GitHub Actions workflows (#30)

* set up initial GitHub Actions workflows

* adjust release tox targets to not rely on .pypirc

* pass through twine configuration values

* fix PyPI publish step name

.github/workflows/ci_static-analysis.yaml

@@ -0,0 +1,4 @@
+# This workflow runs static analysis checks on pull requests.
+name: Static Analysis
+
+on: [pull_request]

.github/workflows/ci_tests.yaml

@@ -0,0 +1,4 @@
+# This workflow runs tests on pull requests.
+name: Static Analysis
+
+on: [pull_request]

.github/workflows/gitflow_pr-router.yaml

@@ -0,0 +1,26 @@
+# This workflow routes pull requests to the correct branch
+name: pull request router
+
+on: [pull_request]
+
+jobs:
+  send to develop:
+    # Move any PRs to master that do *not* come from development
+    if: github.base_ref == 'master' && github.head_ref != 'development'
+    runs-on: ubuntu-latest
+    steps:
+      - name: switch
+        uses: actions/github-script@0.4.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            github.pulls.update({
+              pull_number: context.issue.number,
+              base: 'development',
+              ...context.repo
+            })
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              body: 'Moving target to development branch.',
+              ...context.repo
+            })

.github/workflows/gitflow_promote-to-master.yaml

@@ -0,0 +1,22 @@
+# This workflow promotes pushes to development to master
+name: Promote development to master
+
+on:
+  push:
+    branches:
+      - development
+
+jobs:
+  promote-to-master:
+    name: Promote dev branch to master
+    runs-on: ubuntu-latest
+    steps:
+      - name: promote
+        uses: vsoch/pull-request-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH_PREFIX: development
+          PULL_REQUEST_BRANCH: master
+          PULL_REQUEST_TITLE: Promote development to master
+          PULL_REQUEST_BODY: |
+            Automatic promotion from development to master.

.github/workflows/ops_pr-post-merge.yaml

@@ -0,0 +1,14 @@
+# This workflow runs any cleanup or other behavior after a PR has been merged.
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: clean up source branch
+        uses: jessfraz/branch-cleanup-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ops_publish-to-pypi.yaml

@@ -0,0 +1,43 @@
+# This workflow publishes to PyPI whenever we publish a GitHub release.
+name: Publish to PyPI
+
+on:
+  releases:
+    types:
+      - published
+
+jobs:
+  test-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.x
+      - run: |
+          python -m pip install --upgrade pip
+          pip install --upgrade -r ci-requirements.txt
+      - name: publish to test-PyPI
+        env:
+          TOXENV: test-release
+          TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}
+        run: tox -- -vv
+  release:
+    # Only run if test-release succeeded.
+    needs: test-release
+    # I'm putting this as a separate job rather than another step
+    # so that we can be certain that there is no cross-contamination.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v1
+        with:
+          python-version: 3.x
+      - run: |
+          python -m pip install --upgrade pip
+          pip install --upgrade -r ci-requirements.txt
+      - name: publish to PyPI
+        env:
+          TOXENV: release
+          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+        run: tox -- -vv

tox.ini

@@ -20,6 +20,12 @@ commands = pytest --basetemp={envtmpdir} -l --cov base64io {posargs}
 
 [testenv]
 sitepackages = False
+passenv =
+    # Pass through PyPI variables to tell secrets-helper where to look
+    PYPI_SECRET_ARN TEST_PYPI_SECRET_ARN \
+    # Pass through twine password -- remove this once secrets-helper is fixed
+    # https://github.com/awslabs/secrets-helper/issues/15
+    TWINE_PASSWORD
 deps =
     py26: -rtest/requirements/legacy
     py27: -rtest/requirements/modern
@@ -262,19 +268,24 @@ commands =
 [testenv:test-release]
 basepython = {[testenv:default-python]basepython}
 skip_install = true
+setenv =
+    TWINE_USERNAME = __token__
 deps =
     {[testenv:build]deps}
     twine
 commands =
     {[testenv:build]commands}
-    twine upload --skip-existing --repository testpypi dist/*
+    twine upload --skip-existing dist/*
 
 [testenv:release]
 basepython = {[testenv:default-python]basepython}
 skip_install = true
+setenv =
+    TWINE_REPOSITORY_URL = https://test.pypi.org/legacy/
+    TWINE_USERNAME = __token__
 deps =
     {[testenv:build]deps}
     twine
 commands =
     {[testenv:build]commands}
-    twine upload --skip-existing --repository pypi dist/*
+    twine upload --skip-existing dist/*