split deploy step into 3 to manage permissions

* the build step builds using baipp * the deploy step does only the pypi upload * the release-notes step udpdates the release notes ## needed followups * [ ] upstream release from artifact to pypi-publish * [ ] generate content of release notes in baipp step
pytest-dev · Apr 18, 2023 · e567afb · e567afb
1 parent ef211c3
commit e567afb
Showing 1 changed file with 26 additions and 12 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -13,39 +13,53 @@ on:
 permissions: {}
 
 jobs:
-
-  deploy:
-    if: github.repository == 'pytest-dev/pytest'
-
+  build:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 10
     environment: deploy
-    permissions:
-      contents: write
-      id-token: write # for pypi oidc publish
-
     steps:
     - uses: actions/checkout@v3
       with:
         fetch-depth: 0
         persist-credentials: false
-
     - name: Build and Check Package
       uses: hynek/build-and-inspect-python-package@v1.5
 
+  deploy:
+    if: github.repository == 'pytest-dev/pytest'
+    needs: [build]
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    environment: deploy
+    permissions:
+      id-token: write # for pypi oidc publish
+    steps:
     - name: Download Package
       uses: actions/download-artifact@v3
       with:
         name: Packages
         path: dist
-
     - name: Publish package to PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
 
+  release-notes:
+
+    # todo: generate the content in the build  job
+    needs: [deploy]
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    environment: deploy
+    permissions:
+      contents: write
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v4
       with:
-        python-version: "3.7"
+        python-version: "3.8"
 
     - name: Install tox
       run: |