Browse Source

build: build and sign sdist in travis using an RSA sign-only key (#1701)

* deploy: automatically deploy sdist and wheel builds to PyPI.

* build: limit deploys to streamlink repo

* build: remove pypi methods from release script

* build: build and sign sdist in travis using an RSA sign-only key

* build: combine the build and sign with pypi deploy
pull/1708/head
beardypig 3 years ago
committed by Forrest
parent
commit
c408ec6dee
  1. 3
      .gitignore
  2. 26
      .travis.yml
  3. 19
      script/release.sh
  4. 33
      script/sdistsign.sh
  5. BIN
      signing.key.enc

3
.gitignore

@ -44,6 +44,9 @@ share/
pip-selfcheck.json
.pytest_cache/
# ignore any key files
*.key
# coverage
.coverage
coverage.xml

26
.travis.yml

@ -1,11 +1,16 @@
language: python
env:
global:
- STREAMLINK_DIST_DIR=${TRAVIS_BUILD_DIR}/dist
- STREAMLINK_INSTALLER_DIST_DIR=${STREAMLINK_DIST_DIR}/nsis
- SDIST_KEY_FILE="${TRAVIS_BUILD_DIR}/signing.key"
matrix:
include:
- python: '2.7'
- python: '3.4'
- python: '3.5'
env: BUILD_DOCS=yes BUILD_INSTALLER=yes STREAMLINK_INSTALLER_DIST_DIR=$TRAVIS_BUILD_DIR/dist/nsis
env: BUILD_DOCS=yes BUILD_INSTALLER=yes BUILD_SDIST=yes DEPLOY_PYPI=yes
- python: '3.6'
- python: '3.7-dev'
allow_failures:
@ -23,7 +28,6 @@ install:
script:
- pytest --cov
# test building the docs
- if [[ $BUILD_DOCS == 'yes' ]]; then make --directory=docs html; fi
- if [[ $BUILD_INSTALLER == 'yes' ]]; then ./script/makeinstaller.sh; fi
@ -49,12 +53,23 @@ deploy:
on:
tags: true
condition: $BUILD_INSTALLER = yes
repo: streamlink/streamlink
- provider: releases
api_key: "${RELEASES_API_KEY}"
file: "${STREAMLINK_DIST_DIR}/streamlink-${TRAVIS_TAG}*"
file_glob: true
skip_cleanup: true
on:
tags: true
condition: "$BUILD_SDIST = yes"
repo: streamlink/streamlink
- provider: script
script: python script/github_releases.py
skip_cleanup: true
on:
tags: true
condition: $BUILD_INSTALLER == yes
repo: streamlink/streamlink
- provider: bintray
file: build/bintray-nightly.json
user: "${BINTRAY_USER}"
@ -63,6 +78,13 @@ deploy:
on:
branch: master
condition: $BUILD_INSTALLER == yes && $TRAVIS_EVENT_TYPE == cron
repo: streamlink/streamlink
- provider: script
script: ./script/sdistsign.sh
on:
tags: true
condition: $BUILD_SDIST == yes
repo: streamlink/streamlink
after_deploy:
- if [[ "$BUILD_INSTALLER" == 'yes' && "$TRAVIS_EVENT_TYPE" == 'cron' ]]; then ./script/bintrayupdate.sh; fi

19
script/release.sh

@ -182,17 +182,6 @@ push() {
echo "!!!"
}
upload_pypi_test() {
cd $CLI
python setup.py sdist upload -r pypitest
cd ..
}
upload_pypi() {
cd $CLI
python setup.py sdist upload -r pypi
cd ..
}
clean() {
rm -rf $CLI $CLI-$1 $CLI-$1.tar.gz $CLI-$1.tar.gz.asc $CLI-$1.exe changes.txt
@ -234,8 +223,6 @@ main() {
"Create PR"
"Tarball and sign - requires gpg key"
"Upload the tarball and source code to GitHub release page"
"Test upload to pypi"
"Upload to pypi"
"Clean"
"Quit")
select opt in "${options[@]}"
@ -260,12 +247,6 @@ main() {
"Upload the tarball and source code to GitHub release page")
push $VERSION
;;
"Test upload to pypi")
upload_pypi_test
;;
"Upload to pypi")
upload_pypi
;;
"Clean")
clean $VERSION
;;

33
script/sdistsign.sh

@ -0,0 +1,33 @@
#!/usr/bin/env bash
set -e
KEY_ID=2E390FA0
KEY_FILE=${SDIST_KEY_FILE:-signing.key}
version=$(python setup.py --version)
dist_dir=${STREAMLINK_DIST_DIR:-dist}
temp_keyring=$(mktemp -d) && trap "rm -rf ${temp_keyring}" EXIT || exit 255
if [[ -n "${TRAVIS}" ]]; then
openssl aes-256-cbc -K ${encrypted_eeb8b970d3a3_key} -iv ${encrypted_eeb8b970d3a3_iv} -in signing.key.enc -out "${SDIST_KEY_FILE}" -d
fi
echo "build: Installing twine and wheel" >&2
pip -q install twine wheel
echo "build: Building streamlink sdist and wheel" >&2
python setup.py -q sdist bdist_wheel --dist-dir "${dist_dir}"
echo "build: Signing sdist and wheel files" >&2
gpg --homedir "${temp_keyring}" --import "${KEY_FILE}" 2>&1 > /dev/null
gpg --homedir "${temp_keyring}" --trust-model always --default-key "${KEY_ID}" --detach-sign --armor "${dist_dir}/streamlink-${version}.tar.gz"
gpg --homedir "${temp_keyring}" --trust-model always --default-key "${KEY_ID}" --detach-sign --armor "${dist_dir}/streamlink-${version}-py2.py3-none-any.whl"
if [[ "${DEPLOY_PYPI}" == "yes" ]]; then
echo "build: Uploading sdist and wheel to PyPI" >&2
twine upload --username "${PYPI_USER}" --password "${PYPI_PASSWORD}" \
"${dist_dir}/streamlink-${version}.tar.gz" \
"${dist_dir}/streamlink-${version}.tar.gz.asc" \
"${dist_dir}/streamlink-${version}-py2.py3-none-any.whl" \
"${dist_dir}/streamlink-${version}-py2.py3-none-any.whl.asc"
fi

BIN
signing.key.enc

Binary file not shown.
Loading…
Cancel
Save