⚙️ CLI helpers for GitHub Actions + reuseable workflows
Project description
gha-utils
CLI + reusable workflows
gha-utils
stands for GitHub Action workflows Utilities.
Maintaining project takes time. This repository contains the code of the gha-utils
CLI and a collection of reusable workflows to:
- maintain a Python project, its CLI, doc, QA, etc.
- maintain an Awesome List project.
gha-utils
CLI
Executables
Standalone executables of gha-utils
's latest version are available as direct downloads for several platforms and architectures:
Platform | x86_64 |
arm64 |
---|---|---|
Linux | Download gha-utils-linux-x64.bin |
|
macOS | Download gha-utils-macos-x64.bin |
Download gha-utils-macos-arm64.bin |
Windows | Download gha-utils-windows-x64.exe |
Run dev version
$ git clone https://github.com/kdeldycke/workflows
$ cd workflows
$ python -m pip install uv
$ uv venv
$ source .venv/bin/activate
$ uv pip install .
$ uv run gha-utils
Reusable workflows collection
This repository contains workflows to automate most of the boring tasks.
These workflows are mostly used for Python projects and their documentation, but not only. They're all reusable GitHub actions workflows.
Reasons for a centralized workflow repository:
- reusability of course: no need to update dozens of repository where 95% of workflows are the same
- centralize all dependencies pertaining to automation: think of the point-release of an action that triggers dependabot upgrade to all your repositories depending on it
Guidelines
I don't want to copy-n-past, keep in sync and maintain another N
th CI/CD file at the root of my repositories.
So my policy is: move every repository-specific config in a pyproject.toml
file, or hide the gory details in a reused workflow.
.github/workflows/docs.yaml
jobs
-
Autofix typos
-
Optimize images
-
Keep
.mailmap
up to date -
Update dependency graph of Python projects
- Requires:
- Python package with a
pyproject.toml
file
- Python package with a
- Requires:
-
Build Sphinx-based documentation and publish it to GitHub Pages
- Requires:
- Python package with a
pyproject.toml
file - All Sphinx dependencies in a
docs
extra dependency group:[project.optional-dependencies] docs = [ "furo == 2024.1.29", "myst-parser ~= 3.0.0", "sphinx >= 6", ... ]
- Sphinx configuration file at
docs/conf.py
- Python package with a
- Requires:
-
Sync awesome projects from
awesome-template
repository
Why all these requirements/*.txt
files?
Let's look for example at the lint-yaml
job from .github/workflows/lint.yaml
. Here we only need the yamllint
CLI. This CLI is distributed on PyPi. So before executing it, we could have simply run the following step:
- name: Install yamllint
run: |
pip install yamllint
Instead, we install it via the requirements/yamllint.txt
file.
Why? Because I want the version of yamllint
to be pinned. By pinning it, I make the workflow stable, predictable and reproducible.
So why use a dedicated requirements file? Why don't we simply add the version? Like this:
- name: Install yamllint
run: |
pip install yamllint==1.35.1
That would indeed pin the version. But it requires the maintainer (me) to keep track of new release and update manually the version string. That's a lot of work. And I'm lazy. So this should be automated.
To automate that, the only practical way I found was to rely on dependabot. But dependabot cannot update arbitrary versions in run:
YAML blocks. It only supports requirements.txt
and pyproject.toml
files for Python projects.
So to keep track of new versions of dependencies while keeping them stable, we've hard-coded all Python libraries and CLIs in the requirements/*.txt
files. All with pinned versions.
And for the case we need to install all dependencies in one go, we have a requirements.txt
file at the root that is referencing all files from the requirements/
subfolder.
Permissions and token
This repository updates itself via GitHub actions. It particularly updates its own YAML files in .github/workflows
. That's forbidden by default. So we need extra permissions.
Usually, to grant special permissions to some jobs, you use the permissions
parameter in workflow files. It looks like this:
on: (...)
jobs:
my-job:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps: (...)
But the contents: write
permission doesn't allow write access to the workflow files in the .github
subfolder. There is actions: write
, but it only covers workflow runs, not their YAML source file. Even a permissions: write-all
doesn't work. So you cannot use the permissions
parameter to allow a repository's workflow update its own workflow files.
You will always end up with this kind or errors:
! [remote rejected] branch_xxx -> branch_xxx (refusing to allow a GitHub App to create or update workflow `.github/workflows/my_workflow.yaml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/kdeldycke/my-repo'
[!NOTE] That's also why the Settings > Actions > General > Workflow permissions parameter on your repository has no effect on this issue, even with the
Read and write permissions
set:
To bypass the limitation, we rely on a custom access token. By convention, we call it WORKFLOW_UPDATE_GITHUB_PAT
. It will be used, in place of the default secrets.GITHUB_TOKEN
, in steps in which we need to change the workflow YAML files.
To create this custom WORKFLOW_UPDATE_GITHUB_PAT
:
- From your GitHub user, go to
Settings
>Developer Settings
>Personal Access Tokens
>Fine-grained tokens
- Click on the
Generate new token
button - Choose a good token name like
workflow-self-update
to make your intention clear - Choose
Only select repositories
and the list the repositories in needs of updating their workflow YAML files - In the
Repository permissions
drop-down, sets:Contents
:Access: **Read and Write**
Metadata
(mandatory):Access: **Read-only**
Pull Requests
:Access: **Read and Write**
Workflows
:Access: **Read and Write**
[!NOTE] This is the only place where I can have control over the
Workflows
permission, which is not supported by thepermissions:
parameter in YAML files.
- Now save these parameters and copy the
github_pat_XXXX
secret token - Got to your repo >
Settings
>Security
>Secrets and variables
>Actions
>Secrets
>Repository secrets
and clickNew repository secrets
- Name your secret
WORKFLOW_UPDATE_GITHUB_PAT
and copy thegithub_pat_XXXX
token in theSecret
field
Now re-run your actions and they should be able to update the workflow files in .github
folder without the refusing to allow a GitHub App to create or update workflow
error.
Release management
It turns out Release Engineering is a full-time job, and full of edge-cases.
Rust has cargo-dist
. Go has... ? But there is no equivalent for Python.
So I made up a release.yaml
workflow, which:
- Extracts project metadata from
pyproject.toml
- Generates a build matrix of all commits / os / arch / CLI entry points
- Build Python wheel with Twine
- Compile binaries of all CLI with Nuitka
- Tag the release commit in Git
- Publish new version to PyPi
- Publish a GitHub release
- Attach and rename build artifacts to it
Changelog
A detailed changelog is available.
Used in
Check these projects to get real-life examples of usage and inspiration:
- Awesome Falsehood - Falsehoods Programmers Believe in.
- Awesome Engineering Team Management - How to transition from software development to engineering management.
- Awesome IAM - Identity and Access Management knowledge for cloud platforms.
- Awesome Billing - Billing & Payments knowledge for cloud platforms.
- Meta Package Manager - A unifying CLI for multiple package managers.
- Mail Deduplicate - A CLI to deduplicate similar emails.
- dotfiles - macOS dotfiles for Python developers.
- Click Extra - Extra colorization and configuration loading for Click.
- Wiki bot - A bot which provides features from Wikipedia like summary, title searches, location API etc.
- workflows - Itself. Eat your own dog-food.
- Stock Analysis - Simple to use interfaces for basic technical analysis of stocks.
- GeneticTabler - Time Table Scheduler using Genetic Algorithms.
- Excel Write - Optimised way to write in excel files.
Feel free to send a PR to add your project in this list if you are relying on these scripts.
Release process
All steps of the release process and version management are automated in the
changelog.yaml
and
release.yaml
workflows.
All there's left to do is to:
- check the open draft
prepare-release
PR and its changes, - click the
Ready for review
button, - click the
Rebase and merge
button, - let the workflows tag the release and set back the
main
branch into a development state.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file gha_utils-4.0.1.tar.gz
.
File metadata
- Download URL: gha_utils-4.0.1.tar.gz
- Upload date:
- Size: 52.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.0 CPython/3.12.4
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | f28d947b270a6344382d82d9e260f641a56a365508e8f9ec02d2bec608e6b010 |
|
MD5 | ce3f98d9671a77a2fd6564ab56d8d3d5 |
|
BLAKE2b-256 | 2f2979e0411e9aa684e06efd2bcf4dbfdcba4b83c00d5b598db3e5f8365d8131 |
File details
Details for the file gha_utils-4.0.1-py3-none-any.whl
.
File metadata
- Download URL: gha_utils-4.0.1-py3-none-any.whl
- Upload date:
- Size: 32.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.0 CPython/3.12.4
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | d4e97a62f12ea6732d8a99d42578a91f0ae169419cdce28974c3776c1f10b558 |
|
MD5 | 210a38f5e13dac3a25cfb6239ea3570d |
|
BLAKE2b-256 | 4035ecf8ce4ce20ca4feb20fa8df52dc52fbe351604bc84b5a6d21df23632196 |