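# Release workflow: validates the release tag, builds the package, publishes
# the Docker image and the PyPI distribution, and attaches the build output
# plus signed source archives to the GitHub release.
name: Release Workflow
run-name: ${{ (github.event.release.prerelease && 'Beta') || 'Prod'}} Release for ${{ github.repository }} - ${{ github.event.release.tag_name }}
on:
  release:
    # Triggered on Pre-Releases and Releases
    types: [released, prereleased]
# Only allow one release at the time (beta and prod releases queue separately,
# because the prerelease flag is part of the group key)
concurrency:
  group: deploy-${{ github.repository }}-release-${{ github.event.release.prerelease }}
# NOTE(review): the third-party actions below are referenced by mutable tags
# (`@v2`, `@v4`, `@v1`, ...). Jobs in this workflow hold `contents: write` and
# `id-token: write`; pin each action to a full commit SHA so that a moved tag
# cannot change the code that runs with those permissions.
jobs:
  define-environment:
    runs-on: ubuntu-latest
    outputs:
      # Release version derived from the tag by semver-tool (see step below)
      version: ${{ steps.get-environment.outputs.version }}
    steps:
      - uses: step-security/harden-runner@v2
        with:
          disable-sudo: true
          egress-policy: audit
      - name: Configure Environment
        id: get-environment
        # The tag name is handed to the script through `env` instead of being
        # interpolated with `${{ }}`: an expression is substituted into the
        # script text before the shell runs, so a tag containing shell
        # metacharacters would otherwise be executed as code.
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          # NOTE(review): semver-tool is fetched from an unpinned branch head at
          # release time. Pin the URL to a specific commit and verify a checksum
          # before executing it, or vendor the script into this repository.
          wget -O /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver
          chmod +x /usr/local/bin/semver
          if [[ $(semver validate "$RELEASE_TAG") == "invalid" ]]; then
            echo "::error title=Invalid Release::Release must be tagged with a valid SemVer version"
            exit 1
          fi
          echo "version=$(semver get release "$RELEASE_TAG")" >> "$GITHUB_OUTPUT"
  build:
    name: Build Package
    needs: define-environment
    uses: ./.github/workflows/build.yaml
    secrets: 'inherit'
    with:
      version: ${{ needs.define-environment.outputs.version }}
      environment: ${{ github.event.release.prerelease && 'beta' || 'prod' }}
  publish-docker:
    # NOTE(review): `deployment_longname` and `deployment_environment` are not
    # declared under `define-environment.outputs` (only `version` is), so both
    # expressions below currently evaluate to the empty string; either add the
    # outputs to `define-environment` or drop the references.
    name: Publish docker image for ${{ needs.define-environment.outputs.deployment_longname }}
    needs: [define-environment, build]
    uses: ./.github/workflows/publish-docker.yaml
    secrets: 'inherit'
    with:
      tag: ${{ github.event.release.tag_name }}${{ needs.define-environment.outputs.deployment_environment }}
      environment: dockerhub
      extra_tag: ${{ github.event.release.prerelease && 'beta' || 'latest' }}
  publish-pypi:
    name: Publish to PyPi
    needs: [define-environment, build]
    runs-on: ubuntu-latest
    environment:
      name: pypi
      # `github.repository` is `owner/name`, which would put a `/` inside the
      # project segment of the URL; the bare repository name is what the
      # PyPI project path needs.
      url: https://pypi.org/project/pantos-${{ github.event.repository.name }}/${{ needs.define-environment.outputs.version }}
    permissions:
      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
      - uses: step-security/harden-runner@v2
        with:
          disable-sudo: true
          egress-policy: audit
      - name: Download build artifact
        uses: actions/download-artifact@v4
        with:
          name: build
          path: dist
      - name: Publish package distributions to PyPi
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          print-hash: true
          repository-url: 'https://upload.pypi.org/legacy/'
  add-assets:
    name: Add Assets to the ${{ github.event.release.tag_name }} Release
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write  # upload assets to the release
      id-token: write  # OIDC token for the sigstore signing step
    steps:
      - uses: step-security/harden-runner@v2
        with:
          disable-sudo: true
          egress-policy: audit
      - uses: actions/download-artifact@v4
        with:
          name: build
          path: release
      - name: Upload release assets
        uses: svenstaro/upload-release-action@v2
        with:
          file: "./release/*"
          file_glob: true
          overwrite: true
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ github.event.release.tag_name }}
      # NOTE(review): the action reference on the next line is mangled in this
      # rendering of the file; restore the exact `<owner>/<action>@<ref>` from
      # the repository (and pin it to a commit SHA).
      - uses: robinraju/[email protected]
        name: Download tarball
        with:
          tag: ${{ github.event.release.tag_name }}
          tarBall: true
          zipBall: true
          fileName: '*'
          out-file-path: external-release
          preRelease: ${{ github.event.release.prerelease }}
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ github.repository }}
      - name: List directory
        run: |
          ls -lha external-release
          # Remove all the files in external-release that are also present in
          # release. A glob loop is used instead of parsing `ls` output so that
          # names containing spaces or glob characters are handled correctly.
          for file in release/*; do
            [ -e "$file" ] || continue
            rm -f "external-release/$(basename "$file")"
          done
      # Signs everything left in external-release (the GitHub-generated source
      # archives); the signatures are uploaded alongside them below.
      - uses: sigstore/gh-action-sigstore-python@v3
        with:
          inputs: external-release/*
      - name: Upload signed source code
        uses: ncipollo/release-action@v1
        with:
          artifacts: "./external-release/*"
          artifactErrorsFailBuild: true
          allowUpdates: true
          tag: ${{ github.event.release.tag_name }}
          token: ${{ secrets.GITHUB_TOKEN }}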