Skip to content

Audit GHA workflows with zizmor (#1136) #3580

Audit GHA workflows with zizmor (#1136)

Audit GHA workflows with zizmor (#1136) #3580

Workflow file for this run

name: PyPI
on:
push:
branches:
- main
- auto-release
pull_request:
branches: [main]
release:
types: [published]
# Cancels all previous workflow runs for pull requests that have not completed.
concurrency:
# The concurrency group contains the workflow name and the branch name for pull requests
# or the commit hash for any other events.
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
jobs:
# The job to build precompiled pypi wheels.
make_sdist:
name: Make SDist
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true
persist-credentials: false
- name: Build SDist
run: pipx run build --sdist
- uses: actions/upload-artifact@v4
with:
name: sdist
path: dist/*.tar.gz
run_checks:
name: Build & inspect our package.
# Note: the resulting builds are not actually published.
# This is purely for additional testing and diagnostic purposes.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- uses: hynek/build-and-inspect-python-package@v2
build_wheels:
name: Build wheels for ${{ matrix.platform }}
runs-on: ${{ matrix.platform }}
strategy:
matrix:
platform:
- macos-12
- windows-2022
- ubuntu-20.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Build wheels
uses: pypa/[email protected]
- uses: actions/upload-artifact@v4
with:
name: wheels-${{ matrix.platform }}
path: ./wheelhouse/*.whl
build_universal_wheel:
name: Build universal wheel for Pyodide
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: pip install numpy versioneer wheel
- name: Build universal wheel
run: |
PYODIDE=1 python setup.py bdist_wheel --universal
- uses: actions/upload-artifact@v4
with:
name: universal_wheel
path: dist/*.whl
check_dist:
name: Check dist
needs: [make_sdist,build_wheels]
runs-on: ubuntu-22.04
steps:
- uses: actions/download-artifact@v4
with:
name: sdist
path: dist
- uses: actions/download-artifact@v4
with:
pattern: wheels-*
path: dist
merge-multiple: true
- name: Check SDist
run: |
mkdir -p test-sdist
cd test-sdist
python -m venv venv-sdist
venv-sdist/bin/python -m pip install ../dist/pytensor-*.tar.gz
# check import
venv-sdist/bin/python -c "import pytensor;print(pytensor.__version__)"
# check import cython module
venv-sdist/bin/python -c 'from pytensor.scan import scan_perform; print(scan_perform.get_version())'
- run: pipx run twine check --strict dist/*
upload_pypi:
name: Upload to PyPI on release
needs: [check_dist]
runs-on: ubuntu-latest
if: github.event_name == 'release' && github.event.action == 'published'
steps:
- uses: actions/download-artifact@v4
with:
name: sdist
path: dist
- uses: actions/download-artifact@v4
with:
pattern: wheels-*
path: dist
merge-multiple: true
- uses: actions/download-artifact@v4
with:
name: universal_wheel
path: dist
- uses: pypa/[email protected]
with:
user: __token__
password: ${{ secrets.pypi_password }}