template-python/.github/workflows/release.yml at main · axiomantic/template-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: Release
on:
  push:
    tags: ["v*"]
permissions:
  contents: write
  id-token: write   # OIDC for PyPI trusted publishing

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: astral-sh/setup-uv@v8.1.0   # No floating v8 major-tag; pin to specific patch
        with: { enable-cache: true }
      - run: uv build
      - uses: actions/upload-artifact@v7
        with: { name: dist, path: dist/ }

  pypi-existence-check:
    # NOTE: This is an EXISTENCE CHECK only — it answers "does this project name
    # already have any release on PyPI?" It does NOT verify that a trusted
    # publisher is configured for this repo. Trusted-publisher misconfiguration
    # surfaces as a loud failure on the `pypi-publish` step below, which prints
    # a setup URL via `if: failure()`.
    needs: build
    runs-on: ubuntu-latest
    outputs:
      first_publish: ${{ steps.check.outputs.first_publish }}
    steps:
      - uses: actions/checkout@v6
      - id: check
        name: Check PyPI metadata existence
        run: |
          PROJECT_NAME=$(awk -F'"' '/^name = / {print $2; exit}' pyproject.toml)
          if curl -sf "https://pypi.org/pypi/${PROJECT_NAME}/json" >/dev/null; then
            echo "first_publish=false" >> "$GITHUB_OUTPUT"
          else
            echo "first_publish=true"  >> "$GITHUB_OUTPUT"
            echo "::notice::Project '${PROJECT_NAME}' has no PyPI history. First publish requires a trusted publisher to be configured: https://pypi.org/manage/account/publishing/"
          fi

  pypi-publish:
    needs: [build, pypi-existence-check]
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - uses: actions/download-artifact@v8
        with: { name: dist, path: dist/ }
      - id: publish
        uses: pypa/gh-action-pypi-publish@release/v1   # versioned-branch ref, stays valid
        with:
          attestations: true
      - if: failure()
        name: Trusted-publisher setup hint
        run: |
          PROJECT_NAME=$(grep -m1 '^name = ' pyproject.toml | cut -d'"' -f2)
          echo "::error::PyPI publish failed. If first release, configure trusted publisher at:"
          echo "::error::https://pypi.org/manage/account/publishing/"
          echo "::error::Use these values: Owner=axiomantic  Repository=$GITHUB_REPOSITORY  Workflow=release.yml  Environment=pypi"

  github-release:
    needs: pypi-publish
    runs-on: ubuntu-latest
    permissions: { contents: write }
    steps:
      - uses: actions/download-artifact@v8
        with: { name: dist, path: dist/ }
      - uses: softprops/action-gh-release@v3
        with: { files: dist/* }