ci(release): enable manual/semrel publish; verify pyproject==tag; PyPI OIDC + GHCR (#82)

CoderDeltaLAN · web-flow · commit 68d1afa71ff3 · 2025-09-17T01:29:24.000+01:00
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -1,74 +1,88 @@
 name: publish-pypi
 
 on:
-  workflow_run:
-    workflows: ["publish-on-semrel"]
-    types: [completed]
   workflow_dispatch:
     inputs:
       tag:
-        description: Tag to publish (e.g. v0.4.36)
+        description: "Tag a publicar (por defecto: último v*)"
         required: false
-        type: string
+  workflow_run:
+    workflows: ["semantic-release"]
+    types: [completed]
 
 permissions:
-  contents: read
   id-token: write
+  contents: read
   packages: write
+  attestations: write
 
 jobs:
   publish:
-    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success') }}
+    if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
     environment: pypi
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout with tags
+      - name: Checkout con tags
         uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          fetch-tags: true
+        with: { fetch-depth: 0 }
 
-      - name: Resolve TAG
+      - name: Resolver TAG
         id: tag
         shell: bash
         run: |
           if [[ -n "${{ github.event.inputs.tag }}" ]]; then
-            echo "TAG=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
+            TAG="${{ github.event.inputs.tag }}"
+          elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+            TAG="${GITHUB_REF#refs/tags/}"
           else
-            git fetch --tags --force
-            TAG=$(git describe --tags --abbrev=0)
-            echo "TAG=$TAG" >> $GITHUB_ENV
+            TAG="$(git tag -l 'v*' --sort=-v:refname | head -n1)"
           fi
-          echo "Resolved TAG=$TAG"
-
-      - name: Sync version from TAG into pyproject.toml
-        shell: bash
-        env:
-          TAG: ${{ env.TAG }}
-        run: |
-          VER="${TAG#v}"
-          python - <<'PY'
-import os,re,pathlib
-ver=os.environ["VER"]
-p=pathlib.Path("pyproject.toml")
-t=p.read_text()
-t=re.sub(r'(?m)^(\s*version\s*=\s*")\d+\.\d+\.\d+(")', rf'\1{ver}\2', t)
-p.write_text(t)
-print("synced version:", ver)
-PY
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "TAG=${TAG}"
 
       - name: Setup Python
         uses: actions/setup-python@v5
-        with:
-          python-version: '3.x'
+        with: { python-version: '3.x' }
 
       - name: Build sdist & wheel
         run: |
           python -m pip install -U pip build
           python -m build
 
-      - name: Publish to PyPI via OIDC
+      - name: Verificar version == tag
+        shell: bash
+        run: |
+          WANT="${{ steps.tag.outputs.tag#v }}"
+          ACTUAL=$(python - <<'PY'
+import re, pathlib
+t=pathlib.Path("pyproject.toml").read_text()
+print(re.search(r'(?m)^\s*version\s*=\s*"([0-9.]+)"', t).group(1))
+PY
+)
+          echo "want=$WANT actual=$ACTUAL"
+          test "$WANT" = "$ACTUAL"
+
+      - name: Publicar en PyPI (OIDC)
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          packages-dir: dist
-          verbose: true
+          skip-existing: true
+
+      - name: Login GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build & Push image
+        shell: bash
+        run: |
+          REPO="${GITHUB_REPOSITORY,,}"
+          TAG="${{ steps.tag.outputs.tag }}"
+          docker buildx build --platform linux/amd64,linux/arm64 \
+            -t ghcr.io/$REPO:$TAG \
+            -t ghcr.io/$REPO:latest \
+            --push .
