jazzband · bckohan · Dec 2, 2025 · Jan 31, 2024
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,30 +1,150 @@
-name: Release
+name: Publish Release
+
+permissions: read-all
+
+concurrency:
+  # stop previous release runs if tag is recreated
+  group: release-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
-    branches:
-      - master
     tags:
-      - '*'
+      - 'v*'  # only publish on version tags (e.g. v1.0.0)
 
 jobs:
-  Build:
-    runs-on: ubuntu-22.04
+
+  lint:
+    if: github.repository == 'jazzband/django-polymorphic'
+    permissions:
+      contents: read
+      actions: write
+    uses: ./.github/workflows/lint.yml
+    secrets: inherit
+
+  test:
+    if: github.repository == 'jazzband/django-polymorphic'
+    permissions:
+      contents: read
+      actions: write
+    uses: ./.github/workflows/test.yml
+    secrets: inherit
+
+  build:
+    if: github.repository == 'jazzband/django-polymorphic'
+    name: Build Package
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
+    outputs:
+      PACKAGE_NAME: ${{ steps.set-package.outputs.package_name }}
+      RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }}
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Python
+      uses: actions/setup-python@v6
+      id: sp
+      with:
+        python-version: "3.13"  # for tomlib
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+      with:
+        enable-cache: true
+    - name: Setup Just
+      uses: extractions/setup-just@v3
+    - name: Install Dependencies
+      run: |
+        just setup ${{ steps.sp.outputs.python-path }}
+    - name: Verify Tag
+      run: |
+        TAG_NAME=${GITHUB_REF#refs/tags/}
+        echo "Verifying tag $TAG_NAME..."
+        # if a tag was deleted and recreated we may have the old one cached
+        # be sure that we're publishing the current tag!
+        git fetch --force origin refs/tags/$TAG_NAME:refs/tags/$TAG_NAME
+
+        # verify signature
+        curl -sL https://github.com/${{ github.actor }}.gpg | gpg --import 
+        git tag -v "$TAG_NAME"
+
+        # verify version
+        RELEASE_VERSION=$(just validate_version $TAG_NAME)
+
+        # export the release version
+        echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV 
+    - name: Build the binary wheel and a source tarball
+      run: just build
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v5
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Set Package Name
+      id: set-package
+      run:
+        PACKAGE_NAME=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['name'])")
+        echo "PACKAGE_NAME=${PACKAGE_NAME}" >> $GITHUB_ENV
+
+  publish-to-pypi:
+    name: Publish to PyPI
+    needs:
+      - lint
+      - test
+      - build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Download all the dists
+      uses: actions/download-artifact@v6
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Upload Package to Jazzband
+      uses: pypa/gh-action-pypi-publish@release/v1.13
+      with:
+        user: jazzband
+        password: ${{ secrets.JAZZBAND_RELEASE_KEY }}
+        repository-url: https://jazzband.co/projects/django-polymorphic/upload
+
+  github-release:
+    name: Publish GitHub Release
+    runs-on: ubuntu-latest
+    needs:
+      - lint
+      - test
+      - build
+    permissions:
+      contents: write  # IMPORTANT: mandatory for making GitHub Releases
+      id-token: write  # IMPORTANT: mandatory for sigstore
+
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3"
-          cache: pip
-          cache-dependency-path: setup.cfg
-      - name: Install uv
-        uses: astral-sh/setup-uv@v6
-        with:
-          enable-cache: true
-      - name: Setup Just
-        uses: extractions/setup-just@v3
-      - run: sudo apt-get update && sudo apt-get install -y --no-install-recommends gettext
-      - run: just build
-      - uses: actions/upload-artifact@v4
-        with:
-          name: dist
-          path: dist/
+    - name: Download all the dists
+      uses: actions/download-artifact@v6
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Sign the dists with Sigstore
+      uses: sigstore/[email protected]
+      with:
+        inputs: >-
+          ./dist/*.tar.gz
+          ./dist/*.whl
+    - name: Create GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: >-
+        gh release create
+        '${{ github.ref_name }}'
+        --repo '${{ github.repository }}'
+        --generate-notes
+        --prerelease
+    - name: Upload artifact signatures to GitHub Release
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      # Upload to GitHub Release using the `gh` CLI.
+      # `dist/` contains the built packages, and the
+      # sigstore-produced signatures and certificates.
+      run: >-
+        gh release upload
+        '${{ github.ref_name }}' dist/**
+        --repo '${{ github.repository }}'