release.yml

name: Release

on:
  push:
    branches:
      - main

# Set read-only permissions by default
permissions: read-all

jobs:
  # Skip test job - CI workflow already runs comprehensive tests on push to main
  release:
    runs-on: ubuntu-latest
    # Grant write permissions only to this job
    permissions:
      contents: write        # Required for semantic-release to create releases and push commits
      id-token: write        # Required for PyPI OIDC trusted publishing
      pull-requests: write   # Required for semantic-release PR comments
    steps:
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}

      - name: Set up Python
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
        with:
          python-version: '3.12'
          cache: pip
          cache-dependency-path: pyproject.toml

      - name: Install uv
        uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7
        with:
          enable-cache: true
          cache-dependency-glob: "pyproject.toml"

      - name: Install dependencies
        run: uv sync

      - name: Upgrade setuptools
        run: uv pip install --system "setuptools>=61.0"

      - name: Release with Python Semantic Release
        id: semantic-release
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          set +e
          uv run semantic-release version
          echo "exit_code=$?" >> $GITHUB_OUTPUT
          set -e
          # Check if dist/ directory was created (indicates new release)
          if [ -d "dist" ]; then
            echo "new_release=true" >> $GITHUB_OUTPUT
          else
            echo "new_release=false" >> $GITHUB_OUTPUT
          fi

      - name: Publish to PyPI
        if: steps.semantic-release.outputs.new_release == 'true'
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
        with:
          print-hash: true