release.yaml

name: Release

on:
  workflow_dispatch:
permissions: {}

jobs:
  get_pypi_token:
    name: Get PyPI Token for Trusted Publishing
    runs-on: ubuntu-22.04
    permissions:
      id-token: write
      contents: read
    outputs:
      pypi_token: ${{ steps.get_pypi_token.outputs.pypi_token }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        name: Checkout source code
        with:
          persist-credentials: false

      - name: Get PyPI token
        id: get_pypi_token
        uses: ./.github/actions/get_pypi_token
  get_config_values:
    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
    permissions:
      attestations: read
      contents: read
      packages: read
    with:
      verify_published_from_main_image: false
  quality_checks:
    name: Quality Checks
    needs: get_config_values
    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8399c1f015c1304e40771cbd8ccc24c7ed48fdbc
    permissions:
      contents: read
      id-token: write
      packages: read
    with:
      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  get_next_version:
    name: Get Next Version Number for Poetry
    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
    needs: [get_config_values, quality_checks]
    permissions:
      id-token: write
      contents: write
      packages: write
    with:
      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
      branch_name: main
      dry_run: true

  build:
    name: Build Package and Upload as Artifact
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    container:
      image: ${{ needs.get_config_values.outputs.pinned_image }}
      options: --user 1001:1001 --group-add 128
    defaults:
      run:
        shell: bash
    needs: [get_config_values, get_next_version]
    outputs:
      artifact_id: ${{ steps.upload-artifact.outputs.artifact-id }}
    steps:
      - name: copy .tool-versions
        run: |
          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
      - name: Git checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false
      - name: make install
        run: |
          make install
      - name: Build package
        run: |
          poetry version "$NEXT_VERSION"
          make build
          cd dist
          zip -r eps_spine_shared.zip ./*
        env:
          NEXT_VERSION: ${{ needs.get_next_version.outputs.next_version_tag }}

      - name: Upload artifact
        id: upload-artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          name: packaged_code
          path: |
            dist/eps_spine_shared.zip

  tag_release:
    name: Tag Release
    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
    needs: [build, get_config_values, get_pypi_token]
    with:
      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
      branch_name: main
      extra_artifact_name: eps_spine_shared.zip
      extra_artifact_id: ${{ needs.build.outputs.artifact_id }}
      extra_artifact_run_id: ${{ github.run_id }}
      extra_artifact_repository: ${{ github.repository }}
      dry_run: false
      pypi_publish: true
    secrets:
      PYPI_TOKEN: ${{ needs.get_pypi_token.outputs.pypi_token }}
    permissions:
      id-token: write
      contents: write
      packages: write