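---
# release.yml: release pipeline, started by pushing a version tag.
# The display name says "Manual", but the only trigger defined here is a tag
# push; there is no workflow_dispatch entry.
name: Manual
on:
  push:
    tags:
      # GitHub filter pattern (a glob, not a regex): matches tags such as
      # v1.2.3. A matching tag starts the jobs that receive the publishing
      # secrets, so who may create such tags should be restricted.
      - "v[0-9]+.[0-9]+.[0-9]+"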
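# NOTE(review): every `uses:` entry below references a tag or version label.
# Such refs can be moved by the action's owner; pinning each third-party
# action to a full commit SHA keeps the code that runs next to the release
# secrets fixed between runs.
jobs:
  # Secret scan over the repository history; gates the publish job.
  review_secrets:
    name: security-detect-secrets
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the repository.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          submodules: false
          # 0 fetches the complete history instead of a shallow clone.
          fetch-depth: "0"
      - name: Trufflehog Actions Scan
        uses: edplato/trufflehog-actions-scan@v0.9j-beta
        with:
          # NOTE(review): --max_depth looks like a cap on how many commits
          # are scanned, so the full history fetched above may not be fully
          # covered; confirm. Paths matched by the -x file are skipped, so
          # changes to that file deserve the same review as code.
          scanArguments: "--max_depth 30 -x .github/workflows/exclude-patterns.txt"

  # Static analysis; gates the publish job.
  semgrep:
    runs-on: ubuntu-latest
    name: security-sast-semgrep
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v2
      - name: Semgrep
        id: semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}

  # Builds the package once and keeps the result as workflow artifacts.
  build:
    name: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v2
      - name: Setup python
        uses: actions/setup-python@v2
        with:
          # Quoted so YAML keeps the version as a string, matching the
          # publish job; an unquoted value is parsed as a float.
          python-version: "3.7"
      - name: Run image
        uses: abatilo/actions-poetry@v2.0.0
        with:
          poetry-version: "1.1.11"
      - name: Build
        run: |
          poetry install
          poetry build
      - uses: actions/upload-artifact@v2.2.4
        with:
          name: dist
          path: dist
      - uses: actions/upload-artifact@v2.2.4
        with:
          name: output
          path: output

  # Unit tests across the OS / Python matrix; gates the publish job.
  run-unit-tests:
    name: test-unit
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
        python: ["3.7", "3.8", "3.9"]
        poetry-version: ["1.1.11"]
      # Let every matrix cell finish even if one of them fails.
      fail-fast: false
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
    needs:
      - build
    steps:
      - uses: actions/checkout@v2
      - name: Setup python
        uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.python }}
      - name: Run image
        uses: abatilo/actions-poetry@v2.0.0
        with:
          poetry-version: ${{ matrix.poetry-version }}
      - name: run tests
        run: |
          poetry install
          poetry run pytest --junitxml=test-results/results.xml --cov=./ --cov-report=xml tests
      - uses: actions/upload-artifact@v2.2.4
        with:
          name: unit tests test-results
          path: test-results
      - uses: codecov/codecov-action@v2
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          flags: ${{ matrix.os }}, ${{ matrix.poetry-version }}
          fail_ci_if_error: true  # optional (default = false)

  # Release job: the only job that receives the GitHub and PyPI publishing
  # secrets. It runs after both security scans, the build and the tests.
  publish:
    name: Build Release
    needs:
      # - pre-commit
      - review_secrets
      - semgrep
      - build
      - run-unit-tests
    runs-on: ubuntu-latest
    # The workflow token only needs read access here; the release step is
    # given its own token through the env block below.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: false
          # Very important: semantic-release won't trigger a tagged
          # build if this is not set false
          persist-credentials: false
      - name: Setup python
        uses: actions/setup-python@v2
        with:
          python-version: "3.7"
      - name: Run image
        uses: abatilo/actions-poetry@v2.0.0
        with:
          poetry-version: "1.1.11"
      # The package is rebuilt here; the dist artifact uploaded by the build
      # job is not downloaded in this job.
      - name: Build
        run: |
          poetry install
          poetry build
      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@v2.6.0
        with:
          semantic_version: "17"
          # NOTE(review): these plugins are listed without versions, so
          # whatever is current at run time is installed into the step that
          # holds the publishing secrets. Pinning each entry to a reviewed
          # version would make the release toolchain reproducible.
          extra_plugins: |
            @semantic-release/exec
            @semantic-release/git
            @google/semantic-release-replace-plugin
        env:
          # All three secrets are visible to every plugin loaded above.
          GITHUB_TOKEN: ${{ secrets.SEMREL_TOKEN }}
          PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }}
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}

  # Runs after a successful publish, for v-prefixed tag refs only.
  update-semver:
    name: Move Respository semver tags
    if: startsWith(github.ref, 'refs/tags/v')
    needs: publish
    runs-on: ubuntu-latest
    # NOTE(review): no token is passed explicitly, so the action presumably
    # pushes the moved tags with the workflow token, which needs write access
    # to repository contents; confirm against the action's documentation.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v2
      - uses: haya14busa/action-update-semver@v1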