Split publish.yml jobs for improved security (#117)

Signed-off-by: Glenn Jocher <[email protected]>
ultralytics · Dec 8, 2024 · f861884 · f861884
1 parent 985eb79
commit f861884
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 46 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -13,32 +13,23 @@ on:
         description: Publish to PyPI
 
 jobs:
-  publish:
+  check:
     if: github.repository == 'ultralytics/mkdocs' && github.actor == 'glenn-jocher'
-    name: Publish
     runs-on: ubuntu-latest
-    environment: # for GitHub Deployments tab
-      name: Release - PyPI
-      url: https://pypi.org/p/mkdocs-ultralytics-plugin
     permissions:
-      id-token: write # for PyPI trusted publishing
+      contents: write
+    outputs:
+      increment: ${{ steps.check_pypi.outputs.increment }}
+      current_tag: ${{ steps.check_pypi.outputs.current_tag }}
+      previous_tag: ${{ steps.check_pypi.outputs.previous_tag }}
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets._GITHUB_TOKEN }}
-      - name: Git config
-        run: |
-          git config --global user.name "UltralyticsAssistant"
-          git config --global user.email "[email protected]"
-      - name: Set up Python environment
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.x"
       - uses: astral-sh/setup-uv@v4
-      - name: Install dependencies
-        run: uv pip install --system --no-cache ultralytics-actions build twine toml
-      - name: Check PyPI version
+      - run: uv pip install --system --no-cache ultralytics-actions
+      - id: check_pypi
         shell: python
         run: |
           import os
@@ -49,30 +40,63 @@ jobs:
           os.system(f'echo "previous_tag=v{online_version}" >> $GITHUB_OUTPUT')
           if publish:
               print('Ready to publish new version to PyPI ✅.')
-        id: check_pypi
-      - name: Build package
-        if: (github.event_name == 'push' || github.event.inputs.pypi == 'true') && steps.check_pypi.outputs.increment == 'True'
-        run: python -m build
-      - name: Publish to PyPI
-        continue-on-error: true
-        if: (github.event_name == 'push' || github.event.inputs.pypi == 'true') && steps.check_pypi.outputs.increment == 'True'
-        uses: pypa/gh-action-pypi-publish@release/v1
-      - name: Publish new tag
-        continue-on-error: true
-        if: (github.event_name == 'push' || github.event.inputs.pypi == 'true')  && steps.check_pypi.outputs.increment == 'True'
-        run: |
-          git tag -a "${{ steps.check_pypi.outputs.current_tag }}" -m "$(git log -1 --pretty=%B)"  # i.e. "v0.1.2 commit message"
-          git push origin "${{ steps.check_pypi.outputs.current_tag }}"
-      - name: Publish new release
-        continue-on-error: true
-        if: (github.event_name == 'push' || github.event.inputs.pypi == 'true')  && steps.check_pypi.outputs.increment == 'True'
+      - name: Tag and Release
+        if: steps.check_pypi.outputs.increment == 'True'
         env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          GITHUB_TOKEN: ${{ secrets._GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CURRENT_TAG: ${{ steps.check_pypi.outputs.current_tag }}
           PREVIOUS_TAG: ${{ steps.check_pypi.outputs.previous_tag }}
-        run: ultralytics-actions-summarize-release
-        shell: bash
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        run: |
+          git config --global user.name "UltralyticsAssistant"
+          git config --global user.email "[email protected]"
+          git tag -a "$CURRENT_TAG" -m "$(git log -1 --pretty=%B)"
+          git push origin "$CURRENT_TAG"
+          ultralytics-actions-summarize-release
+          uv cache prune --ci
+
+  build:
+    needs: check
+    if: needs.check.outputs.increment == 'True'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+      - uses: astral-sh/setup-uv@v4
+      - run: uv pip install --system --no-cache build
+      - run: python -m build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - run: uv cache prune --ci
+
+  publish:
+    needs: [check, build]
+    if: false # needs.check.outputs.increment == 'True'
+    runs-on: ubuntu-latest
+    environment: # for GitHub Deployments tab
+      name: Release - PyPI
+      url: https://pypi.org/p/mkdocs-ultralytics-plugin
+    permissions:
+      id-token: write # for PyPI trusted publishing
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1
+
+  notify:
+    needs: [check, publish]
+    if: false # always() && needs.check.outputs.increment == 'True'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
       - name: Extract PR Details
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -82,16 +106,16 @@ jobs:
           PR_TITLE=$(echo "${PR_JSON}" | jq -r '.title')
           echo "PR_NUMBER=${PR_NUMBER}" >> "${GITHUB_ENV}"
           echo "PR_TITLE=${PR_TITLE}" >> "${GITHUB_ENV}"
-      - name: Notify on Slack (Success)
-        if: success() && github.event_name == 'push' && steps.check_pypi.outputs.increment == 'True'
+      - name: Notify Success
+        if: needs.publish.result == 'success' && github.event_name == 'push'
         uses: slackapi/[email protected]
         with:
           webhook-type: incoming-webhook
           webhook: ${{ secrets.SLACK_WEBHOOK_URL_YOLO }}
           payload: |
-            text: "<!channel> GitHub Actions success for ${{ github.workflow }} ✅\n\n\n*Repository:* https://github.com/${{ github.repository }}\n*Action:* https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Author:* ${{ github.actor }}\n*Event:* NEW `${{ github.repository }} ${{ steps.check_pypi.outputs.current_tag }}` pip package published 😃\n*Job Status:* ${{ job.status }}\n*Pull Request:* <https://github.com/${{ github.repository }}/pull/${{ env.PR_NUMBER }}> ${{ env.PR_TITLE }}\n"
-      - name: Notify on Slack (Failure)
-        if: failure()
+            text: "<!channel> GitHub Actions success for ${{ github.workflow }} ✅\n\n\n*Repository:* https://github.com/${{ github.repository }}\n*Action:* https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Author:* ${{ github.actor }}\n*Event:* NEW `${{ github.repository }} ${{ needs.check.outputs.current_tag }}` pip package published 😃\n*Job Status:* ${{ job.status }}\n*Pull Request:* <https://github.com/${{ github.repository }}/pull/${{ env.PR_NUMBER }}> ${{ env.PR_TITLE }}\n"
+      - name: Notify Failure
+        if: needs.publish.result != 'success'
         uses: slackapi/[email protected]
         with:
           webhook-type: incoming-webhook

diff --git a/pyproject.toml b/pyproject.toml
@@ -24,7 +24,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mkdocs-ultralytics-plugin"
-version = "0.1.14"
+version = "0.1.15"
 description = "An MkDocs plugin that provides Ultralytics Docs customizations at https://docs.ultralytics.com."
 readme = "README.md"
 requires-python = ">=3.8"