Add GH workflow to build and release on PyPI (WIP)

.github/workflows/cd.yml

@@ -0,0 +1,90 @@
+name: CD
+concurrency: cd
+
+# Trigger workflow on release tag push
+on:
+  push:
+    # TODO: Should we restrict to vX.Y.Z tags?
+    # tags: v*
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    # if: ${{ github.ref_type == 'tag' }}
+    outputs:
+      release_id: ${{ steps.gh-release.outputs.id }}
+    steps:
+      - name: Checkout release tag
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+
+      # - name: Set up Python
+      #   uses: actions/setup-python@0ebf233433c08fb9061af664d501c3f3ff0e9e20
+      #   with:
+      #     python-version: '3.x'
+
+      # - name: Install build dependency
+      #   run: python3 -m pip install --upgrade pip build
+
+      # - name: Build binary wheel and source tarball
+      #   run: python3 -m build --sdist --wheel --outdir dist/ .
+
+      - id: gh-release
+        name: Publish GitHub release candiate
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+        with:
+          name: ${{ github.ref_name }}-rc
+          tag_name: ${{ github.ref }}
+          # prerelease: true # <- verify_release script 'get_github_version' ignores pre-releases (and drafts)
+          body: "Release waiting for review..."
+          # files: dist/*
+
+      # - name: Store build artifacts
+      #   # NOTE: The release job could download the assets from the GitHub release page,
+      #   # published in the previous step. But using the GitHub upload/download actions
+      #   # seems more robust as there is no need to compute download URLs.
+      #   uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+      #   with:
+      #     name: build-artifacts
+      #     path: dist
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    needs: build
+    environment: release
+    steps:
+      # - name: Fetch build artifacts
+      #   uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+      #   with:
+      #     name: build-artifacts
+      #     path: dist
+
+      # - name: Publish binary wheel and source tarball on PyPI
+      #   uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295
+      #   with:
+      #     user: __token__
+      #     # TODO: Change to PyPI and update token
+      #     repository_url: https://test.pypi.org/legacy/
+      #     password: ${{ secrets.TEST_PYPI_API_TOKEN }}
+
+      - name: Finalize GitHub release
+        uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e
+        with:
+          script: |
+            console.log(${{needs.build.outputs.release_id}})
+#           await github.rest.repos.updateRelease({
+
+
+#             })
+
+# octokit.rest.repos.createRelease({
+#   owner,
+#   repo,
+#   tag_name,
+# });
+
+
+#           name: ${{ github.ref_name }}
+#           tag_name: ${{ github.ref }}
+#           body: "See CHANGELOG.md for details."

tuf/__init__.py

@@ -5,4 +5,4 @@
 """
 
 # This value is used in the requests user agent.
-__version__ = "1.0.0"
+__version__ = "1.0.1"

verify_release

@@ -9,6 +9,7 @@ Builds a release from current commit and verifies that the release artifacts
 on GitHub and PyPI match the built release artifacts.
 """
 
+import argparse
 import json
 import os
 import subprocess
@@ -27,8 +28,8 @@ except ImportError:
 # Project variables
 # Note that only these project artifacts are supported:
 # [f"{PYPI_PROJECT}-{VER}-none-any.whl",  f"{PYPI_PROJECT}-{VER}.tar.gz"]
-GITHUB_ORG = "theupdateframework"
-GITHUB_PROJECT = "python-tuf"
+GITHUB_ORG = "lukpueh"
+GITHUB_PROJECT = "tuf"
 PYPI_PROJECT = "tuf"
 
 
@@ -126,9 +127,17 @@ def progress(s: str) -> None:
 
 
 def main() -> int:
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--skip-pypi",
+        action="store_true",
+        dest="skip_pypi",
+        help="Skip comparison with PyPI release.",
+    )
+    args = parser.parse_args()
+
     success = True
     with TemporaryDirectory() as build_dir:
-
         progress("Building release")
         build_version = build(build_dir)
         finished(f"Built release {build_version}")
@@ -143,16 +152,17 @@ def main() -> int:
         if github_version != build_version:
             finished(f"WARNING: GitHub latest version is {github_version}")
 
-        progress("Checking PyPI latest version")
-        pypi_version = get_pypi_pip_version()
-        if pypi_version != build_version:
-            finished(f"WARNING: PyPI latest version is {pypi_version}")
-
-        progress("Downloading release from PyPI")
-        if not verify_pypi_release(build_version, build_dir):
-            # This is expected while build is not reproducible
-            finished("ERROR: PyPI artifacts do not match built release")
-            success = False
+        if not args.skip_pypi:
+            progress("Checking PyPI latest version")
+            pypi_version = get_pypi_pip_version()
+            if pypi_version != build_version:
+                finished(f"WARNING: PyPI latest version is {pypi_version}")
+
+            progress("Downloading release from PyPI")
+            if not verify_pypi_release(build_version, build_dir):
+                # This is expected while build is not reproducible
+                finished("ERROR: PyPI artifacts do not match built release")
+                success = False
 
         progress("Downloading release from GitHub")
         if not verify_github_release(build_version, build_dir):