ci(release): make signing non-blocking and robust #20

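name: Release

# A release is cut by pushing a version-like tag (v1.2.3). Anyone who can
# push such a tag can trigger publishing to PyPI and the marketplaces, so
# tag creation should be restricted to release maintainers.
on:
  push:
    tags:
      - 'v*'

# Scope the automatic GITHUB_TOKEN explicitly instead of inheriting the
# repository default (which may be write-all). Attaching assets to the
# GitHub release is the only thing any job here uses the token for.
permissions:
  contents: write

jobs: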
pypi:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Pin build tools and set SOURCE_DATE_EPOCH
run: |
echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
python -m pip install -U pip
python -m pip install build==1.2.1 wheel==0.44.0 twine==5.1.1 cyclonedx-bom==4.4.0 hatchling==1.25.0
- name: Build package
working-directory: sup-lang
run: |
python -m build --no-isolation
- name: Check artifacts and generate SBOM & checksums
run: |
twine check sup-lang/dist/*
cyclonedx-py environment -o sbom.json
sha256sum sup-lang/dist/* > SHA256SUMS
- name: Publish to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_API_TOKEN }}
packages-dir: sup-lang/dist
skip-existing: true
- name: Sign artifacts (if secrets present)
continue-on-error: true
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
run: |
if [ -n "${GPG_PRIVATE_KEY}" ] && [ -n "${GPG_PASSPHRASE}" ]; then
printf "%s" "$GPG_PRIVATE_KEY" | gpg --batch --import || { echo "Invalid GPG_PRIVATE_KEY; skipping signing"; exit 0; }
for f in sup-lang/dist/*; do
gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --detach-sign --armor "$f" || echo "Sign failed for $f; continuing"
done
else
echo "GPG secrets not set; skipping signing."
fi
- name: Upload release artifacts
uses: softprops/action-gh-release@v2
with:
files: |
sup-lang/dist/*
sup-lang/dist/*.asc
SHA256SUMS
sbom.json
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
vsix:
runs-on: ubuntu-latest
needs: pypi
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
- name: Package VS Code extension
working-directory: sup-lang/vscode-extension
run: |
npm i -g @vscode/vsce ovsx
vsce package --no-yarn
- name: Upload VSIX to release
uses: softprops/action-gh-release@v2
with:
files: sup-lang/vscode-extension/*.vsix
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Publish to VS Code Marketplace
working-directory: sup-lang/vscode-extension
env:
VSCE_PAT: ${{ secrets.VSCE_PAT }}
run: |
VSIX=$(ls -t *.vsix | head -n1)
vsce publish --packagePath "$VSIX" -p "$VSCE_PAT"
- name: Publish to Open VSX
working-directory: sup-lang/vscode-extension
env:
OVSX_PAT: ${{ secrets.OVSX_PAT }}
run: |
VSIX=$(ls -t *.vsix | head -n1)
ovsx publish "$VSIX" -p "$OVSX_PAT"