ci: use container and tagged actions

nikaro · Sep 22, 2024 · c95a976 · c95a976
1 parent 8167c6e
commit c95a976
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 129 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -18,53 +18,39 @@ jobs:
     name: Release
     needs: [ci]
     runs-on: ubuntu-latest
+    container: ghcr.io/nikaro/gha:latest
     permissions:
       contents: write
       id-token: write
     environment: release
     steps:
       - name: Checkout
-        env:
-          BRANCH: ${{ github.head_ref || github.ref_name }}
-          GH_TOKEN: ${{ github.token }}
-        run: |-
-          gh repo clone ${{ github.repository }} ${{ github.workspace }} -- --branch "$BRANCH"
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
-      - name: Install tools
-        run: |
-          echo "/home/linuxbrew/.linuxbrew/bin" >> "$GITHUB_PATH"
-          /home/linuxbrew/.linuxbrew/bin/brew install \
-            commitizen \
-            go-task \
-            uv \
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v3
 
       - name: Bump
-        run: |-
-          echo "PREVIOUS_REVISION=$(cz version --project)" >>"$GITHUB_ENV"
-          task bump --yes
-          echo "REVISION=$(cz version --project)" >>"$GITHUB_ENV"
-
-      - name: Push tags
-        if: env.PREVIOUS_REVISION != env.REVISION
-        env:
-          BRANCH: ${{ github.head_ref || github.ref_name }}
-          REMOTE_REPO: https://${{ github.actor }}:${{ github.token }}@github.com/${{ github.repository }}.git
-        run: git push "$REMOTE_REPO" "HEAD:${BRANCH}" --tags
+        uses: commitizen-tools/commitizen-action@0.21.0
+        with:
+          changelog_increment_filename: _changelog.md
+          github_token: ${{ github.token }}
+          no_raise: 3,21
 
       - name: Build package
         if: env.PREVIOUS_REVISION != env.REVISION
         run: task build --yes
 
       - name: Release
         if: env.PREVIOUS_REVISION != env.REVISION
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: task release --yes
+        uses: softprops/action-gh-release@v2
+        with:
+          body_path: _changelog.md
+          name: ${{ env.REVISION }}
+          files: ./dist/*
 
       - name: Publish package to PyPI
         if: env.PREVIOUS_REVISION != env.REVISION
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          skip-existing: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,73 +15,67 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    container: ghcr.io/nikaro/gha:latest
     permissions:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@main
+        uses: actions/checkout@v4
 
-      - name: Install tools
-        run: |
-          echo "/home/linuxbrew/.linuxbrew/bin" >> "$GITHUB_PATH"
-          /home/linuxbrew/.linuxbrew/bin/brew install \
-            actionlint \
-            check-jsonschema \
-            fd \
-            go-task \
-            jq \
-            prettier \
-            shellcheck \
-            shfmt \
-            uv \
-            yamlfmt \
-            yamllint \
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v3
 
       - name: Lint
         run: task lint --yes
 
   test:
     name: Test
     runs-on: ubuntu-latest
+    container: ghcr.io/nikaro/gha:latest
     permissions:
       contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@main
 
-      - name: Install tools
-        run: |
-          echo "$(pwd)/.venv/bin" >> "$GITHUB_PATH"
-          echo "/home/linuxbrew/.linuxbrew/bin" >> "$GITHUB_PATH"
-          /home/linuxbrew/.linuxbrew/bin/brew install \
-            go-task \
-            uv \
-
-      - name: Install dependencies
-        run: task sync --yes
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v3
 
       - name: Test
         run: task test --yes
 
-      - name: Build
-        run: task build --yes
-
       - name: Upload results to Codecov
-        uses: codecov/codecov-action@main
+        uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
       - name: Upload test results to Codecov
         if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@main
+        uses: codecov/test-results-action@v1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    container: ghcr.io/nikaro/gha:latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@main
+
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v3
+
+      - name: Build
+        run: task build --yes
+
   check:
     name: Check
     permissions: {}
     runs-on: ubuntu-latest
-    needs: [lint, test]
+    needs: [lint, test, build]
     if: always()
     steps:
       - name: Ensure no jobs failed

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -32,32 +32,28 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
+    container: ghcr.io/nikaro/gha:latest
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
       - name: Checkout
-        env:
-          BRANCH: ${{ github.head_ref || github.ref_name }}
-          GH_TOKEN: ${{ github.token }}
-        run: |-
-          gh repo clone ${{ github.repository }} ${{ github.workspace }} -- --branch "$BRANCH"
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-      - name: Install tools
-        run: |
-          echo "/home/linuxbrew/.linuxbrew/bin" >> "$GITHUB_PATH"
-          /home/linuxbrew/.linuxbrew/bin/brew install \
-            go-task \
-            uv \
+        uses: actions/checkout@main
+
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v3
+
       - name: Build package
         run: task gendoc --yes
+
       - name: Setup Pages
-        uses: actions/configure-pages@main
+        uses: actions/configure-pages@v5
+
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@main
+        uses: actions/upload-pages-artifact@v3
         with:
           path: './site'
+
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@main
+        uses: actions/deploy-pages@v4
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -90,17 +90,6 @@ tasks:
       - ./tests/**/*.py
     cmd: uv run pytest --cov-report=term-missing --cov-report=html --junitxml=junit.xml --override-ini='junit_family=legacy' --cov=sopsy ./tests/
 
-  bump:
-    desc: Bump version
-    vars:
-      RC_IGNORE: 3,21
-    status:
-      - test -f ./_changelog.md
-      - git show --name-only | grep -q CHANGELOG.md
-    preconditions:
-      - cz --no-raise {{.RC_IGNORE}} bump --dry-run --check-consistency --changelog --changelog-to-stdout
-    cmd: cz --no-raise {{.RC_IGNORE}} bump --changelog --changelog-to-stdout > ./_changelog.md
-
   build:
     desc: Build project
     deps: [sync]
@@ -114,46 +103,6 @@ tasks:
       - ./dist/*.tar.gz
     cmd: uv build
 
-  release:
-    desc: Publish GitHub release
-    deps: [bump, build]
-    env:
-      LATEST_RELEASE:
-        sh: gh release list --limit 1 --json tagName --jq '.[].tagName'
-      REVISION:
-        sh: echo ${REVISION:-$(git describe --tags --abbrev=0)}
-    status:
-      - test "$LATEST_RELEASE" = "$REVISION"
-    preconditions:
-      - test -n "$GH_TOKEN"
-      - test -n "$REVISION"
-    cmds:
-      - gh release create --notes-file ./_changelog.md --verify-tag "$REVISION" ./dist/*
-      - defer: rm -rf ./_changelog.md
-
-  publish:
-    desc: Upload package on PyPI
-    deps: [build]
-    env:
-      PGP_ID:
-        sh: echo ${PGP_ID:-47F86D99}
-      PYPI_USER:
-        sh: echo ${PYPI_USER:-nka}
-    preconditions:
-      - test -n "$PGP_ID"
-      - test -n "$PYPI_USER"
-      - test -n "$PYPI_TOKEN"
-    sources:
-      - ./dist/*.whl
-      - ./dist/*.tar.gz
-    cmd: |-
-      twine upload \
-        --username "$PYPI_USER "\
-        --password "$PYPI_TOKEN" \
-        --sign --identity "$PGP_ID" \
-        --skip-existing \
-        --non-interactive
-
   gendoc:
     desc: Generate documentation
     deps: [test]