senderkit-sdk-python/.github/workflows/release.yml at main · senderkit/senderkit-sdk-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: Release

# Automated releases via release-please + PyPI Trusted Publishing.
#
# Flow:
#   1. Pushes to main run release-please, which maintains a "release PR" that
#      bumps the version (src/senderkit/_version.py) and CHANGELOG.md from the
#      Conventional Commit history.
#   2. Merging that release PR tags the version + creates the GitHub Release and,
#      in the same run, builds and publishes to PyPI.
#
# Everything stays in ONE workflow run so it does not depend on the GitHub
# Release event (events raised by GITHUB_TOKEN do not trigger other workflows).
#
# One-time repo setup:
#   - Settings → Actions → General → Workflow permissions:
#       enable "Allow GitHub Actions to create and approve pull requests".
#   - A PyPI Trusted Publisher for this repo → workflow "release.yml" →
#     environment "pypi". https://docs.pypi.org/trusted-publishers/

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  release-please:
    name: Release please
    runs-on: ubuntu-latest
    permissions:
      contents: write # create tags + GitHub releases
      pull-requests: write # open/update the release PR
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      - uses: googleapis/release-please-action@v4
        id: release
        with:
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json

  build:
    name: Build distributions
    needs: release-please
    if: needs.release-please.outputs.release_created == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - name: Install build tooling
        run: python -m pip install build twine
      - name: Build sdist and wheel
        run: python -m build
      - name: Check metadata
        run: twine check dist/*
      - name: Verify built version matches the release tag
        env:
          TAG: ${{ needs.release-please.outputs.tag_name }}
        run: |
          # Install the freshly built wheel so we verify the artifact that is
          # about to be published, not an editable/source checkout.
          python -m pip install dist/*.whl
          VERSION="$(python -c 'import senderkit; print(senderkit.__version__)')"
          echo "Package version: $VERSION"
          echo "Release tag:     $TAG"
          if [ "${TAG#v}" != "$VERSION" ]; then
            echo "::error::Release tag ($TAG) does not match package version ($VERSION)."
            exit 1
          fi
      - uses: actions/upload-artifact@v7
        with:
          name: dist
          path: dist/

  publish:
    name: Publish to PyPI
    needs: [release-please, build]
    if: needs.release-please.outputs.release_created == 'true'
    runs-on: ubuntu-latest
    environment:
      name: pypi
      url: https://pypi.org/p/senderkit
    permissions:
      contents: read
      id-token: write # required for Trusted Publishing
    steps:
      - uses: actions/download-artifact@v8
        with:
          name: dist
          path: dist/
      - name: Publish
        uses: pypa/gh-action-pypi-publish@release/v1