runtime/.github/workflows/publish-python-sdk.yml at main · exospherehost/runtime · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: Build & publish to PyPI

on:
  push:
    branches:
      - main
    paths:
      - "python-sdk/exospherehost/_version.py"
      - ".github/workflows/publish-python-sdk.yml"

permissions:
  contents: read
  id-token: write

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true

      - name: Install dev dependencies with uv
        working-directory: python-sdk
        run: |
          uv sync --group dev

      - name: Install python-sdk package (editable)
        working-directory: python-sdk
        run: |
          uv pip install -e .

      - name: Run tests with pytest and coverage
        working-directory: python-sdk
        run: |
          uv run pytest --cov=exospherehost --cov-report=xml --cov-report=term-missing -v --junitxml=pytest-report.xml

      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: exospherehost/exospherehost
          files: python-sdk/coverage.xml
          flags: python-sdk-unittests
          name: python-sdk-coverage-report
          fail_ci_if_error: true

      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: python-sdk-test-results
          path: python-sdk/pytest-report.xml
          retention-days: 1

  publish:
    runs-on: ubuntu-latest
    needs: test
    defaults:
      run:
        working-directory: python-sdk
    if: github.repository == 'exospherehost/exospherehost'

    steps:
      - uses: actions/checkout@v4

      - uses: astral-sh/setup-uv@v6
        name: Install uv
        with:
          enable-cache: true

      - run: uv python install

      - run: uv sync --locked --dev

      - name: Check version for beta indicator
        run: |
          uv run python -c "
          import sys
          sys.path.append('.')
          from exospherehost._version import version
          if 'b' not in version:
              print(f'ERROR: Version {version} does not contain beta indicator (b). Major releases are only allowed through GitHub releases.')
              sys.exit(1)
          print(f'Version {version} is valid for PyPI publishing (contains beta indicator)')
          "

      - name: Generate requirements file for SBOM
        run: |
          # Try to use uv to export only production dependencies without the current package
          # Use --no-dev to exclude dev dependencies and generate a clean requirements file
          uv export --locked --no-dev --format=requirements-txt --output-file=requirements-full.txt
          # Debug: Show what's in the requirements file
          echo "Contents of requirements-full.txt:"
          cat requirements-full.txt
          # Filter out any editable local package references
          # This handles: -e ., -e ./, -e ../, -e file://..., file://... etc.
          grep -v -E '^-e\s+\.$|^-e\s+\.\/$|^-e\s+\.\.\/$|^-e\s+file:|^file:' requirements-full.txt > requirements.txt || echo "# No dependencies after filtering" > requirements.txt
          echo "Contents of filtered requirements.txt:"
          cat requirements.txt
          echo "Generated requirements.txt for SBOM creation from lockfile (excluding editable local package)"

      - name: Install SBOM generation tools
        run: |
          uv tool install cyclonedx-bom
          echo "Installed cyclonedx-bom version:"
          uv tool run --from cyclonedx-bom cyclonedx-py --version
          uv tool install pip-audit
          echo "Installed pip-audit version:"
          uv tool run pip-audit --version

      - name: Generate SBOM with CycloneDX
        run: |
          uv tool run --from cyclonedx-bom cyclonedx-py requirements --of json --output-file sbom-cyclonedx.json requirements.txt
          echo "Generated CycloneDX SBOM in JSON format"

      - name: Generate vulnerability report with pip-audit
        run: |
          uv tool run pip-audit --format json --output vulnerability-report.json --requirement requirements.txt || true
          echo "Generated vulnerability report (non-blocking)"

      - run: uv build

      - name: Sign the package
        run: |
          python -m pip install -U pypi-attestations
          python -m pypi_attestations sign dist/*

      - name: Publish to PyPI with provenance
        run: |
          python -m pip install -U twine
          python -m twine upload --attestations dist/*

      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom-artifacts-beta-${{ github.sha }}
          path: |
            python-sdk/sbom-cyclonedx.json
            python-sdk/requirements.txt
            python-sdk/vulnerability-report.json
          retention-days: 1