Restructure ci/cd workflows to make more robust (WIP)

Implements suggestion from
theupdateframework#1961

Also adds permissions to CD workflow
(creating releases requires contents: write)

TODO:
- proof-read
- write commit message
- PR

Signed-off-by: Lukas Puehringer <[email protected]>

Author: lukpueh

.github/workflows/_test.yml

@@ -0,0 +1,90 @@
+on:
+  workflow_call:
+  # Permissions inherited from caller workflow
+
+
+jobs:
+  tests:
+    name: Tests
+    strategy:
+      fail-fast: false
+      # Run regular TUF tests on each OS/Python combination, plus special tests
+      # (sslib master) and linters on Linux/Python3.x only.
+      matrix:
+        python-version: ["3.7", "3.8", "3.9", "3.10"]
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        toxenv: [py]
+        include:
+          - python-version: 3.x
+            os: ubuntu-latest
+            toxenv: with-sslib-master
+            experimental: true
+          - python-version: 3.x
+            os: ubuntu-latest
+            toxenv: lint
+
+    env:
+      # Set TOXENV env var to tell tox which testenv (see tox.ini) to use
+      # NOTE: The Python 2.7 runner has two Python versions on the path (see
+      # setup-python below), so we tell tox explicitly to use the 'py27'
+      # testenv. For all other runners the toxenv configured above suffices.
+      TOXENV: ${{ matrix.toxenv }}
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout TUF
+        uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          cache-dependency-path: 'requirements*.txt'
+
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade tox coveralls
+
+      - name: Run tox (${{ env.TOXENV }})
+        # See TOXENV environment variable for the testenv to be executed here
+        run: tox
+
+      - name: Publish on coveralls.io
+        # A failure to publish coverage results on coveralls should not
+        # be a reason for a job failure.
+        continue-on-error: true
+        # TODO: Maybe make 'lint' a separate job instead of case handling here
+        if: ${{ env.TOXENV != 'lint' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COVERALLS_FLAG_NAME: ${{ runner.os }} / Python ${{ matrix.python-version }} / ${{ env.TOXENV }}
+          COVERALLS_PARALLEL: true
+        # Use cp workaround to publish coverage reports with relative paths
+        # FIXME: Consider refactoring the tests to not require the test
+        # aggregation script being invoked from the `tests` directory, so
+        # that `.coverage` is written to and .coveragrc can also reside in
+        # the project root directory as is the convention.
+        run: |
+          cp tests/.coverage .
+          coveralls --service=github --rcfile=tests/.coveragerc
+
+  coveralls-fin:
+    # Always run when all 'tests' jobs have finished even if they failed
+    # TODO: Replace always() with a 'at least one job succeeded' expression
+    if: always()
+    needs: tests
+    runs-on: ubuntu-latest
+    container: python:3-slim
+    steps:
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade coveralls
+      - name: Finalize publishing on coveralls.io
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: coveralls --finish

.github/workflows/cd.yml

@@ -1,21 +1,22 @@
 name: CD
 concurrency: cd
 
-# Trigger workflow on any completed CI (see further checks below)
 on:
-  workflow_run:
-    workflows: [CI]
-    types: [completed]
+  push:
+    tags:
+      - v*
+
+permissions:
+  contents: write
 
 jobs:
+  test:
+    uses: ./.github/workflows/_test.yml
+
   build:
     name: Build
     runs-on: ubuntu-latest
-    # Skip unless CI was successful and ran on release tag, a ref starting with 'v'.
-    # NOTE: We assume CI does not trigger on branches that start with 'v' (see #1961)
-    if: >-
-      github.event.workflow_run.conclusion == 'success' &&
-      startsWith(github.event.workflow_run.head_branch, 'v')
+    needs: test
     outputs:
       release_id: ${{ steps.gh-release.outputs.id }}
     steps:
@@ -39,8 +40,8 @@ jobs:
         name: Publish GitHub release candiate
         uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
         with:
-          name: ${{ github.event.workflow_run.head_branch }}-rc
-          tag_name: ${{ github.event.workflow_run.head_branch }}
+          name: ${{ github.ref_name }}-rc
+          tag_name: ${{ github.ref }}
           body: "Release waiting for review..."
           files: dist/*
 
@@ -69,6 +70,7 @@ jobs:
         uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295
         with:
           user: __token__
+          repository_url: https://test.pypi.org/legacy/
           password: ${{ secrets.PYPI_API_TOKEN }}
 
       - name: Finalize GitHub release
@@ -79,9 +81,8 @@ jobs:
               owner: context.repo.owner,
               repo: context.repo.repo,
               release_id: '${{ needs.build.outputs.release_id }}',
-              name: '${{ github.event.workflow_run.head_branch }}',
+              name: '${{ github.ref_name }}',
               body: 'See [CHANGELOG.md](https://github.com/' +
-                     context.repo.owner + '/' + context.repo.repo + '/blob/' +
-                     '${{ github.event.workflow_run.head_branch }}'+
-                     '/docs/CHANGELOG.md) for details.'
+                     context.repo.owner + '/' + context.repo.repo +
+                    '/blob/${{ github.ref_name }}/docs/CHANGELOG.md) for details.'
             })

.github/workflows/ci.yml

@@ -1,12 +1,9 @@
 name: CI
 
 on:
-  # NOTE: CD relies on this configuration (see #1961)
   push:
     branches:
-      - develop
-    tags:
-      - v*
+      - robust-ci-cd
 
   pull_request:
   workflow_dispatch:
@@ -15,87 +12,5 @@ permissions:
   contents: read
 
 jobs:
-  tests:
-    name: Tests
-    strategy:
-      fail-fast: false
-      # Run regular TUF tests on each OS/Python combination, plus special tests
-      # (sslib master) and linters on Linux/Python3.x only.
-      matrix:
-        python-version: ["3.7", "3.8", "3.9", "3.10"]
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        toxenv: [py]
-        include:
-          - python-version: 3.x
-            os: ubuntu-latest
-            toxenv: with-sslib-master
-            experimental: true
-          - python-version: 3.x
-            os: ubuntu-latest
-            toxenv: lint
-
-    env:
-      # Set TOXENV env var to tell tox which testenv (see tox.ini) to use
-      # NOTE: The Python 2.7 runner has two Python versions on the path (see
-      # setup-python below), so we tell tox explicitly to use the 'py27'
-      # testenv. For all other runners the toxenv configured above suffices.
-      TOXENV: ${{ matrix.toxenv }}
-
-    runs-on: ${{ matrix.os }}
-
-    steps:
-      - name: Checkout TUF
-        uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: 'pip'
-          cache-dependency-path: 'requirements*.txt'
-
-      - name: Install dependencies
-        run: |
-          python3 -m pip install --upgrade pip
-          python3 -m pip install --upgrade tox coveralls
-
-      - name: Run tox (${{ env.TOXENV }})
-        # See TOXENV environment variable for the testenv to be executed here
-        run: tox
-
-      - name: Publish on coveralls.io
-        # A failure to publish coverage results on coveralls should not
-        # be a reason for a job failure.
-        continue-on-error: true
-        # TODO: Maybe make 'lint' a separate job instead of case handling here
-        if: ${{ env.TOXENV != 'lint' }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COVERALLS_FLAG_NAME: ${{ runner.os }} / Python ${{ matrix.python-version }} / ${{ env.TOXENV }}
-          COVERALLS_PARALLEL: true
-        # Use cp workaround to publish coverage reports with relative paths
-        # FIXME: Consider refactoring the tests to not require the test
-        # aggregation script being invoked from the `tests` directory, so
-        # that `.coverage` is written to and .coveragrc can also reside in
-        # the project root directory as is the convention.
-        run: |
-          cp tests/.coverage .
-          coveralls --service=github --rcfile=tests/.coveragerc
-
-  coveralls-fin:
-    # Always run when all 'tests' jobs have finished even if they failed
-    # TODO: Replace always() with a 'at least one job succeeded' expression
-    if: always()
-    needs: tests
-    runs-on: ubuntu-latest
-    container: python:3-slim
-    steps:
-      - name: Install dependencies
-        run: |
-          python3 -m pip install --upgrade pip
-          python3 -m pip install --upgrade coveralls
-      - name: Finalize publishing on coveralls.io
-        continue-on-error: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: coveralls --finish
+  test:
+    uses: ./.github/workflows/_test.yml