.github/workflows/release.yaml

---
name: "🐍📦 Production build and release"

# GitHub/PyPI trusted publisher documentation:
# https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
  push:
    # Only invoked on release tag pushes
    tags:
      - v*.*.*

env:
  python-version: "3.9"

jobs:
  publish:
    name: "🐍📦 Build and publish"
    runs-on: ubuntu-latest
    environment:
      name: pypi
    permissions:
      # IMPORTANT: mandatory for trusted publishing
      id-token: write
    steps:
      - name: "Checkout repository"
        uses: actions/checkout@v4

      - name: "Setup PDM for build commands"
        uses: pdm-project/setup-pdm@v4
        with:
          version: 2.10.0

      - name: "Setup Python"
        uses: actions/setup-python@v5.1.1
        with:
          python-version: ${{ env.python-version }}

      - name: "Build with PDM backend"
        run: |
          pdm build

      - name: "Sign packages with Sigstore"
        uses: sigstore/gh-action-sigstore-python@v3.0.0
        with:
          inputs: >-
            ./dist/*.tar.gz
            ./dist/*.whl

      - name: "Remove files unsupported by PyPi"
        run: |
          if [ -f dist/buildvars.txt ]; then
            rm dist/buildvars.txt
          fi
          rm dist/*.sigstore* | true

      - name: "Publish package to PyPI"
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          verbose: true
          password: ${{ secrets.PYPI_API_TOKEN }}