Add PyPI release (#118)

* add pypi publishing and pre-release testing

Signed-off-by: Alex Goodman <[email protected]>

* update installation and release docs with pypi info

Signed-off-by: Alex Goodman <[email protected]>

* clean dist before publish

Signed-off-by: Alex Goodman <[email protected]>

* require poetry dynamic version plugin on build and publish make targets

Signed-off-by: Alex Goodman <[email protected]>

* split up publishing events from valiadtion

Signed-off-by: Alex Goodman <[email protected]>

---------

Signed-off-by: Alex Goodman <[email protected]>

Author: wagoodman

.github/actions/bootstrap/action.yaml

@@ -75,9 +75,10 @@ runs:
         python-version: ${{ inputs.python-version }}
 
     - name: Install poetry
-      uses: abatilo/[email protected]
-      with:
-        poetry-version: ${{ inputs.poetry-version }}
+      shell: bash
+      run: |
+        pipx install poetry==${{ inputs.poetry-version }}
+        poetry self add "poetry-dynamic-versioning[plugin]"
 
     - name: Cache Poetry virtualenv
       uses: actions/cache@v3

.github/workflows/release.yaml

@@ -53,7 +53,7 @@ jobs:
           echo "Nightly Quality Gate Status: ${{ steps.nightly-quality-gate.conclusion }}"
           false
 
-  release:
+  tag:
     needs:
       - quality-gate
     runs-on: ubuntu-20.04
@@ -69,6 +69,48 @@ jobs:
           # in order to properly resolve the version from git
           fetch-depth: 0
 
+      - name: Tag release
+        run: |
+          git tag ${{ github.event.inputs.version }}
+          git push origin --tags
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  release-pypi:
+    needs:
+      - tag
+    runs-on: ubuntu-20.04
+    environment: release
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # in order to properly resolve the version from git
+          fetch-depth: 0
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+
+      - name: Publish to PyPI
+        run: make ci-publish-pypi
+        env:
+          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.VUNNEL_PYPI_TOKEN }}
+
+  release-docker:
+    needs:
+      - tag
+    runs-on: ubuntu-20.04
+    environment: release
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # in order to properly resolve the version from git
+          fetch-depth: 0
+
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
 
@@ -77,19 +119,31 @@ jobs:
           echo ${{ secrets.GITHUB_TOKEN }} | oras login ghcr.io --username ${{ github.actor }} --password-stdin
           echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io --username ${{ github.actor }} --password-stdin
 
-      - name: Tag release
-        run: |
-          git tag ${{ github.event.inputs.version }}
-          git push origin --tags
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Promote commit image to release
         run: |
           make ci-promote-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  release-github:
+    needs:
+      - tag
+    runs-on: ubuntu-20.04
+    environment: release
+    permissions:
+      contents: read
+      packages: write
+      issues: read
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # in order to properly resolve the version from git
+          fetch-depth: 0
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+
       - name: Create github release
         run: |
           make changelog

.github/workflows/validations.yaml

@@ -15,8 +15,6 @@ jobs:
     runs-on: ubuntu-20.04
     permissions:
       contents: read
-      # package write permission is needed for publishing commit images
-      packages: write
     steps:
       - uses: actions/checkout@v3
         with:
@@ -39,11 +37,35 @@ jobs:
       - name: Build assets
         run: poetry run make build
 
+  Publish-PreProd:
+    runs-on: ubuntu-20.04
+    needs: [Validations]
+    if: github.ref == 'refs/heads/main'
+    permissions:
+      contents: read
+      # package write permission is needed for publishing commit images
+      packages: write
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # in order to properly resolve the version from git
+          fetch-depth: 0
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+
       - name: Login to ghcr.io
-        if: github.ref == 'refs/heads/main'
         run: |
           echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io --username ${{ github.actor }} --password-stdin
 
+      - name: Build assets
+        run: poetry run make build
+
       - name: Publish commit image
-        if: github.ref == 'refs/heads/main'
         run: make ci-publish-commit
+
+      - name: Publish to test PyPI
+        run: make ci-publish-testpypi
+        env:
+          # note: "..._TESTPYPI" suffix should match the name of the testpypi repository (see the Makefile target)
+          POETRY_PYPI_TOKEN_TESTPYPI: ${{ secrets.TEST_PYPI_TOKEN }}

Makefile

@@ -12,6 +12,7 @@ GRYPE_DB_PATH ?= ../grype-db
 CRANE = $(TEMP_DIR)/crane
 CHRONICLE = $(TEMP_DIR)/chronicle
 GLOW = $(TEMP_DIR)/glow
+PUBLISH_CMD = poetry publish --build -n
 
 # Tool versions #################################
 CHRONICLE_VERSION = v0.6.0
@@ -123,8 +124,12 @@ unit: virtual-env-check  ## Run unit tests
 
 ## Build-related targets #################################
 
+.PHONY: check-build-deps
+check-build-deps:
+	@poetry self show plugins | grep poetry-dynamic-versioning || echo "install poetry-dynamic-versioning plugin with 'poetry plugin add poetry-dynamic-versioning[plugin]'"
+
 .PHONY: build
-build:  ## Run build assets
+build: check-build-deps  ## Run build assets
 	git fetch --tags
 	rm -rf dist
 	poetry build
@@ -149,6 +154,15 @@ ci-promote-release: ci-check
 	$(CRANE) tag $(IMAGE_NAME):$(COMMIT_TAG) $(PACKAGE_VERSION)
 	$(CRANE) tag $(IMAGE_NAME):$(COMMIT_TAG) latest
 
+.PHONY: ci-publish-testpypi
+ci-publish-testpypi: clean-dist check-build-deps
+	poetry config repositories.testpypi https://test.pypi.org/legacy/
+	$(PUBLISH_CMD) -r testpypi
+
+.PHONY: ci-publish-pypi
+ci-publish-pypi: ci-check clean-dist check-build-deps
+	$(PUBLISH_CMD)
+
 .PHONY: changelog
 changelog:
 	@$(CHRONICLE) -vvv -n . --version-file VERSION > CHANGELOG.md
@@ -159,6 +173,12 @@ release:
 	@.github/scripts/trigger-release.sh
 
 
+## Cleanup #################################
+
+.PHONY: clean-dist
+clean-dist:
+	rm -rf dist
+
 ## Halp! #################################
 
 .PHONY: help

README.md

@@ -20,21 +20,18 @@ Supported data sources:
 With pip:
 
 ```bash
-pip install git+https://github.com/anchore/vunnel@main
-
-# or use a git tag
-pip install git+https://github.com/anchore/[email protected]
+pip install vunnel
 ```
 
 With docker:
 
 ```bash
 docker run \
   --rm -it \
-  -v $(pwd)/data:/data \                 # keep the processed data on the host
-  -v $(pwd)/.vunnel.yaml:/.vunnel.yaml   # if you have a vunnel config
-    ghcr.io/anchore/vunnel:latest        # a git tag can be used as the version
-      run nvd                            # arguments for vunnel
+  -v $(pwd)/data:/data \
+  -v $(pwd)/.vunnel.yaml:/.vunnel.yaml \
+    ghcr.io/anchore/vunnel:latest  \
+      run nvd
 ```
 Where:
   - the `data` volume keeps the processed data on the host

RELEASE.md

@@ -8,11 +8,12 @@ There are two times when assets are released:
 
 - when a new commit reaches main:
     - a new `ghcr.io/anchore/vunnel:[GIT-COMMIT]` docker image is published
+    - a build is published to the [testpypi project](https://test.pypi.org/project/vunnel/)
 
 - when a release is triggered:
     - the commit on main is tagged with the given version
-    - the existing commit-based image is additionally tagged as `ghcr.io/anchore/vunnel:[VERSION]`
-
+    - the existing commit-based image is additionally tagged as `ghcr.io/anchore/vunnel:[VERSION]` and `ghcr.io/anchore/vunnel:latest`
+    - a build is published to the [pypi project](https://pypi.org/project/vunnel/)
 
 ## Creating a new release
 

pyproject.toml

@@ -138,7 +138,7 @@ fail_under = 80
 [tool.poetry-dynamic-versioning]
 enable = true
 vcs = "git"
-metadata = true
+metadata = false
 style = "semver"
 dirty = true