From 382413dc083402beae39e55fc21ca69668efafea Mon Sep 17 00:00:00 2001 From: Ivan Date: Sun, 23 Nov 2025 11:45:41 -0600 Subject: [PATCH] Update to support immutable github releases/tags --- .github/workflows/publish.yml | 36 ++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index e757654..5afa768 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,5 +1,14 @@ name: Publish Python 🐍 distribution 📦 to PyPI +# This workflow creates immutable releases: +# 1. Build packages +# 2. Publish to PyPI (only on tag push) +# 3. After successful PyPI publish: +# - Sign artifacts +# - Check if GitHub release exists (idempotent) +# - Create release with all artifacts atomically +# This ensures releases cannot be modified once published. + on: push: tags: 
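Review bot: The header comment's last line, "This ensures releases cannot be modified once published", claims more than the visible workflow does. Nothing in these hunks locks a release: creating it with its assets in one `gh release create` call only avoids a later upload step. Immutability itself depends on the repository's release settings. I would reword the line to something like `# Releases are created with all assets in one step; immutability is enforced by the repository's release settings.` so a reader does not treat the workflow alone as the control.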
@@ -83,18 +92,27 @@ jobs:
 inputs: >-
 ./dist/*.tar.gz
 ./dist/*.whl
- - name: Create GitHub Release
+ - name: Check if release exists
+ id: check_release
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ if gh release view "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ echo "Release $GITHUB_REF_NAME already exists, skipping creation"
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ echo "Release $GITHUB_REF_NAME does not exist, will create"
+ fi
+ continue-on-error: true
+ - name: Create GitHub Release with artifacts
+ if: steps.check_release.outputs.exists != 'true'
 env:
 GITHUB_TOKEN: ${{ github.token }}
 run: >-
 gh release create
 "$GITHUB_REF_NAME"
 --repo "$GITHUB_REPOSITORY"
- --notes ""
- - name: Upload artifact signatures to GitHub Release
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: >-
- gh release upload
- "$GITHUB_REF_NAME" dist/**
- --repo "$GITHUB_REPOSITORY"
\ No newline at end of file
+ --title "Release $GITHUB_REF_NAME"
+ --notes "PyPI: https://pypi.org/project/rns-page-node/$GITHUB_REF_NAME/"
+ dist/*
\ No newline at end of file
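Review bot: The new `Check if release exists` step fails open in both directions: `>/dev/null 2>&1` together with `continue-on-error: true` turns any `gh release view` failure (auth, rate limit, network) into `exists=false`, and when a release is found the create step is skipped without checking that its assets match `dist/`. A release for this tag created outside the workflow, or left incomplete by an earlier run, therefore leaves the job green while the GitHub assets may differ from what was signed and published to PyPI. I would drop `continue-on-error: true` (the `if` already absorbs the exit status), keep stderr in the log, and on the exists branch print what was left in place with `gh release view "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" --json assets`, or fail the job if the asset names differ from `dist/*`. Also quote the redirect target, `>> "$GITHUB_OUTPUT"`. The job's `permissions:` and the signing step are outside the hunk, so the token scope cannot be checked from here.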