[PATCH] Lay initial groundwork for GHI #338

Additions with file .github/actions/checkout-and-rebuild/action.yml:
 * lays groundwork for GHI #338

Additions with file .github/workflows/CD-PyPi.yml:
 * related work

Changes in file .github/tools/checkmake.bash:
 * related work

Changes in file .github/tools/shlock_helper.sh:
 * related work

Changes in file .github/workflows/CI-BUILD.yml:
 * lays groundwork for GHI #338

Changes in file .github/workflows/CI-MATs.yml:
 * lays groundwork for GHI #338

Changes in file Makefile:
 * sync from master

Changes in file multicast/__init__.py:
 * sync from master

Author: reactive-firewall

.github/actions/checkout-and-rebuild/action.yml

@@ -0,0 +1,126 @@
+---
+name: 'Checkout and use Build'
+description: 'checks-out the given commit and fetches the build artifact'
+author: 'Mr. Walls'
+branding:
+  icon: 'chevron-down'
+  color: 'blue'
+inputs:
+  sha:
+    description: |
+      The commit to checkout and fetch build artifacts for. When running this action on github.com,
+      the default value is sufficient.
+    required: true
+    default: ${{ github.server_url == 'https://github.com' && github.sha || 'HEAD' }}
+  build-run-id:
+    description: |
+      The workflow run to fetch build artifacts from. When running this action on github.com,
+      the default value is the calling workflow.
+    required: true
+    default: ${{ github.server_url == 'https://github.com' && github.run_id || '' }}
+  path:
+    description: |
+      Path to setup. When running this action on github.com, the default value
+      is sufficient.
+    required: true
+    default: ${{ github.server_url == 'https://github.com' && github.workspace || '' }}
+  token:
+    description: |
+      The token used to authenticate when fetching Python distributions from
+      https://github.com/actions/python-versions. When running this action on github.com,
+      the default value is sufficient. When running on GHES, you can pass a personal access
+      token for github.com if you are experiencing rate limiting.
+    default: ${{ github.server_url == 'https://github.com' && github.token || '' }}
+    required: true
+  python-version:
+    description: |
+      The python version to setup. The default is to use the value of the environment
+      variable 'PYTHON_VERSION'.
+    default: '3.12'
+    required: true
+outputs:
+  branch-name:
+    description: "The name of the branch that was checked-out"
+    value: ${{ steps.output_branch_name.outputs.branch-name || '' }}
+  sha:
+    description: "The SHA of the commit checked-out"
+    value: ${{ steps.output_sha.outputs.sha || 'HEAD' }}
+  python-version:
+    description: "The python version that was used in the run."
+    value: ${{ steps.cp313.outputs.python-version || '' }}
+  artifact-name:
+    description: "The downloaded artifact-name"
+    value: "multicast-build-${{ steps.output_sha.outputs.sha }}.zip"
+  artifact-files:
+    description: "The downloaded artifact-files"
+    value: ${{ steps.output_artifact_files.outputs.files }}
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
+        fetch-depth: 0
+        path: ${{ inputs.path }}
+        repository: reactive-firewall/multicast
+        token: ${{ inputs.token }}
+    - name: "Checkout Target Commit by SHA"
+      shell: bash
+      run: |
+        printf "%s\n" "::group::target-commit"
+        git checkout --force --detach ${{ inputs.sha }} --
+        printf "%s\n" "::endgroup::"
+      if: ${{ (github.sha != inputs.sha) && success() }}
+    - id: output_branch_name
+      if: ${{ !cancelled() }}
+      shell: bash
+      run: |
+        printf "branch-name=%s\n" $(git name-rev --name-only HEAD | cut -d~ -f1-1) >> "$GITHUB_OUTPUT"
+    - id: output_sha
+      shell: bash
+      run: printf "sha=%s\n" $(git rev-parse --verify HEAD) >> "$GITHUB_OUTPUT"
+    - name: "Setup Python"
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      id: cp313
+      with:
+        python-version: ${{ inputs.python-version }}
+        cache: 'pip'  # caching pip dependencies
+      if: ${{ !cancelled() }}
+    - name: "Install Test Dependencies"
+      shell: bash
+      run: make -j1 -f Makefile test-reqs ;
+    - id: output_artifact_name
+      if: ${{ success() }}
+      shell: bash
+      run: printf "artifact-name=%s\n" multicast-build-${{ steps.output_sha.outputs.sha }}.zip >> "$GITHUB_OUTPUT"
+    - name: "Fetch Build Files"
+      if: ${{ (github.repository == 'reactive-firewall/multicast') && success() }}
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      with:
+        path: ${{ inputs.path }}/dist
+        pattern: multicast-build-${{ steps.output_sha.outputs.sha }}.zip
+        merge-multiple: true
+        repository: reactive-firewall/multicast
+        github-token: ${{ inputs.token }}
+        run-id: ${{ inputs.build-run-id }}
+    - name: "Enumerate Fetched Files"
+      id: output_artifact_files
+      env:
+        BUILD_MATCH_PATTERN: "dist/multicast-*-*.whl dist/multicast-*.tar.gz"
+        SCRIPT_NAME: ".github/actions/checkout-and-rebuild/action.yml"
+      shell: bash
+      run: |
+        FILES=$(git ls-files -oi --exclude-standard -- ${{ env.BUILD_MATCH_PATTERN }} )
+        if [ -z "$FILES" ]; then
+          printf "::warning file=%s:: %s\n" "${SCRIPT_NAME}" "No Built files found."
+          printf "%s\n" "files=" >> "$GITHUB_OUTPUT"
+        else
+          printf "%s\n" "Built files found:"
+          printf "%s\n" "$FILES"
+          # Replace line breaks with commas for GitHub Action Output
+          FILES="${FILES//$'\n'/ }"
+          printf "%s\n" "files=$FILES" >> "$GITHUB_OUTPUT"
+        fi
+      if: ${{ success() }}

.github/tool_checkmake.sh renamed to .github/tools/checkmake.bash

@@ -0,0 +1,52 @@
+---
+name: CD-PyPi
+description: "Continuous Deployment workflow for PyPi publishing."
+run-name: Build and publish ${{ github.ref_name }} by @${{ github.actor }}
+
+on:
+  release:
+    types:
+      - published
+
+permissions: {}
+
+jobs:
+  pypi-publish:
+    name: upload release to PyPI
+    if: ${{ github.event_name == 'release' && (github.repository == 'reactive-firewall/multicast') && startsWith(github.ref, 'refs/tags/v') }}
+    runs-on: ubuntu-latest
+    # Specifying a GitHub environment is optional, but strongly encouraged
+    # environment: pypi
+    permissions:
+      # IMPORTANT: this permission is mandatory for Trusted Publishing
+      id-token: write
+      statuses: write
+      contents: read
+      actions: read
+    defaults:
+      run:
+        shell: bash
+    env:
+      LANG: "en_US.UTF-8"
+    outputs:
+      build_status: ${{ steps.build.outcome }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "${{ vars.PYTHON_DEFAULT }}"
+      - name: Pre-Clean
+        id: clean
+        run: make -j1 -f Makefile purge 2>/dev/null || true
+      - name: Build
+        id: build
+        run: make -j1 -f Makefile build
+      - name: Publish package distributions to PyPI
+        if ${{ success() }}
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true
+          packages-dir: dist/

.github/tool_shlock_helper.sh renamed to .github/tools/shlock_helper.sh

@@ -1,7 +1,7 @@
 ---
 name: CI-BUILD
 description: "Continuous Integration workflow for building, the project."
-run-name: Build ${{ github.ref_name }} by @${{ github.actor }}
+run-name: Build ${{ github.ref_name }}
 #
 # Jobs included:
 # - BUILD: Ensures the project compiles correctly
@@ -33,8 +33,6 @@ jobs:
       statuses: write
       packages: none
       pull-requests: read
-      id-token: write
-      attestations: write
       security-events: none
     if: ${{ !cancelled() && (github.repository == 'reactive-firewall/multicast') }}
     runs-on: ubuntu-latest
@@ -44,7 +42,7 @@ jobs:
         shell: bash
     env:
       LANG: "en_US.UTF-8"
-      GIT_MATCH_PATTERN: "dist/multicast-*-*.whl dist/multicast-*.tar.gz"
+      BUILD_MATCH_PATTERN: "dist/multicast-*-*.whl dist/multicast-*.tar.gz"
     outputs:
       build_status: ${{ steps.build.outcome }}
     steps:
@@ -71,30 +69,27 @@ jobs:
         id: buildfiles
         shell: bash
         run: |
-          FILES=$(git ls-files -oi --exclude-standard -- ${{ env.GIT_MATCH_PATTERN }} )
+          FILES=$(git ls-files -oi --exclude-standard -- ${{ env.BUILD_MATCH_PATTERN }} )
           if [ -z "$FILES" ]; then
             printf "%s\n" "::warning file=.github/workflows/CI-BUILD.yml:: No Built files found."
             printf "%s\n" "files=" >> "$GITHUB_OUTPUT"
           else
             printf "%s\n" "Built files found:"
             printf "%s\n" "$FILES"
-            # Replace line breaks with spaces for GitHub Action Output
+            # Replace line breaks with commas for GitHub Action Output
             FILES="${FILES//$'\n'/ }"
             printf "%s\n" "files=$FILES" >> "$GITHUB_OUTPUT"
           fi
         if: ${{ success() }}
       - name: Upload build artifact
         id: upload
+        if: ${{ !cancelled() && (steps.buildfiles.outputs.files != '') && (github.repository == 'reactive-firewall/multicast') }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          path: ${{ steps.buildfiles.outputs.files }}
+          path: dist
           name: multicast-build-${{ github.sha }}.zip
-      - name: Generate artifact attestation
-        if: ${{ !cancelled() && steps.buildfiles.outputs.files != '' && (github.repository == 'reactive-firewall/multicast') }}
-        uses: actions/attest-build-provenance@v2
-        with:
-          subject-name: multicast-build-${{ github.sha }}.zip
-          subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
+          compression-level: 3
+          overwrite: true
 
   BOOTSTRAP:
     permissions:
@@ -195,11 +190,13 @@ jobs:
       pull-requests: read
     needs: [BUILD, BOOTSTRAP]
     runs-on: ubuntu-latest
+    environment: ${{ needs.BUILD.environment }}
     if: ${{ !cancelled() }}
     outputs:
       didBUILD: ${{ steps.check_status.outputs.build_success }}
       build_ref: ${{ steps.check_status.outputs.build_ref }}
       build_ref_name: ${{ steps.check_status.outputs.build_ref_name }}
+      environment: ${{ needs.BUILD.environment }}
     steps:
       - id: check_status
         run: |
@@ -213,6 +210,7 @@ jobs:
       - name: Download All Artifacts
         uses: actions/download-artifact@v4
         with:
-          path: dist
-          pattern: multicast-${{ github.sha }}
+          path: ${{ github.workspace }}/dist
+          pattern: multicast-build-${{ github.sha }}.zip
+          merge-multiple: true
       - run: ls -R dist