ci: homogenize github actions workflows + use trusted publisher (#67)

mgovers · Thijss · web-flow · commit 054e7bfdfa27 · 2025-06-16T15:49:55.000+02:00
* homogenize github actions workflows + use trusted publisher Signed-off-by: Martijn Govers <Martijn.Govers@Alliander.com> * always release for testing purposes Signed-off-by: Martijn Govers <Martijn.Govers@Alliander.com> * fix syntax Signed-off-by: Martijn Govers <Martijn.Govers@Alliander.com> * fix typo Signed-off-by: Martijn Govers <Martijn.Govers@Alliander.com> * revert test changes Signed-off-by: Martijn Govers <Martijn.Govers@Alliander.com> * Update .github/workflows/build-test-release.yml Signed-off-by: Martijn Govers <Martijn.Govers@Alliander.com> Co-authored-by: Thijs Baaijen <13253091+Thijss@users.noreply.github.com> Signed-off-by: Martijn Govers <martygovers@hotmail.com> * fix ci-passed cfr. PowerGridModel/power-grid-model#1015 Signed-off-by: Martijn Govers <Martijn.Govers@Alliander.com> * Feat/test new pypi (#69) * move comments Signed-off-by: Thijs Baaijen <13253091+Thijss@users.noreply.github.com> * enable test pypi Signed-off-by: Thijs Baaijen <13253091+Thijss@users.noreply.github.com> * Fix typing issue for numpy 2.3 and python 3.11 (#70) Signed-off-by: Thijs Baaijen <13253091+Thijss@users.noreply.github.com> --------- Signed-off-by: Thijs Baaijen <13253091+Thijss@users.noreply.github.com> --------- Signed-off-by: Martijn Govers <Martijn.Govers@Alliander.com> Signed-off-by: Martijn Govers <martygovers@hotmail.com> Signed-off-by: Thijs Baaijen <13253091+Thijss@users.noreply.github.com> Co-authored-by: Thijs Baaijen <13253091+Thijss@users.noreply.github.com>
diff --git a/.github/workflows/build-test-release.yml b/.github/workflows/build-test-release.yml
@@ -3,16 +3,9 @@
 # SPDX-License-Identifier: MPL-2.0
 
 
-name: Build, Test, Sonar and Publish
+name: Build, Test and Release
 
 on:
-  push:
-    branches:
-      - main
-  # run pipeline on pull request
-  pull_request:
-  # run pipeline on merge queue
-  merge_group:
   # run pipeline from another workflow
   workflow_call:
     inputs:
@@ -45,15 +38,20 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@v4
 
-      - name: Setup Python 3.11
+      - name: Setup Python 3.13
         uses: actions/setup-python@v5
         with:
-          python-version: "3.11"
+          python-version: "3.13"
+
+      - name: Set PyPI version
+        uses: PowerGridModel/pgm-version-bump@main
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build
         run: |
-          pip install requests build
-          python set_pypi_version.py
+          cat PYPI_VERSION
+          pip install build
           python -m build --outdir wheelhouse .
 
       - name: Save version
@@ -66,39 +64,6 @@ jobs:
           name: power-grid-model-ds
           path: wheelhouse/
 
-  sonar-cloud:
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    steps:
-
-      - name: Checkout source code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-
-      - name: Setup Python 3.11
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-
-      - name: Install in develop mode
-        run: |
-          pip install -e .[dev]
-
-      - name: Test and Coverage
-        run: |
-          coverage run -m pytest 
-          coverage xml 
-          coverage report --fail-under=80
-
-      - name: SonarCloud Scan
-        if: ${{ (github.event_name == 'push') || (github.event.pull_request.head.repo.owner.login == 'PowerGridModel') }}
-        uses: SonarSource/sonarqube-scan-action@v5
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
   tests:
     needs: build-python
     strategy:
@@ -129,27 +94,22 @@ jobs:
       - name: Unit test and coverage
         run: pytest --verbose
 
-  publish:
+  github-release:
     needs:
       - build-python
       - tests
-      - sonar-cloud
     permissions:
       contents: write
-    env:
-      TWINE_USERNAME: ${{ secrets.PYPI_USER }}
-      TWINE_PASSWORD: ${{ secrets.PYPI_PASS }}
     runs-on: ubuntu-latest
     steps:
+      - name: Setup Python 3.13
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
 
       - name: Checkout source code
         uses: actions/checkout@v4  # needed by 'Prevent automatic major/minor release'
 
-      - name: Setup Python 3.11
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-
       - name: Load built wheel file
         uses: actions/download-artifact@v4
         with:
@@ -174,20 +134,20 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Upload wheels
-        if: (github.event_name == 'push') || ((github.event_name == 'workflow_dispatch') && (github.event.inputs.create_release == 'true'))
-        run: |
-          pip install twine
-          echo "Publish to PyPI..."
-          twine upload --verbose wheelhouse/*
+      - name: Get tag
+        id: tag
+        run: echo "tag=v${{ needs.build-python.outputs.version }}" >> $GITHUB_OUTPUT
+
+      - name: Display tag
+        run: echo "${{ steps.tag.outputs.tag }}"
 
       - name: Release
-        if: (github.event_name == 'push') || ((github.event_name == 'workflow_dispatch') && (github.event.inputs.create_release == 'true'))
+        if: (inputs.create_release)
         uses: softprops/action-gh-release@v2
         with:
           files: |
             ./wheelhouse/*
-          tag_name: v${{ needs.build-python.outputs.version }}
+          tag_name: ${{ steps.tag.outputs.tag }}
           prerelease: ${{github.ref != 'refs/heads/main'}}
           generate_release_notes: true
           target_commitish: ${{ github.sha }}
diff --git a/.github/workflows/check-code-quality.yml b/.github/workflows/check-code-quality.yml
@@ -6,13 +6,6 @@
 name: Check Code Quality
 
 on:
-  push:
-    branches:
-      - main
-  # run pipeline on pull request
-  pull_request:
-  # run pipeline on merge queue
-  merge_group:
   # run pipeline from another workflow
   workflow_call:
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,100 @@
+# SPDX-FileCopyrightText: Contributors to the Power Grid Model project <powergridmodel@lfenergy.org>
+#
+# SPDX-License-Identifier: MPL-2.0
+
+
+name: CI Build
+
+on:
+  push:
+    branches:
+      - main  # run pipeline on pull request
+  pull_request:
+  merge_group:  # run pipeline on merge queue
+  workflow_dispatch:  # run this workflow manually from the Actions tab
+    inputs:
+      create_release:
+        type: boolean
+        description: Create a (pre-)release when CI passes
+        default: false
+        required: true
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-ci-build
+  cancel-in-progress: true
+
+jobs:
+  ci-started:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "ci started"
+
+  build-test-release:
+    name: build-test-release
+    uses: "./.github/workflows/build-test-release.yml"
+    permissions:
+      contents: write
+    with:
+      create_release: ${{ (github.event_name == 'workflow_dispatch' && inputs.create_release) || (github.event_name == 'push') }}
+
+  check-code-quality:
+    uses: "./.github/workflows/check-code-quality.yml"
+
+  reuse-compliance:
+    uses: "./.github/workflows/reuse-compliance.yml"
+
+  ci-passed:
+    runs-on: ubuntu-latest
+    needs: [ci-started, build-test-release, check-code-quality, reuse-compliance]
+    if: always()
+
+    steps:
+      # this explicit check is needed cfr. https://github.com/orgs/community/discussions/75568
+      - name: "Check whether all jobs passed"
+        run: echo '${{ toJSON(needs) }}' | jq -e 'to_entries | all(.value.result == "success")'
+      - run: echo "ci passed"
+
+  publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write  # Required for Trusted Publishing
+    needs: build-test-release
+    if: (github.event_name == 'workflow_dispatch' && inputs.create_release) || github.event_name == 'push'
+
+    steps:
+      - name: Download assets from GitHub release
+        uses: robinraju/release-downloader@v1
+        with:
+          repository: ${{ github.repository }}
+          # download the latest release
+          latest: true
+          # don't download pre-releases
+          preRelease: false
+          fileName: "*"
+          # don't download GitHub-generated source tar and zip files
+          tarBall: false
+          zipBall: false
+          # create a directory to store the downloaded assets
+          out-file-path: assets-to-publish
+          # don't extract downloaded files
+          extract: false
+
+      - name: List downloaded assets
+        run: ls -la assets-to-publish
+
+      - name: Upload assets to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          # To test, use the TestPyPI:
+          repository-url: https://test.pypi.org/legacy/
+          # You must also create an account and project on TestPyPI,
+          # as well as set the trusted-publisher in the project settings:
+          # https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+          # To publish to the official PyPI repository, just keep
+          # repository-url commented out.
+          packages-dir: assets-to-publish
+          skip-existing: true
+          print-hash: true
+          verbose: true
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -15,8 +15,8 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  main:
-    uses: "./.github/workflows/build-test-and-sonar.yml"
+  build-test-release:
+    uses: "./.github/workflows/build-test-release.yml"
     permissions:
       contents: write
     with:
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
@@ -6,13 +6,6 @@
 name: REUSE Compliance Check
 
 on:
-  push:
-    branches:
-      - main
-  # run pipeline on pull request
-  pull_request:
-  # run pipeline on merge queue
-  merge_group:
   # run pipeline from another workflow
   workflow_call:
   # run this workflow manually from the Actions tab
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: Contributors to the Power Grid Model project <powergridmodel@lfenergy.org>
+#
+# SPDX-License-Identifier: MPL-2.0
+
+name: Sonar Cloud
+
+on:
+  # run pipeline on push event of main branch
+  push:
+    branches:
+      - main
+  # run pipeline on pull request
+  pull_request:
+  # run pipeline on merge queue
+  merge_group:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-sonar
+  cancel-in-progress: true
+
+jobs:
+  sonar-cloud:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout source code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+
+      - name: Setup Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install in develop mode
+        run: |
+          pip install -e .[dev]
+
+      - name: Test and Coverage
+        run: |
+          coverage run -m pytest 
+          coverage xml 
+          coverage report --fail-under=80
+
+      - name: SonarCloud Scan
+        if: ${{ (github.event_name == 'push') || (github.event.pull_request.head.repo.owner.login == 'PowerGridModel') }}
+        uses: SonarSource/sonarqube-scan-action@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/README.md b/README.md
@@ -9,9 +9,7 @@ SPDX-License-Identifier: MPL-2.0
 [![Downloads](https://static.pepy.tech/badge/power-grid-model-ds)](https://pepy.tech/project/power-grid-model-ds)
 [![Downloads](https://static.pepy.tech/badge/power-grid-model-ds/month)](https://pepy.tech/project/power-grid-model-ds)
 
-[![Build and Test Python](https://github.com/PowerGridModel/power-grid-model-ds/actions/workflows/build-test-and-sonar.yml/badge.svg)](https://github.com/PowerGridModel/power-grid-model-ds/actions/workflows/build-test-and-sonar.yml)
-[![Check Code Quality](https://github.com/PowerGridModel/power-grid-model-ds/actions/workflows/check-code-quality.yml/badge.svg)](https://github.com/PowerGridModel/power-grid-model-ds/actions/workflows/check-code-quality.yml)
-[![REUSE Compliance Check](https://github.com/PowerGridModel/power-grid-model-ds/actions/workflows/reuse-compliance.yml/badge.svg)](https://github.com/PowerGridModel/power-grid-model-ds/actions/workflows/reuse-compliance.yml)
+[![CI Build](https://github.com/PowerGridModel/power-grid-model-ds/actions/workflows/ci.yml/badge.svg)](https://github.com/PowerGridModel/power-grid-model-ds/actions/workflows/ci.yml)
 [![docs](https://readthedocs.org/projects/power-grid-model-ds/badge/)](https://power-grid-model-ds.readthedocs.io/en/stable/)
 
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=PowerGridModel_power-grid-model-ds&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=PowerGridModel_power-grid-model-ds)
@@ -25,7 +23,7 @@ SPDX-License-Identifier: MPL-2.0
 
 [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.14825565.svg)](https://zenodo.org/record/14825565)
 
-[![](https://github.com/PowerGridModel/.github/blob/main/artwork/svg/color.svg)](#)
+[![Power Grid Model logo](https://github.com/PowerGridModel/.github/blob/main/artwork/svg/color.svg)](#)
 
 # Power Grid Model Data Science (DS)
 
diff --git a/set_pypi_version.py b/set_pypi_version.py
