reorder workflows

spoorcc · spoorcc · commit 53cfa6b043b8 · 2026-01-02T14:19:33.000Z
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,19 +1,18 @@
 name: Build
 
 on:
-  push:
-    branches:
-      - main
-  pull_request:
-    types: [opened, synchronize, reopened]
+  workflow_call:
+    inputs:
+      release_id:
+        required: true
+        type: string
 
 permissions:
   contents: read
 
 jobs:
 
   build:
-    needs: prepare-release
     strategy:
       matrix:
         platform: [ubuntu-latest, macos-latest, windows-latest]
@@ -96,6 +95,20 @@ jobs:
               build/dfetch-package/*.msi
               build/dfetch-package/*.cdx.json
 
+      - name: Upload artifacts to release
+        if: ${{ inputs.release_id }} != ''
+        uses: softprops/action-gh-release@5122b4edc95f85501a71628a57dc180a03ec7588 # v2.5.0
+        with:
+          release_id: ${{ inputs.release_id }}
+          files: |
+              build/dfetch-package/*.deb
+              build/dfetch-package/*.rpm
+              build/dfetch-package/*.pkg
+              build/dfetch-package/*.msi
+              build/dfetch-package/*.cdx.json
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   test-binary:
     name: test binary
     needs:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,33 @@
+name: CI & Release Orchestration
+
+on:
+  push:
+    branches:
+      - main
+      - automate-release
+    tags:
+      - '*.*.*'
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+  # Allows to run this workflow manually
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  draft-release:
+    uses: ./.github/workflows/release.yml
+    permissions:
+      contents: write
+      security-events: write
+
+  build-binaries:
+    needs: draft-release
+    uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      release_id: ${{ needs.draft-release.outputs.release_id }}
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -9,17 +9,11 @@ jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+    - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
       with:
         egress-policy: audit
-
     - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
-
-    - name: Install Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-      with:
-        python-version: '3.x'
+    - uses: ./.github/workflows/setup-python.yml
 
     - name: Install documentation requirements
       run: "pip install .[docs] && pip install sphinx_design"
diff --git a/.github/workflows/landing-page.yml b/.github/workflows/landing-page.yml
@@ -13,17 +13,11 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
-
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
-
-      - name: Setup Python
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: "3.13"
+      - uses: ./.github/workflows/setup-python.yml
 
       - name: Install dependencies
         run: |
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -5,7 +5,7 @@ name: Upload Python Package
 
 on:
   release:
-    types: [created]
+    types: [published]
   pull_request:
     types: [opened, synchronize, reopened]
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,12 +1,7 @@
 name: Releases
 
 on:
-  push:
-    branches:
-      - main
-      - automate-release
-    tags:
-      - '*.*.*'
+  workflow_call:
 
 permissions:
   contents: read
@@ -18,23 +13,27 @@ jobs:
       contents: write
       security-events: write
 
-    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
+    outputs:
+      release_id: ${{ steps.release_info.outputs.tag }}
 
-      - name: Setup Python
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+    steps:
+      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
-          python-version: '3.13'
+          egress-policy: audit
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
+      - uses: ./.github/workflows/setup-python.yml
 
       - name: Determine release info
         id: release_info
         run: |
-          if [[ "${GITHUB_REF}" == "refs/heads/automate-release" ]]; then
-            TAG="latest"
-          else
-            TAG="${GITHUB_REF#refs/tags/}"
-          fi
-          echo "tag=$TAG" >> $GITHUB_OUTPUT
+              if [[ "${GITHUB_REF}" == "refs/heads/automate-release" ]]; then
+                TAG="latest"
+              elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+                TAG="${GITHUB_REF#refs/tags/}"
+              else
+                TAG=""
+              fi
+              echo "tag=$TAG" >> $GITHUB_OUTPUT
 
       - name: Update latest tag
         if: github.ref == 'refs/heads/automate-release'
@@ -45,11 +44,13 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Generate release notes
+        if: ${{ steps.release_info.outputs.tag != '' }}
         id: notes
         run: |
           python script/create_release_notes.py
 
       - name: Create release
+        if: ${{ steps.release_info.outputs.tag != '' }}
         uses: softprops/action-gh-release@5122b4edc95f85501a71628a57dc180a03ec7588 # v2.5.0
         with:
           tag_name: ${{ steps.release_info.outputs.tag }}
diff --git a/.github/workflows/setup-python.yml b/.github/workflows/setup-python.yml
@@ -0,0 +1,20 @@
+name: Setup Python Environment
+
+on:
+  workflow_call:        # Makes this workflow reusable
+    inputs:
+      python-version:   # Optional input
+        required: false
+        type: string
+        default: '3.13'
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      python-version: ${{ inputs.python-version }}
+    steps:
+      - name: Setup Python
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        with:
+          python-version: ${{ inputs.python-version }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,17 +14,11 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
-
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
-
-      - name: Setup Python
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version: '3.13'
+      - uses: ./.github/workflows/setup-python.yml
 
       - name: Install Subversion (SVN)
         run: |
