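---
# =============================================================================
# release.yml
#
# Trigger: Push of a version tag matching v*.*.*
# Purpose: Final verification, immutable build, versioned docs, release publish
#
# Security notes (review):
#   - Every third-party action is pinned to a full commit SHA; keep it that way
#     when bumping versions (the trailing "# vX" comment is informational only).
#   - The workflow-level `permissions` block is broad and applies to every job,
#     including the reusable-workflow calls whose requirements are not visible
#     in this file. Least privilege would be `permissions: contents: read` at
#     workflow level with per-job grants; tighten once each `_*.yml` callee's
#     needs are confirmed. The `publish` job below already declares its own
#     minimal set.
# =============================================================================
name: "CI — Release"

on:
  push:
    tags:
      # Strict semver only (v1.2.3). This is a GitHub glob, not a regex:
      # pre-release suffixes such as v1.2.3-rc1 do not match.
      - "v[0-9]+.[0-9]+.[0-9]+"

# NOTE(review): workflow-wide default. `id-token: write` lets every job mint an
# OIDC token and `contents: write` lets every job push, but only `publish`
# needs either. Left unchanged here because the reusable workflows' needs
# (e.g. SARIF upload in _security.yml, docs deploy in _docs.yml, result
# publishing in _tests.yml) cannot be verified from this file — confirm them,
# then reduce this block to `contents: read` and grant per job.
permissions:
  contents: write
  packages: write
  id-token: write
  security-events: write
  attestations: write

jobs:
  # ── Stage 1: Security Audit ──────────────────────────────────────────────
  security:
    name: "Security Audit"
    uses: ./.github/workflows/_security.yml

  # ── Stage 2: Link Check ──────────────────────────────────────────────────
  link-check:
    name: "Link Check"
    uses: ./.github/workflows/_link-check.yml
    with:
      fail_on_error: true

  # ── Stage 3: Full Verification ───────────────────────────────────────────
  test:
    name: "Full Verification Suite"
    uses: ./.github/workflows/_tests.yml
    with:
      # JSON matrix passed as a string; the callee is expected to parse it.
      test_matrix: >-
        [
          {"level": "unit", "types": "smoke, sanity, regression"},
          {"level": "integration", "types": "smoke, sanity, regression"},
          {"level": "e2e", "types": "smoke, sanity, regression"}
        ]
      # Quoted JSON so "3.10" cannot be read as the float 3.1.
      python_versions: '["3.10", "3.11", "3.12", "3.13", "3.14"]'
      generate_coverage: true
      publish_results: true
      retention_days: 90

  # ── Stage 4: Versioned Docs ──────────────────────────────────────────────
  # Gated on the test suite only (it embeds the coverage output); note that,
  # unlike the build, docs are not gated on the security audit.
  docs:
    name: "Versioned Docs"
    needs: test
    uses: ./.github/workflows/_docs.yml
    with:
      build_type: "release"
      alias: "latest"
      include_coverage: true

  # ── Stage 5: Immutable Build ─────────────────────────────────────────────
  build:
    name: "Release Build"
    needs:
      - test
      - security
    uses: ./.github/workflows/_build_package.yml
    with:
      build_type: "release"

  # ── Stage 6: Publish Artifacts ───────────────────────────────────────────
  publish:
    name: "Publish Release"
    needs: build
    runs-on: ubuntu-latest
    # Job-level least privilege (overrides the workflow default):
    #   contents: write      -> create the GitHub Release (action-gh-release)
    #   id-token: write      -> OIDC for signing the provenance attestation
    #                           (also what PyPI trusted publishing would need
    #                           if the commented step below is re-enabled)
    #   attestations: write  -> store the attestation
    # Neither `packages: write` nor `security-events: write` is used by any
    # step in this job, so they are dropped here.
    permissions:
      contents: write
      id-token: write
      attestations: write
    # NOTE(review): consider binding this job to a protected `environment`
    # (required reviewers, environment-scoped secrets); a PyPI trusted
    # publisher would be bound to the same environment name.
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config where the third-party
          # actions below could read it; no step in this job pushes via git.
          persist-credentials: false

      - name: Download build artifact
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          # Must match the artifact name uploaded by _build_package.yml;
          # the run id keeps this from resolving to another run's file.
          name: build-artifact-release-${{ github.run_id }}
          path: dist/

      - name: Generate artifact attestations
        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v1.5.1
        with:
          # Attests the files as downloaded into this job; integrity of the
          # build-job -> publish-job hop rests on the Actions artifact store.
          subject-path: dist/*

      # - name: Publish to PyPI
      #   uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14
      #   with:
      #     packages-dir: dist/

      - name: Create GitHub Release
        # Redundant with the tag-only trigger; kept as defence in depth.
        if: ${{ github.ref_type == 'tag' }}
        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
        with:
          files: dist/*
          generate_release_notes: true
          # Consistent with the strict tag pattern, which excludes pre-release
          # suffixes.
          prerelease: false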