]['name'])")
          VERSION=$(cargo metadata --no-deps --format-version=1 | python3 -c "import json,sys; print(json.load(sys.stdin)['packages'][0]['version'])")
          if curl -sf "https://crates.io/api/v1/crates/$NAME/$VERSION" > /dev/null; then
            echo "crates.io already has $NAME@$VERSION — skipping publish."
          else
            cargo publish
          fi
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

  publish-npm:
    name: Publish to npm
    runs-on: ubuntu-22.04
    needs: release
    environment: release
    permissions:
      # Required for npm Trusted Publishing (OIDC): GitHub mints a short-lived
      # identity token that npm verifies — no NPM_TOKEN/OTP needed.
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
          registry-url: 'https://registry.npmjs.org'

      # Trusted Publishing (OIDC) requires npm >= 11.5.1; the version bundled
      # with the LTS Node release is older.
      - name: Upgrade npm
        run: npm install -g npm@latest

      - name: install dependencies
        run: pnpm install

      # npm publish runs `prepublishOnly` (pnpm build) to produce dist-js/.
      # Use the npm CLI (not pnpm) so OIDC trusted publishing is used.
      # Skip if this version is already on npm so re-running doesn't fail
      # on a duplicate publish.
      - name: Publish to npm
        run: |
          NAME=$(node -p "require('./package.json').name")
          VERSION=$(node -p "require('./package.json').version")
          if [ -n "$(npm view "$NAME@$VERSION" version 2>/dev/null)" ]; then
            echo "npm already has $NAME@$VERSION — skipping publish."
          else
            npm publish --access public
          fi