* NOTE: the release workflows' new handling of secrets may be a breaking change for forks that are using any secrets other than GPG_SIGNING_KEY or ARCHIVE_REPO_TOKEN. Previously, the release workflow would try to resolve a token secret name based on the `target` or `source` input, e.g. NIGHTLY_ARCHIVE_REPO_TOKEN or CUSTOM_ARCHIVE_REPO_TOKEN, and then fall back to using the ARCHIVE_REPO_TOKEN secret if the resolved token secret name was not found in the repository. This behavior has been replaced: the release workflow now always uses the ARCHIVE_REPO_TOKEN secret as the token for publishing releases to any external archive repository.
* Add zizmor CI job for auditing workflows
* Pin all actions to commit hashes instead of symbolic references
* Explicitly set GITHUB_TOKEN permissions at the job level
* Use actions/checkout with `persist-credentials: false` whenever possible
* Remove/replace template expansions in workflow scripts
* Remove all usage of actions/cache from build/release workflows
* Remove the cache-warmer.yml workflow
* Remove the unused download.yml workflow
* Set concurrency limits for any workflows that are triggered by PRs
* Avoid loading the entire secrets context
* Replace usage of `secrets: inherit` with explicit `secrets:` blocks
* Pin all external docker images that are used by the build workflow to hashes
* Explicitly set `shell: bash` for some steps to avoid pwsh or to set pipefail
* Ensure any pwsh steps will fail on non-zero exit codes
Authored by: bashonly
# Nightly release pipeline: once a day, look for build-relevant commits in the
# last 24 hours and, if any exist, run the shared release workflow as a
# prerelease and (when configured) publish the resulting package to PyPI.
name: Release (nightly)

on:
  schedule:
    # Daily at 23:23 UTC. The commit check below looks back exactly 24 hours,
    # so a delayed or skipped scheduled run could miss (or double-count)
    # commits near the window boundary — TODO confirm this is acceptable.
    - cron: '23 23 * * *'

# No default GITHUB_TOKEN scopes at the workflow level; every job declares
# only the scopes it needs.
permissions: {}

jobs:
  check_nightly:
    name: Check for new commits
    # Repository variable used as an opt-in switch (e.g. so forks do not run
    # the nightly pipeline unless they enable it).
    if: vars.BUILD_NIGHTLY
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      # Hash of the newest relevant commit in the last 24 hours, or the empty
      # string when there is none (the release job keys off this).
      commit: ${{ steps.check_for_new_commits.outputs.commit }}
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # Full history is required for `git log --since` to see past commits.
          fetch-depth: 0
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      - name: Check for new commits
        id: check_for_new_commits
        # Explicit bash so the runner's default `-e -o pipefail` flags apply.
        shell: bash
        # The script contains no ${{ }} expansions, so nothing from the event
        # or from variables is interpolated into the shell; its only output is
        # a git hash. `:!yt_dlp/version.py` is a pathspec exclude, so a
        # version-bump-only commit does not count as new work.
        # Note: `tee` without `-a` truncates $GITHUB_OUTPUT rather than
        # appending; harmless here because this is the step's only output.
        run: |
          relevant_files=(
            "yt_dlp/*.py"
            ':!yt_dlp/version.py'
            "bundle/*.py"
            "bundle/docker/compose.yml"
            "bundle/docker/linux/*"
            "pyproject.toml"
            "Makefile"
            ".github/workflows/build.yml"
            ".github/workflows/release.yml"
            ".github/workflows/release-nightly.yml"
          )
          echo "commit=$(git log --format=%H -1 --since="24 hours ago" -- "${relevant_files[@]}")" | tee "$GITHUB_OUTPUT"

  release:
    name: Publish Github release
    needs: [check_nightly]
    # An empty `commit` output (no new commits) is falsy, so the release and
    # everything downstream of it is skipped.
    if: ${{ needs.check_nightly.outputs.commit }}
    # Scopes granted to the called reusable workflow; it cannot exceed these.
    permissions:
      contents: write # May be needed to publish release
      id-token: write # Needed for trusted publishing
    uses: ./.github/workflows/release.yml
    with:
      prerelease: true
      # Repositories other than upstream that set NIGHTLY_ARCHIVE_REPO publish
      # from that value; otherwise the source is 'nightly'.
      source: ${{ (github.repository != 'yt-dlp/yt-dlp' && vars.NIGHTLY_ARCHIVE_REPO) || 'nightly' }}
      target: 'nightly'
    # Only these two secrets are forwarded (explicit block instead of
    # `secrets: inherit`, so the reusable workflow never sees other secrets).
    secrets:
      ARCHIVE_REPO_TOKEN: ${{ secrets.ARCHIVE_REPO_TOKEN }}
      GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}

  publish_pypi:
    name: Publish to PyPI
    needs: [release]
    # Opt-in via repository variable; skipped when unset.
    if: vars.NIGHTLY_PYPI_PROJECT
    # Only the OIDC token scope: no checkout and no repository write access
    # are needed to upload the already-built artifact.
    permissions:
      id-token: write # Needed for trusted publishing
    runs-on: ubuntu-latest
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          path: dist
          # Artifact name is assumed to match what release.yml uploads —
          # verify against that workflow when changing either side.
          name: build-pypi
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        # No `password` input is given, so the action is expected to
        # authenticate via OIDC trusted publishing (hence id-token: write).
        with:
          verbose: true