pypi.yaml

# SPDX-License-Identifier: Apache-2.0

name: Build, test, and upload PyPI package

on:
    push:
        branches:
            - "main"
            - "release-**"
        tags:
            - "v*"
    pull_request:
        branches:
            - "main"
            - "release-**"
    release:
        types:
            - published

env:
    LC_ALL: en_US.UTF-8

defaults:
    run:
        shell: bash

permissions:
    contents: read

jobs:
    # Create and verify release artifacts
    # - build source dist (tar ball) and wheel
    # - validate artifacts with various tools
    # - upload artifacts to GHA
    build-package:
        name: Build and check packages
        runs-on: ubuntu-latest
        steps:
            - name: "Checkout"
              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
              with:
                  # for setuptools-scm
                  fetch-depth: 0

            - name: "Build and Inspect"
              uses: hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0

    # push to Test PyPI on
    # - a new GitHub release is published
    # - a PR is merged into main branch
    publish-test-pypi:
        name: Publish packages to test.pypi.org
        # environment: publish-test-pypi
        if: ${{ (github.repository_owner == 'instructlab') && ((github.event.action == 'published') || ((github.event_name == 'push') && (github.ref == 'refs/heads/main'))) }}
        permissions:
            contents: read
            # see https://docs.pypi.org/trusted-publishers/
            id-token: write
        runs-on: ubuntu-latest
        needs: build-package

        steps:
            - name: "Download build artifacts"
              uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
              with:
                  name: Packages
                  path: dist

            - name: "Upload to Test PyPI"
              uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
              with:
                  repository-url: https://test.pypi.org/legacy/

    # push to Production PyPI on
    # - a new GitHub release is published
    publish-pypi:
        name: Publish release to pypi.org
        # environment: publish-pypi
        if: ${{ (github.repository_owner == 'instructlab') && (github.event.action == 'published') }}
        permissions:
            # see https://docs.pypi.org/trusted-publishers/
            id-token: write
            # allow gh release upload
            contents: write

        runs-on: ubuntu-latest
        needs: build-package

        steps:
            - name: "Download build artifacts"
              uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
              with:
                  name: Packages
                  path: dist

            - name: "Sigstore sign package"
              uses: sigstore/gh-action-sigstore-python@f7ad0af51a5648d09a20d00370f0a91c3bdf8f84 # v3.0.1
              with:
                  release-signing-artifacts: false
                  inputs: |
                      ./dist/*.tar.gz
                      ./dist/*.whl

            - name: "Upload artifacts and signatures to GitHub release"
              run: |
                  gh release upload '${{ github.ref_name }}' dist/* --repo '${{ github.repository }}'
              env:
                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

            # PyPI does not accept .sigstore artifacts and
            # gh-action-pypi-publish has no option to ignore them.
            - name: "Remove sigstore signatures before uploading to PyPI"
              run: |
                  rm ./dist/*.sigstore.json

            - name: "Upload to PyPI"
              uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4