From 66fc8df1b2ab5e0c4b8dc34da7f67aff0ac08294 Mon Sep 17 00:00:00 2001 From: Jens Troeger Date: Mon, 7 Apr 2025 22:07:13 +1000 Subject: [PATCH 1/3] fix(ci): make unique and improve Github workflow job ids to make it easier to reference them from Github settings Refs: a4da94f0f1fd7a5d3b15b9d58a8fe5589159f5f4 --- .github/workflows/_build.yaml | 4 +-- .github/workflows/_generate-rebase.yaml | 2 +- .github/workflows/_release-notifications.yaml | 2 +- .github/workflows/codeql-analysis.yaml | 4 +-- .github/workflows/dependabot-automerge.yaml | 2 +- .github/workflows/pr-change-set.yaml | 2 +- .../workflows/pr-conventional-commits.yaml | 2 +- .github/workflows/release.yaml | 32 +++++++++---------- .github/workflows/scorecards-analysis.yaml | 2 +- .github/workflows/sync-with-upstream.yaml | 2 +- 10 files changed, 27 insertions(+), 27 deletions(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index 39bbbaae..6684072b 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -29,7 +29,7 @@ on: description: Enable or disable running pip_audit to check installed packages for vulnerabilities outputs: artifacts-sha256: - value: ${{ jobs.build.outputs.artifacts-sha256 }} + value: ${{ jobs.build-package.outputs.artifacts-sha256 }} description: The hash of the artifacts permissions: contents: read @@ -38,7 +38,7 @@ env: ARTIFACT_PYTHON: '3.13' # The default Python version for release. jobs: - build: + build-package: # Uncomment the following to disable checks and tests for Draft pull requests. # if: github.event.pull_request.draft == false outputs: diff --git a/.github/workflows/_generate-rebase.yaml b/.github/workflows/_generate-rebase.yaml index 19a68c08..240e9061 100644 --- a/.github/workflows/_generate-rebase.yaml +++ b/.github/workflows/_generate-rebase.yaml @@ -29,7 +29,7 @@ permissions: contents: read jobs: - rebase: + rebase-branch: runs-on: ubuntu-latest steps: 
diff --git a/.github/workflows/_release-notifications.yaml b/.github/workflows/_release-notifications.yaml index 62b13355..00acfa24 100644 --- a/.github/workflows/_release-notifications.yaml +++ b/.github/workflows/_release-notifications.yaml @@ -25,7 +25,7 @@ on: permissions: {} jobs: - slack: + release-notification-slack: name: Slack release notification runs-on: ubuntu-latest steps: diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index 36a31dcf..55af2ca7 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -1,7 +1,7 @@ # Run CodeQL over the package. For more configuration options see codeql/codeql-config.yaml # and: https://github.com/github/codeql-action -name: CodeQL +name: Analyze repository using CodeQL on: push: branches: @@ -20,7 +20,7 @@ permissions: contents: read jobs: - analyze: + analyze-codeql: name: Analyze runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index a5a64613..e2c5cdd4 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml @@ -10,7 +10,7 @@ permissions: pull-requests: write jobs: - comment: + merge-dependabot-pr: if: ${{ github.event.review.state == 'approved' && github.event.pull_request.user.login == 'dependabot[bot]' }} runs-on: ubuntu-latest steps: diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml index 8c09ad72..c8bbd6e4 100644 --- a/.github/workflows/pr-change-set.yaml +++ b/.github/workflows/pr-change-set.yaml @@ -15,7 +15,7 @@ permissions: contents: read jobs: - build: + pr-build-package: uses: ./.github/workflows/_build.yaml permissions: contents: read diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml index 811bc182..c94eef81 100644 --- a/.github/workflows/pr-conventional-commits.yaml 
+++ b/.github/workflows/pr-conventional-commits.yaml @@ -17,7 +17,7 @@ permissions: contents: read jobs: - conventional-commits: + pr-check-conventional-commits: runs-on: ubuntu-latest steps: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0d4a1dbe..d36ab8ca 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -11,7 +11,7 @@ permissions: contents: read jobs: - check: + release-check: if: ${{ !startsWith(github.event.commits[0].message, 'bump:') }} uses: ./.github/workflows/_build.yaml permissions: @@ -21,8 +21,8 @@ jobs: # On pushes to the 'release' branch create a new release by bumping the version # and generating a change log. That's the new bump commit and associated tag. - bump: - needs: check + release-bump: + needs: [release-check] if: github.ref == 'refs/heads/release' runs-on: ubuntu-latest permissions: @@ -76,7 +76,7 @@ jobs: git push --tags # When triggered by the version bump commit, build the package and publish the release artifacts. - build: + release-build: if: github.ref == 'refs/heads/release' && startsWith(github.event.commits[0].message, 'bump:') uses: ./.github/workflows/_build.yaml permissions: @@ -87,7 +87,7 @@ jobs: # Create a new Release on Github from the verified build artifacts, and optionally # publish the artifacts to a PyPI server. release: - needs: [build] + needs: [release-build] name: Release outputs: release-tag: ${{ steps.upload-assets.outputs.release-tag }} @@ -118,7 +118,7 @@ jobs: # against the hashes computed by the build job. - name: Verify the artifact hash env: - ARTIFACT_HASH: ${{ needs.build.outputs.artifacts-sha256 }} + ARTIFACT_HASH: ${{ needs.release-build.outputs.artifacts-sha256 }} run: | set -euo pipefail echo "Hash of package should be $ARTIFACT_HASH." 
@@ -175,11 +175,11 @@ jobs: # provenance generator which depends on an external service Rekor (https://github.com/sigstore/rekor) # we build this generator from source for now. For more information see this discussion: # https://github.com/slsa-framework/slsa-github-generator/issues/942 - provenance: - needs: [build, release] + release-provenance: + needs: [release-build, release] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: - base64-subjects: ${{ needs.build.outputs.artifacts-sha256 }} + base64-subjects: ${{ needs.release-build.outputs.artifacts-sha256 }} compile-generator: false # Do not build the provenance generator from source anymore. # Set private-repository to true for private repositories. Note that the repository name is # uploaded as part of the transparency log entry on the public Rekor instance (rekor.sigstore.dev). @@ -190,8 +190,8 @@ jobs: contents: write # To add assets to a release. # Publish the SLSA provenance as the GitHub release asset. - publish_provenance: - needs: [release, provenance] + release-publish_provenance: + needs: [release, release-provenance] name: Publish provenance runs-on: ubuntu-latest permissions: 
@@ -212,16 +212,16 @@ jobs: - name: Download provenance uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: - name: ${{ needs.provenance.outputs.provenance-name }} + name: ${{ needs.release-provenance.outputs.provenance-name }} - name: Upload provenance - run: gh release upload ${{ needs.release.outputs.release-tag }} ${{ needs.provenance.outputs.provenance-name }} + run: gh release upload ${{ needs.release.outputs.release-tag }} ${{ needs.release-provenance.outputs.provenance-name }} env: GH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }} # Send out release notifications after the Release was published on GitHub. # Uncomment the `if` to disable sending release notifications. - notifications: + release-notifications: # if: ${{ false }} needs: [release] name: Send Release notifications @@ -237,7 +237,7 @@ jobs: # Publish the generated Markdown documentation to the repository's Wiki. # Uncomment the `if` to disable generating Wiki documentation. - wiki: + release-wiki: # if: ${{ false }} needs: [release] name: Publish Github Wiki documentation @@ -259,7 +259,7 @@ jobs: # After the bump commit was pushed to the release branch, rebase the main branch # (to_head argument) on top of the new release branch (from_base argument), to keep # the histories of both branches in sync. - rebase_main: + release-rebase-main: # if: ${{ false }} needs: [release] name: Rebase main branch on release diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index 767cf52c..e081db52 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -13,7 +13,7 @@ on: permissions: read-all jobs: - analysis: + analyze-scorecard: name: Scorecards analysis runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/sync-with-upstream.yaml b/.github/workflows/sync-with-upstream.yaml index 8b29d998..7b83b9cf 100644 --- a/.github/workflows/sync-with-upstream.yaml 
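Review bot: The rewritten `run: gh release upload ${{ needs.release.outputs.release-tag }} ${{ needs.provenance.outputs.provenance-name }}` line in the "Upload provenance" step still splices two job outputs straight into the shell command; since the line is being rewritten anyway, the outputs should go through the step's existing `env:` block and be referenced as quoted shell variables, which is what workflow linters ask for on `run:` lines containing `${{ }}`. Both values are produced inside this workflow (the tag by the upload-assets step, the name by the SLSA generator), so the exposure is limited, but an env indirection removes the pattern without changing behaviour. Concretely, under `env:` add `RELEASE_TAG: ${{ needs.release.outputs.release-tag }}` and `PROVENANCE_NAME: ${{ needs.provenance.outputs.provenance-name }}`, and make the step `run: gh release upload "$RELEASE_TAG" "$PROVENANCE_NAME"`. The same line is rewritten once more in PATCH 2/3 (hunk @@ -212,41 +212,41 @@ of release.yaml) with the final job ids `release-package` and `generate-provenance`, which is where the change is best applied.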
+++ b/.github/workflows/sync-with-upstream.yaml @@ -12,7 +12,7 @@ permissions: contents: read jobs: - sync: + sync-with-upstream: if: github.repository != 'jenstroeger/python-package-template' runs-on: ubuntu-latest permissions: From ff49d27621b31ffa9c2ccf1a201891b29ae16241 Mon Sep 17 00:00:00 2001 From: Jens Troeger Date: Mon, 14 Apr 2025 15:32:07 +1000 Subject: [PATCH 2/3] chore: rename job ids to actionable names/verbs --- .github/workflows/_build.yaml | 4 +- .github/workflows/_release-notifications.yaml | 2 +- .github/workflows/pr-change-set.yaml | 2 +- .../workflows/pr-conventional-commits.yaml | 2 +- .github/workflows/release.yaml | 48 +++++++++---------- 5 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index 6684072b..5fef7044 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -29,7 +29,7 @@ on: description: Enable or disable running pip_audit to check installed packages for vulnerabilities outputs: artifacts-sha256: - value: ${{ jobs.build-package.outputs.artifacts-sha256 }} + value: ${{ jobs.check-and-build-package.outputs.artifacts-sha256 }} description: The hash of the artifacts permissions: contents: read @@ -38,7 +38,7 @@ env: ARTIFACT_PYTHON: '3.13' # The default Python version for release. jobs: - build-package: + check-and-build-package: # Uncomment the following to disable checks and tests for Draft pull requests. # if: github.event.pull_request.draft == false outputs: diff --git a/.github/workflows/_release-notifications.yaml b/.github/workflows/_release-notifications.yaml index 00acfa24..f7608d6d 100644 --- a/.github/workflows/_release-notifications.yaml +++ b/.github/workflows/_release-notifications.yaml @@ -25,7 +25,7 @@ on: permissions: {} jobs: - release-notification-slack: + send-release-notification-slack: name: Slack release notification runs-on: ubuntu-latest steps: 
diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml index c8bbd6e4..c0998431 100644 --- a/.github/workflows/pr-change-set.yaml +++ b/.github/workflows/pr-change-set.yaml @@ -15,7 +15,7 @@ permissions: contents: read jobs: - pr-build-package: + build-package: uses: ./.github/workflows/_build.yaml permissions: contents: read diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml index c94eef81..28bc6e70 100644 --- a/.github/workflows/pr-conventional-commits.yaml +++ b/.github/workflows/pr-conventional-commits.yaml @@ -17,7 +17,7 @@ permissions: contents: read jobs: - pr-check-conventional-commits: + check-conventional-commits: runs-on: ubuntu-latest steps: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d36ab8ca..51c18f9a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -11,7 +11,7 @@ permissions: contents: read jobs: - release-check: + check-package-for-release: if: ${{ !startsWith(github.event.commits[0].message, 'bump:') }} uses: ./.github/workflows/_build.yaml permissions: @@ -21,8 +21,8 @@ jobs: # On pushes to the 'release' branch create a new release by bumping the version # and generating a change log. That's the new bump commit and associated tag. - release-bump: - needs: [release-check] + bump-package-version: + needs: [check-package-for-release] if: github.ref == 'refs/heads/release' runs-on: ubuntu-latest permissions: @@ -76,7 +76,7 @@ jobs: git push --tags # When triggered by the version bump commit, build the package and publish the release artifacts. - release-build: + build-package-for-release: if: github.ref == 'refs/heads/release' && startsWith(github.event.commits[0].message, 'bump:') uses: ./.github/workflows/_build.yaml permissions: 
@@ -86,8 +86,8 @@ jobs: # Create a new Release on Github from the verified build artifacts, and optionally # publish the artifacts to a PyPI server. - release: - needs: [release-build] + release-package: + needs: [build-package-for-release] name: Release outputs: release-tag: ${{ steps.upload-assets.outputs.release-tag }} @@ -118,7 +118,7 @@ jobs: # against the hashes computed by the build job. - name: Verify the artifact hash env: - ARTIFACT_HASH: ${{ needs.release-build.outputs.artifacts-sha256 }} + ARTIFACT_HASH: ${{ needs.build-package-for-release.outputs.artifacts-sha256 }} run: | set -euo pipefail echo "Hash of package should be $ARTIFACT_HASH." @@ -175,11 +175,11 @@ jobs: # provenance generator which depends on an external service Rekor (https://github.com/sigstore/rekor) # we build this generator from source for now. For more information see this discussion: # https://github.com/slsa-framework/slsa-github-generator/issues/942 - release-provenance: - needs: [release-build, release] + generate-provenance: + needs: [build-package-for-release, release-package] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: - base64-subjects: ${{ needs.release-build.outputs.artifacts-sha256 }} + base64-subjects: ${{ needs.build-package-for-release.outputs.artifacts-sha256 }} compile-generator: false # Do not build the provenance generator from source anymore. # Set private-repository to true for private repositories. Note that the repository name is # uploaded as part of the transparency log entry on the public Rekor instance (rekor.sigstore.dev). @@ -190,8 +190,8 @@ jobs: contents: write # To add assets to a release. # Publish the SLSA provenance as the GitHub release asset. - release-publish_provenance: - needs: [release, release-provenance] + release-provenance: + needs: [release-package, generate-provenance] name: Publish provenance runs-on: ubuntu-latest permissions: 
@@ -212,41 +212,41 @@ jobs: - name: Download provenance uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: - name: ${{ needs.release-provenance.outputs.provenance-name }} + name: ${{ needs.generate-provenance.outputs.provenance-name }} - name: Upload provenance - run: gh release upload ${{ needs.release.outputs.release-tag }} ${{ needs.release-provenance.outputs.provenance-name }} + run: gh release upload ${{ needs.release-package.outputs.release-tag }} ${{ needs.generate-provenance.outputs.provenance-name }} env: GH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }} # Send out release notifications after the Release was published on GitHub. # Uncomment the `if` to disable sending release notifications. - release-notifications: + send-release-notifications: # if: ${{ false }} - needs: [release] + needs: [release-package] name: Send Release notifications uses: ./.github/workflows/_release-notifications.yaml permissions: contents: read with: repo-name: ${{ github.event.repository.name }} - release-tag: ${{ needs.release.outputs.release-tag }} - release-url: ${{ needs.release.outputs.release-url }} + release-tag: ${{ needs.release-package.outputs.release-tag }} + release-url: ${{ needs.release-package.outputs.release-url }} secrets: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} # Publish the generated Markdown documentation to the repository's Wiki. # Uncomment the `if` to disable generating Wiki documentation. 
- release-wiki: + publish-wiki: # if: ${{ false }} - needs: [release] + needs: [release-package] name: Publish Github Wiki documentation uses: ./.github/workflows/_wiki-documentation.yaml permissions: contents: read with: - release-tag: ${{ needs.release.outputs.release-tag }} - release-url: ${{ needs.release.outputs.release-url }} + release-tag: ${{ needs.release-package.outputs.release-tag }} + release-url: ${{ needs.release-package.outputs.release-url }} # Github disallows passing environment variables as arguments to a reusable # workflow, so we have to duplicate these values here. Related discussion # here: https://github.com/actions/toolkit/issues/931 @@ -259,9 +259,9 @@ jobs: # After the bump commit was pushed to the release branch, rebase the main branch # (to_head argument) on top of the new release branch (from_base argument), to keep # the histories of both branches in sync. - release-rebase-main: + rebase-main-branch: # if: ${{ false }} - needs: [release] + needs: [release-package] name: Rebase main branch on release uses: ./.github/workflows/_generate-rebase.yaml permissions: From 2adc4d51b0cf429e08f8735255b452511930ec6d Mon Sep 17 00:00:00 2001 From: Jens Troeger Date: Sat, 14 Jun 2025 22:36:00 +0100 Subject: [PATCH 3/3] chore: incorporate PR feedback --- .github/workflows/pr-change-set.yaml | 2 +- .github/workflows/release.yaml | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml index c0998431..fbb5f18f 100644 --- a/.github/workflows/pr-change-set.yaml +++ b/.github/workflows/pr-change-set.yaml @@ -15,7 +15,7 @@ permissions: contents: read jobs: - build-package: + check-and-build-package: uses: ./.github/workflows/_build.yaml permissions: contents: read diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 51c18f9a..c7d60ba3 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -11,7 +11,7 @@ permissions: contents: read jobs: - check-package-for-release: + check-and-build-package: if: ${{ !startsWith(github.event.commits[0].message, 'bump:') }} uses: ./.github/workflows/_build.yaml permissions: @@ -22,7 +22,7 @@ jobs: # On pushes to the 'release' branch create a new release by bumping the version # and generating a change log. That's the new bump commit and associated tag. bump-package-version: - needs: [check-package-for-release] + needs: [check-and-build-package] if: github.ref == 'refs/heads/release' runs-on: ubuntu-latest permissions: @@ -76,7 +76,7 @@ jobs: git push --tags # When triggered by the version bump commit, build the package and publish the release artifacts. - build-package-for-release: + check-and-build-package-for-release: if: github.ref == 'refs/heads/release' && startsWith(github.event.commits[0].message, 'bump:') uses: ./.github/workflows/_build.yaml permissions: @@ -87,7 +87,7 @@ jobs: # Create a new Release on Github from the verified build artifacts, and optionally # publish the artifacts to a PyPI server. release-package: - needs: [build-package-for-release] + needs: [check-and-build-package-for-release] name: Release outputs: release-tag: ${{ steps.upload-assets.outputs.release-tag }} @@ -118,7 +118,7 @@ jobs: # against the hashes computed by the build job. - name: Verify the artifact hash env: - ARTIFACT_HASH: ${{ needs.build-package-for-release.outputs.artifacts-sha256 }} + ARTIFACT_HASH: ${{ needs.check-and-build-package-for-release.outputs.artifacts-sha256 }} run: | set -euo pipefail echo "Hash of package should be $ARTIFACT_HASH." 
@@ -171,15 +171,15 @@ jobs: # TWINE_REPOSITORY_URL= # Generate the build provenance. The generator should be referenced with a semantic version. - # The build will fail if we reference it using the commit SHA. To avoid using a pre-built - # provenance generator which depends on an external service Rekor (https://github.com/sigstore/rekor) - # we build this generator from source for now. For more information see this discussion: + # The build will fail if we reference it using the commit SHA. In rare cases the external + # Rekor service (https://github.com/sigstore/rekor) is unavailable in which case the provenance + # generator should be compiled from source. For more information see this discussion: # https://github.com/slsa-framework/slsa-github-generator/issues/942 generate-provenance: - needs: [build-package-for-release, release-package] + needs: [check-and-build-package-for-release, release-package] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: - base64-subjects: ${{ needs.build-package-for-release.outputs.artifacts-sha256 }} + base64-subjects: ${{ needs.check-and-build-package-for-release.outputs.artifacts-sha256 }} compile-generator: false # Do not build the provenance generator from source anymore. # Set private-repository to true for private repositories. Note that the repository name is # uploaded as part of the transparency log entry on the public Rekor instance (rekor.sigstore.dev).
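Review bot: The reworded comment above `generate-provenance` says the provenance generator "should be compiled from source" when Rekor is unavailable, but two lines below it `compile-generator: false` carries the inline comment "Do not build the provenance generator from source anymore", so a reader of the new text cannot tell whether that is the intended state or something they are expected to flip. Suggested wording for the third added comment line: `# generator can be built from source instead (set compile-generator: true below). For more information see this discussion:`, and shorten the inline comment on the setting to `# Built from source only as a fallback; see the note above.` so the two agree.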