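# Release pipeline: on a pushed v* tag, run lint and tests, verify the tag's
# GPG signature and version, build the distributions, upload them to Jazzband,
# and publish a Sigstore-signed GitHub pre-release.
#
# NOTE(review): every third-party `uses:` below is referenced by a mutable tag
# or branch (@v6, @v7, @v3, @release/v1.13, @v3.1.0). Two of the jobs hold the
# release upload key or `id-token: write`; pinning each action to a full
# commit SHA would stop an upstream tag move from changing what runs here.
name: Publish Release

# Read-only token by default; jobs that need more declare it themselves.
permissions: read-all

concurrency:
  # stop previous release runs if tag is recreated
  group: release-${{ github.ref }}
  cancel-in-progress: true

on:
  push:
    tags:
      - 'v*'  # only publish on version tags (e.g. v1.0.0)

jobs:

  lint:
    if: github.repository == 'jazzband/django-polymorphic'
    name: Lint
    permissions:
      contents: read
      # NOTE(review): confirm what lint.yml needs actions: write for.
      actions: write
    uses: ./.github/workflows/lint.yml
    # NOTE(review): `inherit` passes every repository secret, including the
    # release upload key used further down, to the called workflow. Pass only
    # the secrets lint.yml actually reads, if any.
    secrets: inherit

  test:
    if: github.repository == 'jazzband/django-polymorphic'
    name: Test
    permissions:
      contents: read
      # NOTE(review): confirm what test.yml needs actions: write for.
      actions: write
    uses: ./.github/workflows/test.yml
    # NOTE(review): same as the lint job; prefer an explicit secrets list.
    secrets: inherit

  build:
    if: github.repository == 'jazzband/django-polymorphic'
    name: Build Package
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): no step visible in this job obviously needs
      # actions: write; confirm before narrowing.
      actions: write
    outputs:
      PACKAGE_NAME: ${{ steps.set-package.outputs.package_name }}
      RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }}
    steps:
      - uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v6
        id: sp
        with:
          python-version: "3.13"  # for tomllib
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Setup Just
        uses: extractions/setup-just@v3
      - name: Install Dependencies
        env:
          # Passed through the environment so the value is never spliced into
          # the script text.
          PYTHON_PATH: ${{ steps.sp.outputs.python-path }}
        run: |
          just setup "$PYTHON_PATH"
          sudo apt-get install -y gettext
      - name: Verify Tag
        run: |
          # a failed key download must fail the step, not just the pipeline's
          # last command
          set -o pipefail
          TAG_NAME=${GITHUB_REF#refs/tags/}
          echo "Verifying tag $TAG_NAME..."
          # if a tag was deleted and recreated we may have the old one cached
          # be sure that we're publishing the current tag!
          git fetch --force origin "refs/tags/$TAG_NAME:refs/tags/$TAG_NAME"

          # verify signature
          # The keys come from the account that pushed the tag, so this shows
          # the tag was signed with a key registered on the pusher's GitHub
          # account; it does not check the signer against a maintainer list.
          # NOTE(review): consider verifying against pinned maintainer key
          # fingerprints instead of whatever the account currently publishes.
          curl -fsSL "https://github.com/${GITHUB_ACTOR}.gpg" | gpg --import
          git tag -v "$TAG_NAME"

          # verify version
          RELEASE_VERSION=$(just validate_version "$TAG_NAME")

          # export the release version
          echo "RELEASE_VERSION=${RELEASE_VERSION}" >> "$GITHUB_ENV"
      - name: Build the binary wheel and a source tarball
        run: just build
      - name: Store the distribution packages
        uses: actions/upload-artifact@v6
        with:
          name: python-package-distributions
          path: dist/
      - name: Set Package Name
        id: set-package
        # Block scalar so the assignment and the echo lines run as separate
        # shell commands; folded onto one line the echo would expand
        # ${PACKAGE_NAME} before it is set.
        run: |
          PACKAGE_NAME=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['name'])")
          echo "PACKAGE_NAME=${PACKAGE_NAME}" >> "$GITHUB_ENV"
          # The job outputs above read steps.set-package.outputs.*, which is
          # populated from GITHUB_OUTPUT only. RELEASE_VERSION was exported to
          # the environment by the Verify Tag step.
          echo "package_name=${PACKAGE_NAME}" >> "$GITHUB_OUTPUT"
          echo "release_version=${RELEASE_VERSION}" >> "$GITHUB_OUTPUT"

  publish-to-jazzband:
    name: Publish to Jazzband
    needs:
      - lint
      - test
      - build
    runs-on: ubuntu-latest
    # No job-level permissions block: this job runs with the workflow-level
    # read-all token.
    steps:
      - name: Download all the dists
        uses: actions/download-artifact@v6
        with:
          name: python-package-distributions
          path: dist/
      - name: Upload Package to Jazzband
        # NOTE(review): release/v1.13 is a branch ref, and this step receives
        # the upload key; a commit SHA pin is the safer reference.
        uses: pypa/gh-action-pypi-publish@release/v1.13
        with:
          user: jazzband
          password: ${{ secrets.JAZZBAND_RELEASE_KEY }}
          attestations: false
          repository-url: https://jazzband.co/projects/django-polymorphic/upload
          verbose: true

  github-release:
    name: Publish GitHub Release
    runs-on: ubuntu-latest
    needs:
      - lint
      - test
      - build
    permissions:
      contents: write  # IMPORTANT: mandatory for making GitHub Releases
      id-token: write  # IMPORTANT: mandatory for sigstore

    steps:
      - name: Download all the dists
        uses: actions/download-artifact@v6
        with:
          name: python-package-distributions
          path: dist/
      - name: Sign the dists with Sigstore
        uses: sigstore/gh-action-sigstore-python@v3.1.0
        with:
          inputs: >-
            ./dist/*.tar.gz
            ./dist/*.whl
      - name: Create GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
          # The tag name is chosen by whoever pushes the tag; hand it to the
          # shell as data rather than expanding it into the script.
          TAG_NAME: ${{ github.ref_name }}
        run: >-
          gh release create
          "$TAG_NAME"
          --repo "$GITHUB_REPOSITORY"
          --generate-notes
          --prerelease
      - name: Upload artifact signatures to GitHub Release
        env:
          GITHUB_TOKEN: ${{ github.token }}
          # Same reason as in the Create GitHub Release step: keep the tag
          # name out of the script text.
          TAG_NAME: ${{ github.ref_name }}
        # Upload to GitHub Release using the `gh` CLI.
        # `dist/` contains the built packages, and the
        # sigstore-produced signatures and certificates.
        run: >-
          gh release upload
          "$TAG_NAME" dist/**
          --repo "$GITHUB_REPOSITORY"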