chore: rework release workflow to reuse the tests workflow.

High level:
* Add multiple release-test-* branch targets as a way to flex and test the
  release pathway.  This includes wiring test pypi in.  The pkgcore project
  there is under my account which I'll transfer once the PR lands and I figure
  out the 'how'.
* The release process now runs the full test suite.  This is being done for
  obvious reasons, but particularly since the previous pathway was covering up
  an unstated dep of .[doc] requiring pytest due to snakeoil/test/mixins.
* To support that, test workflow was rewired to use a custom action that can
  pivot between git cloning, or using a git artifact (IE, the release tarball
  being tested).
  https://github.com/ferringb/gh-actions/blob/main/get-source/action.yml shows
  why an action encapsulating this was necessary.

lesser stuff:
* disable format check for releases.  If we've tagged, by the time the tag is
  in github we have to just accept any format violations.
* The publish code is duplicated because pypi upload doesn't support being invoked
  from reusable workflows.  And GH doesn't support the yaml spec fully (no <<:*),
  thus just violating DRY.  Moving that to an in repo action is a possibility.
* I turned off 'draft' for github publishing.  If we publish to PyPI,
  the source has to be publically available.  I also forced the github release
  to be first for this reason (if it fails, no pypi release).
* Since I broke out actions, I also moved out the VCS check code.

This gh-actions repo I intend as pkgcore/gh-actions, but that requires some
gentoo infra interactions which I'll do after folks double check this work.

Signed-off-by: Brian Harring <[email protected]>

Author: ferringb

.github/workflows/release.yml

@@ -2,34 +2,27 @@ name: release
 
 on:
   push:
-    branches: [deploy]
+    branches: [release-test-pypi, release-test-github, release-test-full]
     tags: [v*]
   workflow_dispatch:
 
+
 jobs:
-  build-and-deploy:
+  build:
     runs-on: ubuntu-latest
-    environment: release
-
-    permissions:
-      id-token: write # Used to authenticate to PyPI via OIDC
-
-      contents: write # Used to authenticate github release publish
+    outputs:
+      release-artifact-id: ${{ steps.upload-release.outputs.artifact-id }}
+      wheel-artifact-id: ${{ steps.upload-wheel.outputs.artifact-id }}
+      artifact-runner: ${{ github.job }}
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     - name: Reject any VCS dependencies
-      shell: python
-      run: |
-        import re, tomllib
-        manifest = tomllib.load(open('pyproject.toml', 'rb'))
-        deps = manifest['build-system']['requires']
-        deps.extend(manifest['project']['dependencies'])
-        if rejects := list(filter(re.compile(r'@[^+]+').search, deps)):
-          rejects = "  \n".join(sorted(rejects))
-          raise Exception(f'VCS dependencies were detected in [build-system]:\n  {rejects}')
+      if: false
+      continue-on-error: ${{ github.ref_type == 'branch' && github.ref_name != 'release-test-full' }}
+      uses: ferringb/gh-actions/reject-python-vcs-deps@main
 
     - name: Set up Python 3.13
       uses: actions/setup-python@v5
@@ -41,15 +34,11 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install build ".[test,doc]"
-
-    - name: Test with pytest
-      env:
-        PY_COLORS: 1 # forcibly enable pytest colors
-      run: pytest
+        pip install build ".[doc]"
 
     - name: Build sdist
       run: |
+        which pytest && echo "safe"
         git clean -fxd
         make man
         make sdist
@@ -60,21 +49,89 @@ jobs:
     - name: Output dist file info
       run: |
         sha512sum dist/*
+        echo ::group::Release contents
         tar -ztf dist/*.tar.gz | sort
+        echo ::endgroup::
+        echo ::group::All generated content in dist
+        find .
+        echo ::endgroup::
+
+    - name: Upload wheel
+      id: upload-wheel
+      uses: actions/upload-artifact@v5
+      with:
+        name: wheel-release
+        path: dist/*.whl
+        if-no-files-found: error
+
+    - name: Upload release source
+      id: upload-release
+      uses: actions/upload-artifact@v5
+      with:
+        name: release-source
+        path: dist/*.tar.gz
+        if-no-files-found: error
+
+  test:
+    needs: [build]
+    uses: ./.github/workflows/test.yml
+    with:
+      release-artifact-id: ${{ needs.build.outputs.release-artifact-id }}
+      format-check: false
+
+  publish:
+    if: github.ref_type == 'tag'
+    needs: [build, test]
+    environment: release
+    permissions:
+      id-token: write # Used to authenticate to PyPI via OIDC
+      contents: write # release uploads
+    runs-on: ubuntu-latest
 
-    - uses: actions/upload-artifact@v4
+    steps:
+    - &common_download_artifacts
+      name: Download artifacts
+      uses: actions/download-artifact@v5
       with:
-        name: results
-        path: dist/*
+        merge-multiple: true # store both in the root, not in named directories
+        artifact-ids: ${{ needs.build.outputs.release-artifact-id }},${{ needs.build.outputs.wheel-artifact-id }}
 
-    - name: publish
-      uses: pypa/gh-action-pypi-publish@release/v1
-      if: startsWith(github.ref, 'refs/tags/')
+    - name: Publish github source
+      uses: softprops/action-gh-release@v2
+      with:
+        files: '*.tar.*'
+        fail_on_unmatched_files: true
 
-    - name: Create GitHub release
-      uses: softprops/action-gh-release@v1
-      if: startsWith(github.ref, 'refs/tags/')
+    - name: Publish to PyPi server
+      uses: pypa/gh-action-pypi-publish@release/v1.13
       with:
-        files: dist/*.tar.gz
+        packages-dir: .
+
+  test-publish:
+    # use the full form to ensure insane tags and errors in 'on' filter still don't kick.
+    if: github.ref_type == 'branch'
+    needs: [build, test]
+    environment: test-release
+    permissions:
+      id-token: write # Used to authenticate to PyPI via OIDC
+      contents: write # release uploads-
+    runs-on: ubuntu-latest
+
+    steps:
+    - *common_download_artifacts
+    - name: Publish github source
+      uses: softprops/action-gh-release@v2
+      if: github.ref_name == 'release-test-github' || github.ref_name == 'release-test-full'
+      with:
+        files: '*.tar.*'
         fail_on_unmatched_files: true
         draft: true
+
+    - name: Publish to Test PyPi server
+      if: github.ref_name == 'release-test-pypi' || github.ref_name == 'release-test-full'
+      uses: pypa/gh-action-pypi-publish@release/v1.13
+      with:
+        packages-dir: .
+        repository-url: https://test.pypi.org/legacy/
+        # attestations are bound in a way re-releasing isn't possible.  Disable for tests.
+        attestations: false

.github/workflows/test.yml

@@ -2,10 +2,20 @@ name: test
 
 on:
   push:
-    branches-ignore: [deploy]
+    branches-ignore: [release-test-*]
   pull_request:
     branches: [master]
-
+  workflow_call:
+    inputs:
+      release-artifact-id:
+        required: false
+        type: string
+        default: ''
+        description: The artifact-id to run the tests against.
+      format-check:
+        type: boolean
+        default: true
+        description: Run the ruff format check.  This should only be disabled for releases.
 jobs:
   build:
     runs-on: ${{ matrix.os }}
@@ -32,8 +42,10 @@ jobs:
       fail-fast: false
 
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
+    - name: Checkout pkgcore
+      uses: ferringb/gh-actions/get-source@main
+      with:
+        artifact-id: ${{ inputs.release-artifact-id }}
 
     - name: Pin dependencies to minimal versions
       if: ${{ matrix.deps == 'minimal-deps' }}
@@ -77,12 +89,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout pkgcore
-      uses: actions/checkout@v4
+      uses: ferringb/gh-actions/get-source@main
       with:
+        artifact-id: ${{ inputs.release-artifact-id }}
         path: pkgcore
 
     - name: Checkout pkgcheck
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         repository: pkgcore/pkgcheck
         path: pkgcheck
@@ -99,7 +112,7 @@ jobs:
     - name: Install pip dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install -e "./pkgcore"
+        pip install "./pkgcore"
         pip install "./pkgcheck[test]"
 
     - name: Test with pytest
@@ -112,12 +125,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout pkgcore
-      uses: actions/checkout@v4
+      uses: ferringb/gh-actions/get-source@main
       with:
+        artifact-id: ${{ inputs.release-artifact-id }}
         path: pkgcore
-
     - name: Checkout pkgdev
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         repository: pkgcore/pkgdev
         path: pkgdev
@@ -134,7 +147,7 @@ jobs:
     - name: Install pip dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install -e "./pkgcore"
+        pip install "./pkgcore"
         pip install "./pkgdev[test]"
 
     - name: Test with pytest
@@ -145,9 +158,10 @@ jobs:
 
   format:
     runs-on: ubuntu-latest
+    if: inputs.format-check
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
+    - name: Checkout pkgcore
+      uses: actions/checkout@v5
     - uses: astral-sh/ruff-action@v3
       with:
         args: "format --check --diff"
@@ -156,8 +170,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout pkgcore
-      uses: actions/checkout@v4
+      uses: ferringb/gh-actions/get-source@main
       with:
+        artifact-id: ${{ inputs.release-artifact-id }}
         path: pkgcore
 
     - name: Checkout gentoo
@@ -174,7 +189,7 @@ jobs:
     - name: Install pip dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install -e "./pkgcore"
+        pip install "./pkgcore"
 
     - name: Run pmaint regen
       working-directory: ./gentoo