pythonhere/.github/workflows/build-release.yml at master · b3b/pythonhere · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
on:
  push:
    tags:
      - "[0-9]*.[0-9]*.[0-9]*"

permissions:
  contents: write
  id-token: write
  attestations: write

env:
  BUILDOZER_BUILD_LOG: buildozer-build.log
  BUILDOZER_IMAGE: kivy/buildozer@sha256:fcfb08f4f7beecfdea10e23968c16933b935a2c820e012d8415f318cd8586aab
  RUST_TOOLCHAIN: 1.83.0

jobs:
  release:
    runs-on: ubuntu-22.04
    steps:
      - uses: "actions/checkout@v6"

      - name: Update version from tag
        run: |
          VERSION="${GITHUB_REF_NAME}"
          echo "Version is: ${VERSION}"
          [[ "${VERSION}" =~ ^[0-9]+[.][0-9]+[.][0-9]+$ ]]
          echo "__version__ = \"${VERSION}\"" > pythonhere/version_here.py

      - name: Set up Python
        uses: "actions/setup-python@v6"
        with:
          python-version: "3.10"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install build twine
      - name: Build package
        run: python -m build --sdist --wheel
      - name: List result
        run: ls -l dist
      - name: Check distribution
        run: python -m twine check dist/*

      - name: Extract release notes from changelog
        run: |
          python scripts/release/extract-changelog-section.py "${GITHUB_REF_NAME}"
          cat release-notes.rst

      - name: Prepare Android release signing key
        env:
          ANDROID_RELEASE_KEYSTORE_BASE64: ${{ secrets.ANDROID_RELEASE_KEYSTORE_BASE64 }}
          P4A_RELEASE_KEYSTORE_PASSWD: ${{ secrets.P4A_RELEASE_KEYSTORE_PASSWD }}
          P4A_RELEASE_KEYALIAS: ${{ secrets.P4A_RELEASE_KEYALIAS }}
          P4A_RELEASE_KEYALIAS_PASSWD: ${{ secrets.P4A_RELEASE_KEYALIAS_PASSWD }}
        run: |
          test -n "${ANDROID_RELEASE_KEYSTORE_BASE64}"
          test -n "${P4A_RELEASE_KEYSTORE_PASSWD}"
          test -n "${P4A_RELEASE_KEYALIAS}"
          test -n "${P4A_RELEASE_KEYALIAS_PASSWD}"
          mkdir -p .release-signing/android
          printf '%s' "${ANDROID_RELEASE_KEYSTORE_BASE64}" | base64 --decode > .release-signing/android/pythonhere-release.keystore
          chmod 600 .release-signing/android/pythonhere-release.keystore

      - name: Prepare Buildozer release spec
        run: |
          grep -qx 'title = PythonHereDev' buildozer.spec
          sed -i 's/^title = PythonHereDev$/title = PythonHere/' buildozer.spec
          sed -n '1,8p' buildozer.spec

      - name: Install Rust
        run: |
          rustup toolchain install "$RUST_TOOLCHAIN" --profile minimal
          rustup default "$RUST_TOOLCHAIN"
          rustc --version
          cargo --version

      - name: Build Android release APK with Buildozer Docker image
        shell: bash
        env:
          P4A_RELEASE_KEYSTORE: /home/user/hostcwd/.release-signing/android/pythonhere-release.keystore
          P4A_RELEASE_KEYSTORE_PASSWD: ${{ secrets.P4A_RELEASE_KEYSTORE_PASSWD }}
          P4A_RELEASE_KEYALIAS: ${{ secrets.P4A_RELEASE_KEYALIAS }}
          P4A_RELEASE_KEYALIAS_PASSWD: ${{ secrets.P4A_RELEASE_KEYALIAS_PASSWD }}
        run: |
          set -o pipefail
          mkdir -p .buildozer bin
          sudo chown -R 1000:1000 .buildozer bin

          docker run --rm \
            -e RUSTUP_HOME=/home/user/.rustup \
            -e CARGO_HOME=/home/user/.cargo \
            -e PATH=/home/user/.cargo/bin:/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
            -e P4A_RELEASE_KEYSTORE="${P4A_RELEASE_KEYSTORE}" \
            -e P4A_RELEASE_KEYSTORE_PASSWD="${P4A_RELEASE_KEYSTORE_PASSWD}" \
            -e P4A_RELEASE_KEYALIAS="${P4A_RELEASE_KEYALIAS}" \
            -e P4A_RELEASE_KEYALIAS_PASSWD="${P4A_RELEASE_KEYALIAS_PASSWD}" \
            -v "$PWD":/home/user/hostcwd \
            -v "$HOME/.rustup":/home/user/.rustup \
            -v "$HOME/.cargo":/home/user/.cargo \
            -w /home/user/hostcwd \
            "$BUILDOZER_IMAGE" \
            android release 2>&1 | tee "$BUILDOZER_BUILD_LOG"

      - name: Prepare APK release assets
        id: apk
        run: |
          apk_name="pythonhere-${GITHUB_REF_NAME}-arm64-v8a-release.apk"
          apk="$(find bin -name '*.apk' -type f | head -n 1)"

          if [[ -z "$apk" ]]; then
            echo "::error::No APK found"
            exit 1
          fi

          sudo ls -l "$apk"
          sudo cp "$apk" "${apk_name}"
          sudo chown "$(id -u):$(id -g)" "${apk_name}"
          sha256sum "${apk_name}" > "${apk_name}.sha256"
          echo "filename=${apk_name}" >> "$GITHUB_OUTPUT"
          echo "sha256=${apk_name}.sha256" >> "$GITHUB_OUTPUT"
          ls -lh "${apk_name}" "${apk_name}.sha256"
          cat "${apk_name}.sha256"

      - name: Generate APK provenance attestation
        uses: actions/attest@v4
        with:
          subject-path: |
            ${{ steps.apk.outputs.filename }}
            ${{ steps.apk.outputs.sha256 }}

      - name: Create draft GitHub Release
        id: create_release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          if ! release_json="$(gh api "/repos/${GITHUB_REPOSITORY}/releases/tags/${GITHUB_REF_NAME}" 2>/dev/null)"; then
            release_json="$(
              gh api \
                --method POST \
                "/repos/${GITHUB_REPOSITORY}/releases" \
                -f tag_name="${GITHUB_REF_NAME}" \
                -f name="Release ${GITHUB_REF_NAME}" \
                -F body=@release-notes.rst \
                -F draft=true
            )"
          else
            gh api \
              --method PATCH \
              "/repos/${GITHUB_REPOSITORY}/releases/$(printf '%s' "${release_json}" | python -c 'import json, sys; print(json.load(sys.stdin)["id"])')" \
              -F body=@release-notes.rst \
              >/dev/null
          fi
          release_id="$(printf '%s' "${release_json}" | python -c 'import json, sys; print(json.load(sys.stdin)["id"])')"
          echo "release_id=${release_id}" >> "$GITHUB_OUTPUT"

      - name: Upload APK to draft GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APK_FILE: ${{ steps.apk.outputs.filename }}
          APK_SHA256_FILE: ${{ steps.apk.outputs.sha256 }}
        run: |
          gh release upload "${GITHUB_REF_NAME}" "${APK_FILE}" "${APK_SHA256_FILE}" --clobber

      - name: Upload package to PyPI
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: twine upload --skip-existing dist/*

      - name: Publish GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_ID: ${{ steps.create_release.outputs.release_id }}
        run: |
          gh api \
            --method PATCH \
            "/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}" \
            -F draft=false

      - name: Upload Buildozer build log
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: buildozer-build-log
          path: ${{ env.BUILDOZER_BUILD_LOG }}
          if-no-files-found: ignore
          retention-days: 8