python-tuf/.github/workflows/cd.yml

name: CD
concurrency: cd

on:
  push:
    tags:
      - v*

permissions: {}

jobs:
  test:
    uses: ./.github/workflows/_test.yml

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: test
    steps:
      - name: Checkout release tag
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          ref: ${{ github.event.workflow_run.head_branch }}

      - name: Set up Python
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: '3.x'

      - name: Install build dependency
        run: python3 -m pip install --constraint requirements/build.txt build

      - name: Build binary wheel, source tarball and changelog
        run: |
          python3 -m build --sdist --wheel --outdir dist/ .
          awk "/## $GITHUB_REF_NAME/{flag=1; next} /## v/{flag=0} flag" docs/CHANGELOG.md > changelog          

      - name: Store build artifacts
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: build-artifacts
          path: |
            dist
            changelog            

  candidate_release:
    name: Release candidate on Github for review
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write # to modify GitHub releases
    outputs:
      release_id: ${{ steps.gh-release.outputs.result }}
    steps:
      - name: Fetch build artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: build-artifacts

      - id: gh-release
        name: Publish GitHub release draft
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            fs = require('fs')
            res = await github.rest.repos.createRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              name: process.env.REF_NAME + '-rc',
              tag_name: process.env.REF,
              body: fs.readFileSync('changelog', 'utf8'),
            });

            fs.readdirSync('dist/').forEach(file => {
              github.rest.repos.uploadReleaseAsset({
                owner: context.repo.owner,
                repo: context.repo.repo,
                release_id: res.data.id,
                name: file,
                data: fs.readFileSync('dist/' + file),
              });
            });
            return res.data.id            
        env:
          REF_NAME: ${{ github.ref_name }}
          REF: ${{ github.ref }}

  release:
    name: Release
    runs-on: ubuntu-latest
    needs: candidate_release
    environment: release
    permissions:
      contents: write # to modify GitHub releases
      id-token: write # to authenticate as Trusted Publisher to pypi.org
    steps:
      - name: Fetch build artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: build-artifacts

      - name: Publish binary wheel and source tarball on PyPI
        # Only attempt pypi upload in upstream repository
        if: github.repository == 'theupdateframework/python-tuf'
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0

      - name: Finalize GitHub release
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: process.env.RELEASE_ID,
              name: process.env.REF_NAME,
            })            
        
        env:
          REF_NAME: ${{ github.ref_name }}
          RELEASE_ID: ${{ needs.candidate_release.outputs.release_id }}