.github/workflows/Publish.yaml

name: Build and upload to PyPI

on:
  release:
    types:
      - published

env:
  LIBZIM_DL_VERSION: "9.2.3-2"
  MACOSX_DEPLOYMENT_TARGET: "12.0"
  CIBW_ENVIRONMENT_PASS_LINUX: "LIBZIM_DL_VERSION"
  # APPLE_SIGNING_KEYCHAIN_PATH set in prepare keychain step
  APPLE_SIGNING_KEYCHAIN_PROFILE: "build-profile"
  APPLE_SIGNING_IDENTITY: "${{ secrets.APPLE_SIGNING_IDENTITY }}"
  SIGN_APPLE: "yes"


jobs:
  build_wheels:
    environment: release
    name: Build wheels on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-20.04, macos-13, windows-2022]

    steps:
      - uses: actions/checkout@v4

      - name: Set up QEMU
        if: runner.os == 'Linux'
        uses: docker/setup-qemu-action@v3
        with:
          platforms: all

      - name: Prepare Apple Keychain for Signing
        if: matrix.os == 'macos-13'
        shell: bash
        run: |
          # store certificate on filesystem
          export CERTIFICATE="$(mktemp -d)/wmch-devid.p12"
          echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE

          # create a dedicated keychain
          export APPLE_SIGNING_KEYCHAIN_PATH="$(mktemp -d)/build.keychain"
          echo "APPLE_SIGNING_KEYCHAIN_PATH=${APPLE_SIGNING_KEYCHAIN_PATH}" >> "$GITHUB_ENV"
          security create-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
          security default-keychain -s ${APPLE_SIGNING_KEYCHAIN_PATH}
          security unlock-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}

          # import certificate into keychain then remove from filesystem
          security import ${CERTIFICATE} -k ${APPLE_SIGNING_KEYCHAIN_PATH} -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A
          rm $CERTIFICATE

          # store signing credentials into the keychain
          security set-key-partition-list -S "apple-tool:,apple:" -s -k mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}
          security find-identity -v
          xcrun notarytool store-credentials \
            --apple-id "${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}" \
            --password "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" \
            --team-id "${{ secrets.APPLE_SIGNING_TEAM }}" \
            --validate \
            --keychain ${APPLE_SIGNING_KEYCHAIN_PATH} \
            ${APPLE_SIGNING_KEYCHAIN_PROFILE}

          # disable auto-locking of keychain
          security set-keychain-settings ${APPLE_SIGNING_KEYCHAIN_PATH}
          security unlock-keychain -p mysecretpassword ${APPLE_SIGNING_KEYCHAIN_PATH}

      - name: Build wheels
        uses: pypa/cibuildwheel@v2.20

      - name: Cleanup Apple Keychain
        if: matrix.os == 'macos-13'
        shell: bash
        run: |
          security lock-keychain ${APPLE_SIGNING_KEYCHAIN_PATH}
          security delete-keychain ${APPLE_SIGNING_KEYCHAIN_PATH}
          rm -f ${APPLE_SIGNING_KEYCHAIN_PATH}

      - uses: actions/upload-artifact@v4
        with:
          name: wheels-${{ matrix.os }}
          path: ./wheelhouse/*.whl

  build_sdist:
    name: Build source distribution
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build sdist
        run: pipx run build --sdist

      - uses: actions/upload-artifact@v4
        with:
          name: sdist
          path: dist/*.tar.gz

  upload_pypi:
    needs: [build_wheels, build_sdist]
    runs-on: ubuntu-latest
    environment: release
    steps:
      # retrieve all artifacts
      - uses: actions/download-artifact@v4
        with:
          name: sdist
          path: dist
      - uses: actions/download-artifact@v4
        with:
          name: wheels-ubuntu-20.04
          path: dist
      - uses: actions/download-artifact@v4
        with:
          name: wheels-macos-13
          path: dist
      - uses: actions/download-artifact@v4
        with:
          name: wheels-windows-2022
          path: dist

      - uses: pypa/gh-action-pypi-publish@v1.9.0
        with:
          user: __token__
          # password: ${{ secrets.PYPI_TEST_API_TOKEN }}
          password: ${{ secrets.PYPI_API_TOKEN }}
          # uncomment for test
          # repository_url: https://test.pypi.org/legacy/