name: CD
concurrency: cd

on:
  push:
    tags:
      - v*

permissions: {}

jobs:
  test:
    uses: ./.github/workflows/_test.yml

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: test
    steps:
      - name: Checkout release tag
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
        with:
          ref: ${{ github.event.workflow_run.head_branch }}

      - name: Set up Python
        uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912
        with:
          python-version: '3.x'

      - name: Install build dependency
        run: python3 -m pip install --constraint requirements-build.txt build

      - name: Build binary wheel and source tarball
        run: python3 -m build --sdist --wheel --outdir dist/ .

      - name: Store build artifacts
        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
        # NOTE: The GitHub release page contains the release artifacts too, but using
        # GitHub upload/download actions seems robuster: there is no need to compute
        # download URLs and tampering with artifacts between jobs is more limited.
        with:
          name: build-artifacts
          path: dist

  candidate_release:
    name: Release candidate on Github for review
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write # to modify GitHub releases
    outputs:
      release_id: ${{ steps.gh-release.outputs.id }}
    steps:
      - name: Fetch build artifacts
        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
        with:
          name: build-artifacts
          path: dist

      - id: gh-release
        name: Publish GitHub release candidate
        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
        with:
          name: ${{ github.ref_name }}-rc
          tag_name: ${{ github.ref }}
          body: "Release waiting for review..."
          files: dist/*


  release:
    name: Release
    runs-on: ubuntu-latest
    needs: candidate_release
    environment: release
    permissions:
      contents: write # to modify GitHub releases
    steps:
      - name: Fetch build artifacts
        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
        with:
          name: build-artifacts
          path: dist

      - name: Publish binary wheel and source tarball on PyPI
        # Only attempt pypi upload in upstream repository
        if: github.repository == 'theupdateframework/python-tuf'
        uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc
        with:
          user: __token__
          password: ${{ secrets.PYPI_API_TOKEN }}

      - name: Finalize GitHub release
        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0
        with:
          script: |
            await github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: '${{ needs.candidate_release.outputs.release_id }}',
              name: '${{ github.ref_name }}',
              body: 'See [CHANGELOG.md](https://github.com/' +
                     context.repo.owner + '/' + context.repo.repo +
                    '/blob/${{ github.ref_name }}/docs/CHANGELOG.md) for details.'
            })