
Commit 5be5d60

authored
ci: scope release env and OIDC permissions to master (#1799)
1 parent 5333fc5 commit 5be5d60

1 file changed

Lines changed: 33 additions & 13 deletions

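--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -150,16 +150,43 @@ jobs:
 run: poetry run pytest --no-cov -vvvvv --codspeed tests/benchmarks
 mode: instrumentation
 
-release:
+# Dry run on PRs and non-master pushes. No environment, no publish
+# permissions, no OIDC, so PR runs carry no release blast radius.
+release-dry-run:
 needs:
 - test
 - lint
-if: ${{ github.repository_owner }} == "python-zeroconf"
+if: github.ref_name != 'master' && github.repository_owner == 'python-zeroconf'
+runs-on: ubuntu-latest
+permissions:
+contents: read
+steps:
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
+with:
+fetch-depth: 0
+ref: ${{ github.ref }}
+
+- name: Create local branch name
+env:
+BRANCH: ${{ github.head_ref || github.ref_name }}
+run: git switch -C "$BRANCH"
+
+- name: Test release
+uses: python-semantic-release/python-semantic-release@350c48fcb3ffcdfd2e0a235206bc2ecea6b69df0 # v10.5.3
+with:
+no_operation_mode: true
 
+# Real release, only on master. The release environment and write/OIDC
+# permissions are scoped to this job so they never apply to PR runs.
+release:
+needs:
+- test
+- lint
+if: github.ref_name == 'master' && github.repository_owner == 'python-zeroconf'
 runs-on: ubuntu-latest
 environment: release
 concurrency:
-group: release-${{ github.head_ref || github.ref }}
+group: release-${{ github.ref }}
 cancel-in-progress: false
 permissions:
 id-token: write
@@ -175,20 +202,13 @@ jobs:
 ref: ${{ github.ref }}
 
 - name: Create local branch name
-run: git switch -C ${{ github.head_ref || github.ref_name }}
-
-# Do a dry run of PSR
-- name: Test release
-uses: python-semantic-release/python-semantic-release@350c48fcb3ffcdfd2e0a235206bc2ecea6b69df0 # v10.5.3
-if: github.ref_name != 'master'
-with:
-no_operation_mode: true
+env:
+BRANCH: ${{ github.ref_name }}
+run: git switch -C "$BRANCH"
 
-# On main branch: actual PSR + upload to PyPI & GitHub
 - name: Release
 uses: python-semantic-release/python-semantic-release@350c48fcb3ffcdfd2e0a235206bc2ecea6b69df0 # v10.5.3
 id: release
-if: github.ref_name == 'master'
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 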
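Review bot: The job-level gate `if: github.ref_name == 'master'` on the new `release` job (first hunk, new line 185) matches any ref whose short name is `master`, so a tag `refs/tags/master` would also satisfy it and unlock the `release` environment plus the `id-token: write` / publish permissions that this commit is deliberately scoping to the branch. The `github.ref` form is unambiguous: `if: github.ref == 'refs/heads/master' && github.repository_owner == 'python-zeroconf'`, with the mirror `github.ref != 'refs/heads/master'` on `release-dry-run` (new line 159) so the two jobs stay mutually exclusive. Whether a tag push can reach these jobs depends on the workflow's `on:` triggers, which are outside the hunk, so this may already be unreachable in practice; the tighter comparison costs nothing either way. The `jobs:` mapping that encloses both jobs starts before the first hunk and continues past the second.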